Virus/Malware/Rootkits on my personal Windows XP CPU


This topic is locked
4 replies to this topic

#1 DownNDirtyTN

DownNDirtyTN

  • Members
  • 3 posts

Posted 14 October 2009 - 06:36 PM

Hello and thank you for anyone who reads this and can possibly help this poor guy out. I will try and be as detailed as possible and do anything that is asked of me in this topic. I know that I've got virus/malware/rootkits on this PC. I guess it was maybe around a couple of months ago when I realized I had a huge problem. One morning I came into the den and saw that my computer was running Windows Antivirus 2009 and a couple of other virus scanners (viruses) on my PC. I shut it down and then had a heck of a time getting it back even in working condition. I finally somehow got one of my virus scanners (AVG Antivirus) to run in Safe Mode that I thought got rid of the viruses on the PC.

After I got the PC working again by regular boot I downloaded various other programs and ran all kinds of scans and removed problem after problem. I have on my PC now the following Antivirus programs:

AVG Antivirus
Avira

Also have:

Malwarebytes
SuperAntiSpyware
Spybot
Spyware Blaster
Eusing Registry cleaner

Well, it's apparent to me that I'm not doing something correctly and I've still got several issues with my PC. First, the computer is running slower than it really should be for sure. Also, running ImgBurn gives me the warning that:

You've got a virus/rootkit (or similar) blocking access to the drives via SPTI.

A couple of weeks ago my PC wasn't even recognizing the DVD drive or my USB printer.

This is a home built computer done by my brother in law for me early last year. But, it has my old C: drive on it as he just moved it over. And the new 750 GB hard drive I got I just made my backup drive for junk.

I've run a couple of virus scans and spyware scans today and it's not bringing anything up at all. I looked through the forums here and tried to run RootRepeal but it gets hung on the initializing screen. I successfully ran Gmer (sp??) earlier but it seemed to also lock my computer up. I had to restart it after I ran that scan as I couldn't get into any of my programs after the scan finished.

I will run any scan necessary and do whatever it takes and wait patiently for help. I understand that it could take some time to fix this PC but I would like to get it fixed and running properly. If I've been vague at all I apologize but I don't know exactly what to put in this initial post more than what I have. I am sure I will have to post some type of logs for someone but will wait until certain ones are requested before I do anything else to this PC.

I will give my system specs below as well, if that makes any difference at all.

Microsoft Windows XP Professional
AMD Athlon 64 X2 Dual
Core Processor 6400+
3.21 GHz, 3.50 GB RAM


#2 rigel

rigel

    FD-BC


  • BC Advisor
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 14 October 2009 - 09:58 PM

Let's verify with RootRepeal.

We need to check for rootkits with RootRepeal:
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#3 DownNDirtyTN

DownNDirtyTN
  • Topic Starter

  • Members
  • 3 posts

Posted 15 October 2009 - 09:33 AM

RootRepeal kept freezing so I ran Gmer instead - hope that's ok. I saw others were advised to do so if RootRepeal would not work. Below is the log. Before that though, maybe a bit more useful information. Seems in Google Chrome if I do a Google search I'm auto redirected to various pages instead of the ones I click. I found a remedy to that - if I right click the file and click open in new tab it always takes me to the correct link, but I realize there's something causing it to do that and I shouldn't have to do that.


The scan log from GMER:



GMER 1.0.15.15125 - http://www.gmer.net
Rootkit scan 2009-10-15 10:29:36
Windows 5.1.2600 Service Pack 2
Running: ppngiwzr.exe; Driver: C:\DOCUME~1\user\LOCALS~1\Temp\fxddapoc.sys


