Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Multiple virus/malware problems


  • This topic is locked This topic is locked
8 replies to this topic

#1 csice

csice

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:07:20 PM

Posted 26 June 2009 - 04:43 PM

Like I said, my Pioneer 115d dvd rw drive won't recognize blank disks. Also, google gets hijacked and the links take me to random, incorrect pages. Lastly, my copy of malwarebytes that I am trying to use to fix the problems won't open. Oh ya, I doubt it has anything to do with this, but I can't boot in safe mode either. Here is my HJT, it's long, hope I did it right. Thanks for any help!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:43:05 PM, on 6/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
D:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\imapi.exe
D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\IoctlSvc.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\TVersity\Media Server\MediaServer.exe
D:\Program Files\Viewpoint\Common\ViewpointService.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\RTHDCPL.EXE
D:\Program Files\Razer\razerhid.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\iTunes\iTunesHelper.exe
D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
D:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
D:\Program Files\HP\hpcoretech\hpcmpmgr.exe
D:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
D:\Program Files\uTorrent.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Razer\razerofa.exe
D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
D:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\AIM6\aim6.exe
D:\Program Files\AIM6\aolsoftware.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - D:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [razer] D:\Program Files\Razer\razerhid.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "D:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [LifeChat] "D:\Program Files\Microsoft LifeChat\LifeChat.exe"
O4 - HKLM\..\Run: [JMB36X IDE Setup] D:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "D:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "D:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "D:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "D:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [36X Raid Configurer] D:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKCU\..\Run: [uTorrent] "D:\Program Files\uTorrent.exe"
O4 - HKCU\..\Run: [P2kAutostart] V600
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - S-1-5-18 Startup: TVersity Media Server.lnk = D:\Program Files\TVersity\Media Server\web\admin\TVersity.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: TVersity Media Server.lnk = D:\Program Files\TVersity\Media Server\web\admin\TVersity.exe (User 'Default user')
O4 - Startup: TVersity Media Server.lnk = D:\Program Files\TVersity\Media Server\web\admin\TVersity.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab
O16 - DPF: {C9D7D239-B502-48B3-BA25-9DF8C7264073} (CCAWebLogin Control) - https://munacsri.marshall.edu/auth/CCALogin.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{B1BA8AB8-CA76-44DA-B73C-FFB122C452EE}: NameServer = 85.255.112.69,85.255.112.209
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.69,85.255.112.209
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.112.69,85.255.112.209
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.69,85.255.112.209
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Unknown owner - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - Unknown owner - D:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Symantec Eraser Service (EraserSvc10910) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: GAM - Unknown owner - D:\DOCUME~1\CODY~1.COD\LOCALS~1\Temp\GAM.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - D:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: MBAMService - Unknown owner - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (file missing)
O23 - Service: NBService - Unknown owner - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe (file missing)
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - D:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - D:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: TVersityMediaServer - Unknown owner - D:\Program Files\TVersity\Media Server\MediaServer.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - D:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - D:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
O23 - Service: Marvell Yukon Service (yksvc) - Unknown owner - RUNDLL32.EXE (file missing)

--
End of file - 10154 bytes

BC AdBot (Login to Remove)

 


#2 DocSatan

DocSatan

    Bleepin' Wanna-Be


  • Members
  • 2,156 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston, Ma.
  • Local time:08:20 PM

Posted 01 July 2009 - 11:16 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

#3 csice

csice
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:07:20 PM

Posted 02 July 2009 - 06:46 PM

I have a few issues:

My Pioneer 115d dvd rw drive will not recognize blank disks. I did download the newest version of firmware, but when I try to extract the self-extracting file anywhere, it says available target not found.

I get hijacked at google. When clicking links, it will take me to incorrect, random sites once or twice before allowing me to go to the correct page. I have downloaded malwarebytes, but it will not run when I try to open it, nothing happens, I just get a load icon for a second. I tried to open it in safe mode, but I am unable to boot in safe mode. I have tried pressing F8 upon restart, but nothing happens. I have tried to do it manually in the msconfig boot tab, but I have no boot tab.

Attached Files

  • Attached File  log.zip   2.73KB   5 downloads
  • Attached File  log2.zip   4.48KB   3 downloads


#4 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:01:20 AM

Posted 04 July 2009 - 08:50 PM

Hello and welcome to Bleeping Computer.

My name is Syler, I will be helping you to solve your Malware issues. Whilst I am helping you, I would
be grateful if you would note the following:
  • Please do not run other tools or scans unless I ask you to and follow all the steps I give you, in order.
  • Copy and paste all logs requested in you reply, Do not attach them unless asked too.
  • If you don't know or understand something, please don't hesitate to say or ask before you proceed with my instructions.
  • Please continue to work with me, until I tell you your machine appears to be clean. Absence of symptoms does not mean that everything is clear.
  • If I do not hear back from you within 5 days of my last post, then this topic will be closed.
Peer-to-Peer Programs Warning
Your log shows that you are using so called peer-to-peer or file-sharing programs (in your case uTorrent). These programs allow to share files between users as the name(s) suggest. In today's world cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

It is your decision whether or not you wish to keep your program(s). However, please refrain from using them until your computer has been declared clean.


