
Firefox keeps redirecting, Msn keeps signing out and I'm not sure Malwarebytes is working anymore.


This topic is locked
20 replies to this topic

#1 KRose

Members, 22 posts

Posted 04 June 2009 - 10:19 AM

Hello!
I'm new here, so if there's something I should be posting that I haven't, let me know.
I'm pretty sure I'm infected. I'm running Windows XP Home (SP3) on an Asus Eee PC, so I can't do a reformat on my own (no optical drives).
I use Symantec (school policy) on this computer, but it isn't appearing in the taskbar.
I have some sort of browser redirecting going on. I Google things in Firefox and get redirected. Symantec caught it first, as the free version of Malwarebytes doesn't run without your clicking "Scan". I had already installed Malwarebytes well before this redirecting problem. It caught some things, then asked me to restart the computer. I did, and ran Malwarebytes again to find "no malicious items". It caught nothing using Quick Scan or Full Scan, but I still had the redirecting problem. I hit the update option in Malwarebytes and it updated very quickly. I did it again and it updated yet again. I used IE and tried to download Firefox (so I could uninstall and reinstall), but IE said it was "not possible with the current security settings". I attempted downloading via Firefox itself. I've set it up so I always get asked where Firefox should download to, so I can see the file name before I download. Anyway, the files would come up as something like mozilla.mirror_jp... really mysterious, as I was trying to get the US version, in English. I put Malwarebytes on a USB stick (using a different computer) and ran it on this computer, and it caught a dozen things. Malwarebytes deleted all of them but two, which were "msb.dll" and "nsrbgxod.exe". I deleted them using Unlocker, as by now I just didn't trust Malwarebytes as completely as I did before.
When I installed Malwarebytes, I made it install from the USB in F: to the USB in F:, and I unselected "Update Malwarebytes", the option above "Launch Malwarebytes", which I left checked.
Malwarebytes is still coming up with nothing and I haven't reinstalled MSN yet, but I'm still getting redirected. If I Google Malwarebytes, it'll let me go to Malwarebytes.org. But if I try to go to the CNET download page for Malwarebytes, I get redirected to a site that is blank, with a green netted sphere shape before the URL. If I Google reformatting, left-clicking what looks like a legit link (or even trying to open a "cached" link in a new tab) will take me to a site about gaming or about getting malware off your PC, like "malware removal bot". I close these sites immediately and haven't clicked on anything they have; clearly they're malware.
I have tried uninstalling Firefox and WLM via Change/Remove Programs, and put the installer for Firefox on the USB key and installed it that way. Didn't work.
I'm also having problems with Windows Live Messenger. I sign in and it signs out in about ten seconds, so I can't get help that way. Argh. I also notice that the little yellow Symantec icon is missing from the taskbar. Uh oh....
I'm going to be really miserable if I have to reformat this computer, as I haven't had it for very long, and I'm surprised how quickly it got infected.
I cannot download things the normal way, and I have to cut and paste URLs from Google search results to avoid the redirect. If it helps any, the redirect pages often have green netted spheres before the URL, in the way this page has a blue square.... I'm guessing I'd have to download things via USB key from another computer, but you're the experts. Please be patient with me; I'm new, and if there are details like installing to different drives or not selecting things, point this out, as I won't know.


#2 boopme

    To Insanity and Beyond

Global Moderator, 72,114 posts, Gender: Male, Location: NJ USA

Posted 04 June 2009 - 02:52 PM

Hello, please scan and post back the logs.

Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


Some types of malware will disable MBAM (MalwareBytes) and other security tools. If MBAM will not install, try renaming it.

Before saving any of your security programs, rename them first. For example, before you save Malwarebytes', rename it to something like MBblah.exe and then click on Save and save it to your desktop. Same thing after you install it: before running it, rename the main executable file first.
***
Right-click on the mbam-setup.exe file and change the .exe extension to .bat, .com, .pif, or .scr and then double-click on it to run.

If, after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files, right-click on mbam.exe and change the .exe as noted above. Then double-click on it to run.


***
Another workaround is to not use the mouse to install it; just use the arrow keys, Tab and Enter keys.
***
Open up a command prompt and type in the following commands:
XP >> click the Start menu at the lower-left of your computer's desktop and select "Run". Type cmd into the Run box and click "OK".
Vista >> click the Start menu at the lower-left of your computer's desktop and type cmd in the search box.

regsvr32 mbamext.dll
regsvr32 ssubtmr6.dll
regsvr32 vbalsgrid6.ocx
regsvr32 zlib.dll

****

If you cannot use the Internet, you will need access to another computer that has a connection.
From there save mbam-setup.exe to a flash/USB/jump drive or CD. Now transfer it to the infected machine, then install and run the program.
If you cannot transfer to or install on the infected machine, try running the setup (installation) file directly from the flash drive or CD by double-clicking on mbam-setup.exe so it will install on the hard drive.

Manually Downloading Updates:
Manually download them from HERE and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.

***
Try this random renamer for MBAM
http://kixhelp.com/wr/files/mb/randmbam.exe
****
Try using a System Restore Point prior to the date of infection. You may be able to update and run MBAM. Note that this does not remove the malware.
Windows XP System Restore Guide



Next run ATF and SAS:
From your regular user account:
Download Atribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to the desktop.
DO NOT run yet.
Open SUPER from the icon, install it and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use the Firefox or Opera browser, click that browser at the top and choose: Select All.
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW scan with SUPER
Open it from the desktop icon or the Program Files list.
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions, post logs and let us know how the PC is running now.

How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 KRose (Topic Starter)

Members, 22 posts

Posted 04 June 2009 - 04:01 PM

Thanks guys :thumbsup:

Okay, here's what I got:

Malwarebytes' Anti-Malware 1.37
Database version: 2182
Windows 5.1.2600 Service Pack 3

04/06/2009 4:08:16 PM
mbam-log-2009-06-04 (16-08-16).txt

Scan type: Quick Scan
Objects scanned: 82650
Time elapsed: 3 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I ran ATF-Cleaner and the Firefox and Opera options were greyed out, but I selected all on Main.
Is that all right?
I selected all, and it said "Done Cleaning! ATF CLEANER has freed 2,588.000 KBs".


Ok...from the SuperAntiSpyware:

Core Rules Database Version : 3910
Trace Rules Database Version: 1854

Scan type : Complete Scan
Total Scan Time : 00:31:08

Memory items scanned : 253
Memory threats detected : 0
Registry items scanned : 4632
Registry threats detected : 0
File items scanned : 35349
File threats detected : 1

Worm.SASSER-E
C:\WINDOWS\SYSTEM32\LSASSS.EXE


I rebooted, shut down and booted in safe mode again, got this:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/04/2009 at 04:52 PM

Application Version : 4.26.1004

Core Rules Database Version : 3910
Trace Rules Database Version: 1854

Scan type : Complete Scan
Total Scan Time : 00:31:11

Memory items scanned : 251
Memory threats detected : 0
Registry items scanned : 4631
Registry threats detected : 0
File items scanned : 35093
File threats detected : 0

I'm using a different computer, but I took installers from this computer onto USB and did all the things on the computer in question. I took the mbam log and saved it as a txt onto USB.
Wow... maybe this is not as bad as I feel it is? Should I try to get Firefox/MSN? The laptop is beside me, running in safe mode.

#4 boopme

    To Insanity and Beyond

Global Moderator, 72,114 posts, Gender: Male, Location: NJ USA

Posted 04 June 2009 - 04:08 PM

Ok, yes, it all went OK... You should try it out. As you had a worm, you may want to reinstall the MSN application and change your password.
Let me know how things are running after that.

#5 KRose (Topic Starter)

Members, 22 posts

Posted 04 June 2009 - 05:15 PM

    Ok, yes, it all went OK... You should try it out. As you had a worm, you may want to reinstall the MSN application and change your password.
    Let me know how things are running after that.


I just reinstalled Firefox and I'm still getting redirected. I'm using the CNET Malwarebytes download page from Google search results as a test. :thumbsup:
Haven't tried getting MSN yet. Firefox matters more.

Ooh! I also downloaded avast! and installed it and it says there are suspicious files:
File Path- C://WINDOWS\system32\Drivers\kungsfrqhfunmt.sys Type- Rootkit: hidden file

and

File Path: C://WINDOWS\system32\Drivers\kungsfrqhfunmt.sys Type- hidden services

Should I try uninstalling Firefox via a different route than the usual Add/Remove programs from Control Panel?
Deleting the sys' and rebooting now.

#6 KRose (Topic Starter)

Members, 22 posts

Posted 04 June 2009 - 05:51 PM

Updating:
On reboot, avast scanned, and there was
protect.dll
kungsfrqhfunmt.sys
kungsfmafsxwak.dll
kungsfmxnvatao.dll
kungsfvorpthwwm.tmp

the message would go:
C://WINDOWS\system32\Drivers\_______ is infected by win32:Alureon-BH [Rtk]

I selected delete for all of them. avast prompted me for most "file is in windows folder, are you sure?", and I'd hit yes again and avast would say it was deleted.

Now restarting again. >_<

Also, when I hit the power button, the Windows logo with the scrolling blue bar appears choppily from a black screen instead of with a smooth fade-in. After that last scan that had all of the kungsf___ stuff, the Windows logo came in like normal.

I have no idea what to do next. Will attempt a scan with avast!. (Right clicked C:// from My Computer and hit the avast logo to scan).

#7 boopme

    To Insanity and Beyond

Global Moderator, 72,114 posts, Gender: Male, Location: NJ USA

Posted 04 June 2009 - 05:54 PM

Hello, you have new malware. Let's see if it has more rootkits. Firefox is best removed through the Control Panel or its own uninstaller in All Programs.
Please run RootRepeal - Rootkit Detector

Please download: RootRepeal.
Direct download link is here: RootRepeal.rar.
If you need a program to open a .RAR compressed file, download a trial version from here: WinRAR.

Extract the program file to a new folder such as C:\RootRepeal.
Run RootRepeal.exe and go to the REPORT tab and click the Scan button.
Select ALL of the checkboxes and then click OK and the scan will start.
If you have multiple drives you only need to check the C: drive or the drive which Windows is installed to.
When done, click on Save Report.
Save it to the same location where you ran it from above, such as C:\RootRepeal.
Save it as your_name_rootrepeal.txt, where your_name is your forum name.
This makes it easier to track who the log belongs to.
Now open that log and select all and copy/paste it back in your next reply please.
Quit the RootRepeal program.

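Post #7 asks for a RootRepeal report, which lists the loaded drivers (and whether each one's file is visible on disk), hidden or locked files, the SSDT entries together with the module that hooked them, and "Hidden Code" planted in driver IRP handlers. The Python script below is an added example, not code from this thread, from RootRepeal or from BleepingComputer. It parses a small report constructed here in that layout and applies the questions a responder asks of such a log: which loaded drivers have no visible file on disk (the scanner's own rootrepeal.sys and the kernel's dump_ copies of storage drivers are excluded by an allowlist assumed for this example), which SSDT hooks are attributed to "<unknown>" rather than to a named driver such as avast's aswSP.SYS, and which drivers have hidden code in which IRP handlers.

```python
import re
from collections import defaultdict

# Drivers expected to report "File Visible: No": the scanner's own driver and the
# kernel's crash-dump copies of storage drivers (an allowlist assumed for this
# example, not a RootRepeal setting; extend it for your own environment).
EXPECTED_INVISIBLE = {"rootrepeal.sys"}
EXPECTED_INVISIBLE_PREFIXES = ("dump_",)

RULE_RE = re.compile(r"^-{5,}\s*$")  # dashed rule under a section title
FUNC_RE = re.compile(r"#:\s*(\d+)\s+Function Name:\s*(\S+)")
HOOK_RE = re.compile(r'Hooked by "([^"]+)" at address (0x[0-9A-Fa-f]+)')
VISIBLE_RE = re.compile(r"File Visible:\s*(\w+)")
HIDDEN_CODE_RE = re.compile(r"Hidden Code \[Driver: ([^,]+), (IRP_MJ_\w+)\]")

# Constructed sample in the layout RootRepeal uses; a handful of records, not a real scan.
SAMPLE_REPORT = r"""Drivers
-------------------
Name: kungsfrqhfunmt.sys
Image Path: C:\WINDOWS\system32\drivers\kungsfrqhfunmt.sys
Address: 0xB4750000 Size: 512 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA141B000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x886136a0

#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa3d316b8

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x89dd51f8 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_CREATE]
Process: System Address: 0x8932e1f8 Size: 121
"""


def parse_report(text):
    """Return {section title: [record, ...]}. A title is the line above a dashed
    rule; records inside a section are blank-line separated lists of lines."""
    lines, sections, current, record = text.splitlines(), defaultdict(list), None, []
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if RULE_RE.match(nxt) or RULE_RE.match(line) or not line.strip():
            if record and current:
                sections[current].append(record)
            record = []
            if RULE_RE.match(nxt):
                current = line.strip()  # this line is a section title
            continue
        record.append(line.rstrip())
    if record and current:
        sections[current].append(record)
    return dict(sections)


def triage(text):
    """Apply the questions a responder asks of such a report and return findings."""
    sections = parse_report(text)
    hidden, unknown, attributed, irp = [], [], {}, defaultdict(list)
    for rec in sections.get("Drivers", []):
        joined = "\n".join(rec)
        name, vis = re.search(r"^Name:\s*(.+)$", joined, re.M), VISIBLE_RE.search(joined)
        if name and vis and vis.group(1).lower() == "no":
            n = name.group(1).strip()
            if n.lower() not in EXPECTED_INVISIBLE and not n.lower().startswith(EXPECTED_INVISIBLE_PREFIXES):
                hidden.append(n)  # loaded in memory but no visible file on disk
    for rec in sections.get("SSDT", []):
        joined = "\n".join(rec)
        func, hook = FUNC_RE.search(joined), HOOK_RE.search(joined)
        if not (func and hook):
            continue
        if hook.group(1) == "<unknown>":
            unknown.append((func.group(2), hook.group(2)))  # hook points into unattributed memory
        else:
            attributed[func.group(2)] = hook.group(1)  # named module, typically a security product
    for rec in sections.get("Stealth Objects", []):
        m = HIDDEN_CODE_RE.search("\n".join(rec))
        if m:
            irp[m.group(1).strip()].append(m.group(2))  # driver -> hooked IRP major functions
    return {"hidden_drivers": hidden, "unknown_ssdt_hooks": unknown,
            "attributed_ssdt_hooks": attributed, "irp_hooks": dict(irp)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Run it against a saved your_name_rootrepeal.txt by passing the file's contents to triage(). A driver in "hidden_drivers" and a cluster of "<unknown>" SSDT hooks are the two signals worth raising first; hooks attributed to a known security driver are expected on a machine running avast, Symantec or SUPERAntiSpyware, and any other named module should be looked up before it is treated as hostile.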
#8 KRose (Topic Starter)

Members, 22 posts

Posted 04 June 2009 - 06:08 PM

Oh boy, non-English characters/symbols...:S

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Time: 2009/06/04 18:59
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0xA3C4F000 Size: 892928 File Visible: No Signed: -
Status: -

Name: kungsfrqhfunmt.sys
Image Path: C:\WINDOWS\system32\drivers\kungsfrqhfunmt.sys
Address: 0xB4750000 Size: 512 File Visible: No Signed: -
Status: -

Name: PCI_PNP7812
Image Path: \Driver\PCI_PNP7812
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA141B000 Size: 49152 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: spun.sys
Image Path: spun.sys
Address: 0xB9EA6000 Size: 1052672 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\temp\perflib_perfdata_65c.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090603.004\EraserUtilDrv10910.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x886136a0

#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x886136d8

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x886ce840

#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa3d316b8

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x892c98f8

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa3d31574

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x887fa8b0

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x886131a0

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\Program Files\Symantec\SYMEVENT.SYS" at address 0xa3eda350

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa3d3114c

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spun.sys" at address 0xb9ec5ca4

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "spun.sys" at address 0xb9ec6032

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x891c2750

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x887fa970

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x886ce778

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x88604290

#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x887fa878

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa3d3164e

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa3d3108c

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x88756240

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa3d310f0

#: 129 Function Name: NtOpenThreadToken
Status: Hooked by "<unknown>" at address 0x886eb880

#: 160 Function Name: NtQueryKey
Status: Hooked by "spun.sys" at address 0xb9ec610a

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "<unknown>" at address 0x885243e0

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa3d3172e

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x8862c810

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x887f98b8

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x8862d688

#: 229 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x8860e8b0

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\Program Files\Symantec\SYMEVENT.SYS" at address 0xa3eda580

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x88524320

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x8860e878

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xa3e4bdf0

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x8872aa18

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x8872f560

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x886ce7b0

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x89dd51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x89dd51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x89dd51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x89dd51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x89dd51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x89dd51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x89dd51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x89dd51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89dd51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x89dd51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x89dd51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x89dd51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x89dd51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89dd51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89dd51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x89dd51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x89dd51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x89dd51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x89dd51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x89dd51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x89dd51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x89dd51f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0x89204500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System Address: 0x89204500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x89204500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System Address: 0x89204500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x89204500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x89204500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0x89204500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System Address: 0x89204500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89204500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x89204500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x89204500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x89204500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x89204500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89204500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89204500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x89204500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0x89204500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System Address: 0x89204500 Size: 121

Object: Hidden Code [Driver: aqolray5؅౨瑎晦܂ੈ, IRP_MJ_CREATE]
Process: System Address: 0x890c21f8 Size: 121

Object: Hidden Code [Driver: aqolray5؅౨瑎晦܂ੈ, IRP_MJ_CLOSE]
Process: System Address: 0x890c21f8 Size: 121

Object: Hidden Code [Driver: aqolray5؅౨瑎晦܂ੈ, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x890c21f8 Size: 121

Object: Hidden Code [Driver: aqolray5؅౨瑎晦܂ੈ, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x890c21f8 Size: 121

Object: Hidden Code [Driver: aqolray5؅౨瑎晦܂ੈ, IRP_MJ_POWER]
Process: System Address: 0x890c21f8 Size: 121

Object: Hidden Code [Driver: aqolray5؅౨瑎晦܂ੈ, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x890c21f8 Size: 121

Object: Hidden Code [Driver: aqolray5؅౨瑎晦܂ੈ, IRP_MJ_PNP]
Process: System Address: 0x890c21f8 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_CREATE]
Process: System Address: 0x8932e1f8 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_CLOSE]
Process: System Address: 0x8932e1f8 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_READ]
Process: System Address: 0x8932e1f8 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_WRITE]
Process: System Address: 0x8932e1f8 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8932e1f8 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8932e1f8 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_POWER]
Process: System Address: 0x8932e1f8 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8932e1f8 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_PNP]
Process: System Address: 0x8932e1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x89119500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x89119500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x89119500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x89119500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89119500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89119500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89119500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89119500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x89119500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89119500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x89119500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x891111f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x891111f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x891111f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x891111f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x891111f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x891111f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x891111f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x89dd71f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x89dd71f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x89dd71f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89dd71f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89dd71f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89dd71f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89dd71f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x89dd71f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x89dd71f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89dd71f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x89dd71f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x8911f500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x8911f500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8911f500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8911f500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x8911f500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x8911f500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x890e41f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x890e41f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x890e41f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x890e41f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x890e41f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x890e41f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x890e41f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x893231f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x893231f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x893231f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x893231f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x893231f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x893231f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x893231f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x893231f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x893231f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x893231f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x893231f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x893231f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x893231f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x893231f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x893231f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x893231f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x893231f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x893231f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x893231f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x893231f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x893231f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x893231f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x893231f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x893231f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x893231f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x893231f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x893231f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x893231f8 Size: 121

Object: Hidden Code [Driver: Cdfsࠅఒ扏捓⑈聖〈, IRP_MJ_CREATE]
Process: System Address: 0x892a2500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅఒ扏捓⑈聖〈, IRP_MJ_CLOSE]
Process: System Address: 0x892a2500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅఒ扏捓⑈聖〈, IRP_MJ_READ]
Process: System Address: 0x892a2500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅఒ扏捓⑈聖〈, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x892a2500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅఒ扏捓⑈聖〈, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x892a2500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅఒ扏捓⑈聖〈, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x892a2500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅఒ扏捓⑈聖〈, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x892a2500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅఒ扏捓⑈聖〈, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x892a2500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅఒ扏捓⑈聖〈, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x892a2500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅఒ扏捓⑈聖〈, IRP_MJ_SHUTDOWN]
Process: System Address: 0x892a2500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅఒ扏捓⑈聖〈, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x892a2500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅఒ扏捓⑈聖〈, IRP_MJ_CLEANUP]
Process: System Address: 0x892a2500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅఒ扏捓⑈聖〈, IRP_MJ_PNP]
Process: System Address: 0x892a2500 Size: 121

Hidden Services
-------------------
Service Name: kungsfebxvwqhc
Image Path: C:\WINDOWS\system32\drivers\kungsfrqhfunmt.sys

==EOF==


What next? :thumbsup:

#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,114 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:09:29 AM

Posted 04 June 2009 - 09:22 PM

Now the next step...

Rerun Rootrepeal. After the scan completes, go to the files tab and find these files:

C://WINDOWS\system32\Drivers\kungsfrqhfunmt.sys

Then use your mouse to highlight it in the Rootrepeal window.
Next right mouse click on it and select *wipe file* option only.
Then immediately reboot the computer.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#10 KRose

KRose
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:10:29 AM

Posted 04 June 2009 - 10:28 PM

I can't find that file. Under the file tab it reads:
c:\hiberfil.sys
c:\program files\common files\symantec shared\virusdefs\20090603.004\EraserUtilDrv10910.sys
There are things under temporary internet files\content.ies and under mozilla\firefox\profiles, but part of the file paths include my full name, so I don't want to paste here.

Oh!
I've found what you're looking for under the hidden services tab: C://WINDOWS\system32\Drivers\kungsfrqhfunmt.sys

Should I do anything about the other things under the files tab?

#11 KRose

KRose
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:10:29 AM

Posted 04 June 2009 - 10:58 PM

I right clicked the kungsfrqhfunmt.sys (under the hidden services tab) and clicked Wipe File. Said Yes to the prompt, but got an error window saying "Could not find file on disk!". >_<

#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,114 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:09:29 AM

Posted 04 June 2009 - 11:02 PM

Hi, would you mind sending it to me in a PM? How to use and send Personal Messages

I would also like to get another opinion on this rootkit by running GMER.

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Edited by boopme, 04 June 2009 - 11:14 PM.


#13 KRose

KRose
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:10:29 AM

Posted 05 June 2009 - 12:08 AM

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-05 01:05:14
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT 886136A0 ZwAlertResumeThread
SSDT 886136D8 ZwAlertThread
SSDT 886CE840 ZwAllocateVirtualMemory
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xA3D316B8]
SSDT 892C98F8 ZwConnectPort
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xA3D31574]
SSDT 887FA8B0 ZwCreateMutant
SSDT 886131A0 ZwCreateThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA3EDA350]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xA3D3114C]
SSDT spun.sys ZwEnumerateKey [0xB9EC5CA4]
SSDT spun.sys ZwEnumerateValueKey [0xB9EC6032]
SSDT 891C2750 ZwFreeVirtualMemory
SSDT 887FA970 ZwImpersonateAnonymousToken
SSDT 886CE778 ZwImpersonateThread
SSDT 88604290 ZwMapViewOfSection
SSDT 887FA878 ZwOpenEvent
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xA3D3164E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xA3D3108C]
SSDT 88756240 ZwOpenProcessToken
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xA3D310F0]
SSDT 886EB880 ZwOpenThreadToken
SSDT spun.sys ZwQueryKey [0xB9EC610A]
SSDT 885243E0 ZwQueryValueKey
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xA3D3172E]
SSDT 8862C810 ZwResumeThread
SSDT 887F98B8 ZwSetContextThread
SSDT 8862D688 ZwSetInformationProcess
SSDT 8860E8B0 ZwSetInformationThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA3EDA580]
SSDT 88524320 ZwSuspendProcess
SSDT 8860E878 ZwSuspendThread
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA3E4BDF0]
SSDT 8872AA18 ZwTerminateThread
SSDT 8872F560 ZwUnmapViewOfSection
SSDT 886CE7B0 ZwWriteVirtualMemory

INT 0x62 ? 89E45BF8
INT 0x63 ? 89114F00
INT 0x83 ? 89DD6BF8
INT 0xA4 ? 89114F00
INT 0xB4 ? 89114F00

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C08 805044A4 4 Bytes CALL 85E6CD15
? spun.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B4A628AC 5 Bytes JMP 891144E0
.text aqolray5.SYS B4957386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text aqolray5.SYS B49573AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text aqolray5.SYS B49573C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text aqolray5.SYS B49573C9 1 Byte [30]
.text aqolray5.SYS B49573C9 11 Bytes [30, 00, 00, 00, 5C, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESP; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text ...
? system32\drivers\kungsfrqhfunmt.sys The system cannot find the path specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[1924] SHELL32.dll!SHFileOperationW 7CA70924 5 Bytes JMP 021B1102 F:\Unlocker\UnlockerHook.dll

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EA8042] spun.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EA813E] spun.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EA80C0] spun.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EA8800] spun.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EA86D6] spun.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9EB7E9C] spun.sys
IAT \SystemRoot\System32\Drivers\aqolray5.SYS[HAL.dll!KfAcquireSpinLock] 18C4830E
IAT \SystemRoot\System32\Drivers\aqolray5.SYS[HAL.dll!READ_PORT_UCHAR] 1C8D9E88
IAT \SystemRoot\System32\Drivers\aqolray5.SYS[HAL.dll!KeGetCurrentIrql] 9E880000
IAT \SystemRoot\System32\Drivers\aqolray5.SYS[HAL.dll!KfRaiseIrql] 00001CA9
IAT \SystemRoot\System32\Drivers\aqolray5.SYS[HAL.dll!KfLowerIrql] 0E798366
IAT \SystemRoot\System32\Drivers\aqolray5.SYS[HAL.dll!HalGetInterruptVector] 74AAB000
IAT \SystemRoot\System32\Drivers\aqolray5.SYS[HAL.dll!HalTranslateBusAddress] 8186C636
IAT \SystemRoot\System32\Drivers\aqolray5.SYS[HAL.dll!KeStallExecutionProcessor] 1A00001C
IAT \SystemRoot\System32\Drivers\aqolray5.SYS[HAL.dll!KfReleaseSpinLock] 1C8386C6
IAT \SystemRoot\System32\Drivers\aqolray5.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] C6020000
IAT \SystemRoot\System32\Drivers\aqolray5.SYS[HAL.dll!READ_PORT_USHORT] 001C8E86
IAT \SystemRoot\System32\Drivers\aqolray5.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 86C60200
IAT \SystemRoot\System32\Drivers\aqolray5.SYS[HAL.dll!WRITE_PORT_UCHAR] 00001CAA
IAT \SystemRoot\System32\Drivers\aqolray5.SYS[WMILIB.SYS!WmiSystemControl] 8800001C
IAT \SystemRoot\System32\Drivers\aqolray5.SYS[WMILIB.SYS!WmiCompleteRequest] 001CB19E

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[804] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 005B0002
IAT C:\WINDOWS\system32\services.exe[804] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 005B0000

---- Devices - GMER 1.0.15 ----

Device 89DD51F8
Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device 89204500
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip aswRdr.SYS (avast! TDI RDR Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\usbehci \Device\USBPDO-0 890E41F8
Device \Driver\usbuhci \Device\USBPDO-1 891111F8
Device \Driver\usbuhci \Device\USBPDO-2 891111F8
Device \Driver\usbuhci \Device\USBPDO-3 891111F8
Device \Driver\usbuhci \Device\USBPDO-4 891111F8
Device \Driver\PCI_PNP7812 \Device\00000055 spun.sys

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp aswRdr.SYS (avast! TDI RDR Driver/ALWIL Software)

Device \Driver\Ftdisk \Device\HarddiskVolume1 89DD71F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{7E300EC5-D80E-4259-840B-ECD4D809605D} 8911F500
Device \Driver\Ftdisk \Device\HarddiskVolume2 89DD71F8
Device \Driver\Cdrom \Device\CdRom0 89119500
Device \Driver\Ftdisk \Device\HarddiskVolume3 89DD71F8
Device \Driver\Ftdisk \Device\HarddiskVolume4 89DD71F8
Device \Driver\Cdrom \Device\CdRom3 89119500
Device \Driver\NetBT \Device\NetBt_Wins_Export 8911F500
Device \Driver\NetBT \Device\NetbiosSmb 8911F500
Device \Driver\usbstor \Device\00000087 8932E1F8
Device \Driver\usbstor \Device\00000088 8932E1F8

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp aswRdr.SYS (avast! TDI RDR Driver/ALWIL Software)

Device \Driver\usbstor \Device\00000089 8932E1F8

AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\usbuhci \Device\USBFDO-0 891111F8
Device \Driver\usbuhci \Device\USBFDO-1 891111F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 893231F8
Device \Driver\usbuhci \Device\USBFDO-2 891111F8
Device 893231F8
Device \Driver\usbuhci \Device\USBFDO-3 891111F8
Device \Driver\usbehci \Device\USBFDO-4 890E41F8
Device \Driver\Ftdisk \Device\FtControl 89DD71F8
Device \Driver\sptd \Device\822399062 spun.sys
Device \Driver\aqolray5 \Device\Scsi\aqolray51Port2Path0Target0Lun0 890C21F8
Device \Driver\aqolray5 \Device\Scsi\aqolray51 890C21F8

AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service system32\drivers\kungsfrqhfunmt.sys (*** hidden *** ) [SYSTEM] kungsfebxvwqhc <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfebxvwqhc@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfebxvwqhc@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfebxvwqhc@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfebxvwqhc@imagepath \systemroot\system32\drivers\kungsfrqhfunmt.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x89 0xE3 0xA5 0x5B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x28 0x33 0xD8 0x5D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x12 0x6A 0xC5 0xAF ...
Reg HKLM\SYSTEM\ControlSet002\Services\kungsfebxvwqhc@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\kungsfebxvwqhc@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\kungsfebxvwqhc@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\kungsfebxvwqhc@imagepath \systemroot\system32\drivers\kungsfrqhfunmt.sys
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x89 0xE3 0xA5 0x5B ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x28 0x33 0xD8 0x5D ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x12 0x6A 0xC5 0xAF ...

---- EOF - GMER 1.0.15 ----

Also PM'ed you the RootRepeal stuff.
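A defender's triage script for logs in this format, added here as an example that is not part of the thread or of GMER itself: it parses sample lines constructed to mirror the GMER 1.0.15 line formats in the scan above, flags a hidden service whose registry image path GMER could not open on disk, and counts SSDT hooks per owning module. SAMPLE_LOG and its values are constructed; the service name, driver name and path constants are copied from the scan posted above only as sample data.

```python
"""Triage a GMER rootkit-scan log: list hidden services, cross-check them
against their registry entries and against the modules GMER could not open
on disk, and count SSDT hooks per owning module.
Added example for this thread, not GMER's own code; SAMPLE_LOG is constructed
to mirror the line formats of the scan posted above."""
import re
from collections import Counter, defaultdict

# Constructed sample in GMER 1.0.15 line formats (not a real scan result).
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----
SSDT 886136A0 ZwAlertResumeThread
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xA3D316B8]
SSDT spun.sys ZwEnumerateKey [0xB9EC5CA4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xA3D3164E]
---- Kernel code sections - GMER 1.0.15 ----
? spun.sys The system cannot find the file specified. !
? system32\drivers\kungsfrqhfunmt.sys The system cannot find the path specified. !
---- Services - GMER 1.0.15 ----
Service system32\drivers\kungsfrqhfunmt.sys (*** hidden *** ) [SYSTEM] kungsfebxvwqhc <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfebxvwqhc@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfebxvwqhc@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kungsfebxvwqhc@imagepath \systemroot\system32\drivers\kungsfrqhfunmt.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
---- EOF - GMER 1.0.15 ----
"""

# Line patterns for the GMER sections handled here.
SSDT_RE = re.compile(r"^SSDT\s+(\S+)(?:\s+\(.*?\))?\s+(Zw\w+)(?:\s+\[0x[0-9A-Fa-f]+\])?$")
MISSING_RE = re.compile(r"^\?\s+(\S+)\s+The system cannot find")
HIDDEN_RE = re.compile(r"^Service\s+(\S+)\s+\(\*\*\* hidden \*\*\* \)\s+\[\w+\]\s+(\S+)")
REG_RE = re.compile(r"^Reg\s+HKLM\\SYSTEM\\\S+?\\Services\\([^\\@\s]+)@(\w+)\s*(.*)$")
# Windows SCM values: Type 1 = SERVICE_KERNEL_DRIVER, Start 1 = SERVICE_SYSTEM_START.
SERVICE_KERNEL_DRIVER = "1"
SERVICE_SYSTEM_START = "1"


def basename(path):
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rstrip("\\").rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Return hidden-service findings, SSDT hook counts and unreadable modules."""
    hooks = Counter()          # SSDT hooks per owning module
    missing = set()            # modules GMER could not open on disk
    hidden = []                # (service name, image path) from the Services section
    reg = defaultdict(dict)    # service name -> {value name: data}
    for line in log_text.splitlines():
        if m := SSDT_RE.match(line):
            target = m.group(1)
            # A bare 8-digit hex address is a hook GMER could not attribute to
            # any loaded module; those deserve a closer look than named ones.
            unattributed = re.fullmatch(r"[0-9A-Fa-f]{8}", target) is not None
            hooks["<unattributed>" if unattributed else basename(target)] += 1
        elif m := MISSING_RE.match(line):
            missing.add(basename(m.group(1)))
        elif m := HIDDEN_RE.match(line):
            hidden.append((m.group(2), m.group(1)))
        elif m := REG_RE.match(line):
            reg[m.group(1)][m.group(2).lower()] = m.group(3)
    findings = []
    for name, image in hidden:
        vals = reg.get(name, {})
        findings.append({
            "service": name,
            "image": image,
            "kernel_driver": vals.get("type") == SERVICE_KERNEL_DRIVER,
            "system_start": vals.get("start") == SERVICE_SYSTEM_START,
            # Registry says the driver lives here, yet GMER cannot open it
            # there: the file itself is being hidden from the scanner.
            "image_unreadable": basename(image) in missing,
        })
    return {"hidden_services": findings, "ssdt_hooks": dict(hooks),
            "missing_modules": sorted(missing)}
```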

#14 KRose

KRose
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:10:29 AM

Posted 05 June 2009 - 08:43 AM

I've noticed some things in the C:// folder itself:
a folder that wasn't there before called Avenger. It's empty.
lsass3.exe
12065.exe
avenger.txt (never installed this program and doubt it came with it as the file was created on June the 4th)

There are other files, of course. I've googled them and they seem to check out. I'm going to delete the above.

#15 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,114 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:09:29 AM

Posted 05 June 2009 - 09:19 AM

Hello. The Avenger files are from a malware rootkit scanning tool. Are you the only person using this PC? You can delete those Avenger files.
We have rootkits and malware that need to be removed by use of specialized tools.

We need to run HJT/DDS.
Please follow this guide: Preparation Guide For Use Before Using Hijackthis. Then go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post that complete log.

Let me know if it went OK.