Let's see if we can get Malwarebytes to run. First you need to make sure you can see file extensions.

1. Double-click on the My Computer icon.
2. Select the Tools menu and click Folder Options.
3. After the new window appears select the View tab.
4. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
5. Press the Apply button and then the OK button.

Now right click on mbam.exe and select rename, then rename it to scumremover.exe, if that doesn't work try scumremover.bat.
Then try to run it again, if it runs perform a full scan and post back with the log.

Next
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
Then please post back here with the following:
  • MBAM log
  • log.txt
  • info.txt
Thanks

unite.jpg


#5 csice

csice
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:07:20 PM

Posted 05 July 2009 - 03:08 PM

Renaming the files did not work unfortunately.

#6 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:01:20 AM

Posted 05 July 2009 - 05:44 PM

We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs, as this process may crash your computer.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Double click on Gmer to run it.
  • Allow the gmer.sys driver to load if asked.
  • You may see a rootkit warning window, If you do, click No.
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.


Then post back the Gmer log and and both Rsit logs.

Thanks

unite.jpg


#7 csice

csice
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:07:20 PM

Posted 05 July 2009 - 09:29 PM

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-05 22:28:14
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT 8A4C53F8 ZwConnectPort
SSDT sptd.sys ZwCreateKey [0xF74ED0D0]
SSDT sptd.sys ZwEnumerateKey [0xF74F2FB2]
SSDT sptd.sys ZwEnumerateValueKey [0xF74F3340]
SSDT sptd.sys ZwOpenKey [0xF74ED0B0]
SSDT \??\D:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender S.R.L.) ZwOpenProcess [0xACF47C90]
SSDT \??\D:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender S.R.L.) ZwOpenThread [0xACF47D7E]
SSDT sptd.sys ZwQueryKey [0xF74F3418]
SSDT sptd.sys ZwQueryValueKey [0xF74F3298]
SSDT sptd.sys ZwSetValueKey [0xF74F34AA]
SSDT \??\D:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender S.R.L.) ZwTerminateProcess [0xACF47BF4]
SSDT \??\D:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender S.R.L.) ZwTerminateThread [0xACF47EC4]

Code 8A3F2580 ZwFlushInstructionCache
Code 8A3F159E IofCallDriver
Code 8A3F139E IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E13A7 5 Bytes JMP 8A3F15A3
.text ntoskrnl.exe!IofCompleteRequest 804E17BD 5 Bytes JMP 8A3F13A3
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80587BFB 5 Bytes JMP 8A3F2584
? D:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload B9CE18AC 5 Bytes JMP 8A6051C8
? System32\Drivers\aquwedd3.SYS The system cannot find the path specified. !

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!IoConnectInterrupt] [F750406C] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F7504018] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F75269AE] sptd.sys
IAT atapi.sys[ntoskrnl.exe!IoConnectInterrupt] [F750406C] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F74EDAD4] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F74EDC1A] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F74EDB9C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F74EE748] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F74EE61E] sptd.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A7D61E8

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)

Device \Driver\usbuhci \Device\USBPDO-0 8A6041E8
Device \Driver\usbuhci \Device\USBPDO-1 8A6041E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A7D81E8
Device \Driver\dmio \Device\DmControl\DmConfig 8A7D81E8
Device \Driver\dmio \Device\DmControl\DmPnP 8A7D81E8
Device \Driver\dmio \Device\DmControl\DmInfo 8A7D81E8
Device \Driver\usbehci \Device\USBPDO-2 8A6291E8
Device \Driver\usbuhci \Device\USBPDO-3 8A6041E8
Device \Driver\usbuhci \Device\USBPDO-4 8A6041E8
Device \Driver\PCI_NTPNP6514 \Device\00000055 sptd.sys
Device \Driver\PCI_NTPNP6514 \Device\00000055 sptd.sys

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)

Device \Driver\usbuhci \Device\USBPDO-5 8A6041E8
Device \Driver\usbehci \Device\USBPDO-6 8A6291E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A84A1E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A84A1E8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8A432790
Device \Driver\NetBT \Device\NetbiosSmb 8A432790

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)

Device \Driver\usbuhci \Device\USBFDO-0 8A6041E8
Device \Driver\usbuhci \Device\USBFDO-1 8A6041E8
Device \Driver\usbehci \Device\USBFDO-2 8A6291E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89DD5790
Device \FileSystem\MRxSmb \Device\LanmanRedirector 89DD5790
Device \Driver\usbuhci \Device\USBFDO-3 8A6041E8
Device \Driver\usbuhci \Device\USBFDO-4 8A6041E8
Device \Driver\Ftdisk \Device\FtControl 8A84A1E8
Device \Driver\usbuhci \Device\USBFDO-5 8A6041E8
Device \Driver\usbehci \Device\USBFDO-6 8A6291E8
Device \Driver\aquwedd3 \Device\Scsi\aquwedd31 8A4A7790
Device \Driver\JRAID \Device\Scsi\JRAID1Port4Path0Target0Lun0 8A7D71E8
Device \Driver\aquwedd3 \Device\Scsi\aquwedd31Port5Path0Target0Lun0 8A4A7790
Device \Driver\JRAID \Device\Scsi\JRAID1 8A7D71E8
Device \Driver\JRAID \Device\Scsi\JRAID1Port4Path0Target1Lun0 8A7D71E8
Device \FileSystem\Cdfs \Cdfs 89DEF790
---- Processes - GMER 1.0.15 ----

Library D:\Program (*** hidden *** ) @ D:\Program [284] 0x00400000
Library \\?\globalroot\systemroot\system32\gxvxccbtwmksgloakkqpfnrfrtmtowvagdxuf.dll (*** hidden *** ) @ D:\Program Files\Mozilla Firefox\firefox.exe [956] 0x10000000
Library D:\Program (*** hidden *** ) @ D:\Program [3272] 0x00400000

---- Services - GMER 1.0.15 ----

Service system32\drivers\gaopdxkrsuhgkh.sys (*** hidden *** ) [SYSTEM] gaopdxserv.sys <-- ROOTKIT !!!
Service D:\WINDOWS\system32\drivers\gxvxcuhtodconchmwspqxapltqqdhctkuairg.sys (*** hidden *** ) [SYSTEM] gxvxcserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxkrsuhgkh.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxkrsuhgkh.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxxalhycxl.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@imagepath \systemroot\system32\drivers\gxvxcuhtodconchmwspqxapltqqdhctkuairg.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys\modules@gxvxcserv \\?\globalroot\systemroot\system32\drivers\gxvxcuhtodconchmwspqxapltqqdhctkuairg.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys\modules@gxvxcl \\?\globalroot\systemroot\system32\gxvxccbtwmksgloakkqpfnrfrtmtowvagdxuf.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 -1526415412
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 1586885067
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xEB 0x57 0x6D 0x3E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 D:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x19 0xAD 0x52 0xB9 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x80 0x15 0x9A 0xEC ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xEA 0xBA 0x38 0xBA ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x9B 0xCE 0xBD 0x96 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x48 0x81 0xF2 0xF7 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xEB 0x57 0x6D 0x3E ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 D:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x19 0xAD 0x52 0xB9 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x80 0x15 0x9A 0xEC ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x8D 0x33 0x3B 0x48 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x9B 0xCE 0xBD 0x96 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x48 0x81 0xF2 0xF7 ...
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxkrsuhgkh.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxkrsuhgkh.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxxalhycxl.dll
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys@imagepath \systemroot\system32\drivers\gxvxcuhtodconchmwspqxapltqqdhctkuairg.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys\modules
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys\modules@gxvxcserv \\?\globalroot\systemroot\system32\drivers\gxvxcuhtodconchmwspqxapltqqdhctkuairg.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys\modules@gxvxcl \\?\globalroot\systemroot\system32\gxvxccbtwmksgloakkqpfnrfrtmtowvagdxuf.dll
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xEB 0x57 0x6D 0x3E ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 D:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x19 0xAD 0x52 0xB9 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x80 0x15 0x9A 0xEC ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xEA 0xBA 0x38 0xBA ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x9B 0xCE 0xBD 0x96 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x48 0x81 0xF2 0xF7 ...

---- Files - GMER 1.0.15 ----

File D:\WINDOWS\system32\drivers\gxvxcuhtodconchmwspqxapltqqdhctkuairg.sys 62208 bytes executable <-- ROOTKIT !!!
File D:\WINDOWS\system32\gxvxccbtwmksgloakkqpfnrfrtmtowvagdxuf.dll 26625 bytes executable
File D:\WINDOWS\system32\gxvxccounter 4 bytes

---- EOF - GMER 1.0.15 ----

#8 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:01:20 AM

Posted 05 July 2009 - 09:37 PM

One or more of the identified infections is a backdoor trojan/Rootkit.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide you want to proceed with trying to clean your machine please follow these next steps.


We will begin with ComboFix.

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

unite.jpg


#9 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:01:20 AM

Posted 10 July 2009 - 06:57 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

unite.jpg





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users