---- System - GMER 1.0.15 ----

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xB9D8B514]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xB9D7A282]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xB9D7A474]
SSDT BA6AABCC ZwCreateThread
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xB9D8BD00]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xB9D8BFB8]
SSDT spug.sys ZwEnumerateKey [0xB9EC5CA4]
SSDT spug.sys ZwEnumerateValueKey [0xB9EC6032]
SSDT BA6AABEA ZwLoadKey
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xB9D8A3FA]
SSDT BA6AABB8 ZwOpenProcess
SSDT BA6AABBD ZwOpenThread
SSDT spug.sys ZwQueryKey [0xB9EC610A]
SSDT spug.sys ZwQueryValueKey [0xB9EC5F8A]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xB9D8C422]
SSDT BA6AABF4 ZwReplaceKey
SSDT BA6AABEF ZwRestoreKey
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xB9D8B7D8]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xB9D79F32]

INT 0x62 ? 8B640BF8
INT 0x63 ? 8B640BF8
INT 0x63 ? 8B640BF8
INT 0x63 ? 8B63FBF8
INT 0x63 ? 8B640BF8
INT 0x73 ? 8B640BF8
INT 0x73 ? 8B640BF8
INT 0x73 ? 8B640BF8
INT 0x83 ? 8B640BF8
INT 0x83 ? 8B640BF8
INT 0x83 ? 8B63FBF8
INT 0x83 ? 8B640BF8
INT 0xB4 ? 8B5D0BF8
INT 0xB4 ? 8B5D0BF8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2D14 80503AC8 4 Bytes JMP 7EBA6AAB
? etoprsa.sys The system cannot find the file specified. !
? spug.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B8D2E62C 5 Bytes JMP 8B63F1D8
? C:\WINNT\system32\drivers\rootrepeal.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3672] ntdll.dll!NtCreateFile + 6 7C90D688 4 Bytes [28, 00, 16, 00]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3672] ntdll.dll!NtCreateFile + B 7C90D68D 1 Byte [E2]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3672] ntdll.dll!NtMapViewOfSection + 6 7C90DC5B 1 Byte [28]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3672] ntdll.dll!NtMapViewOfSection + 6 7C90DC5B 4 Bytes [28, 03, 16, 00]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3672] ntdll.dll!NtMapViewOfSection + B 7C90DC60 1 Byte [E2]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3672] ntdll.dll!NtOpenFile + 6 7C90DD03 4 Bytes [68, 00, 16, 00]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3672] ntdll.dll!NtOpenFile + B 7C90DD08 1 Byte [E2]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3672] ntdll.dll!NtOpenProcess + 6 7C90DD81 4 Bytes [A8, 01, 16, 00]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3672] ntdll.dll!NtOpenProcess + B 7C90DD86 1 Byte [E2]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3672] ntdll.dll!NtOpenProcessToken + 6 7C90DD96 4 Bytes CALL 7B90F39C
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3672] ntdll.dll!NtOpenProcessToken + B 7C90DD9B 1 Byte [E2]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3672] ntdll.dll!NtOpenProcessTokenEx + 6 7C90DDAB 4 Bytes [A8, 02, 16, 00]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3672] ntdll.dll!NtOpenProcessTokenEx + B 7C90DDB0 1 Byte [E2]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3672] ntdll.dll!NtOpenThread + 6 7C90DDFF 4 Bytes [68, 01, 16, 00]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3672] ntdll.dll!NtOpenThread + B 7C90DE04 1 Byte [E2]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3672] ntdll.dll!NtOpenThreadToken + 6 7C90DE14 4 Bytes [68, 02, 16, 00]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3672] ntdll.dll!NtOpenThreadToken + B 7C90DE19 1 Byte [E2]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3672] ntdll.dll!NtOpenThreadTokenEx + 6 7C90DE29 4 Bytes CALL 7B90F430
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3672] ntdll.dll!NtOpenThreadTokenEx + B 7C90DE2E 1 Byte [E2]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3672] ntdll.dll!NtQueryAttributesFile + 6 7C90DEE6 4 Bytes [A8, 00, 16, 00]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3672] ntdll.dll!NtQueryAttributesFile + B 7C90DEEB 1 Byte [E2]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3672] ntdll.dll!NtQueryFullAttributesFile + 6 7C90DFB8 4 Bytes CALL 7B90F5BD
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3672] ntdll.dll!NtQueryFullAttributesFile + B 7C90DFBD 1 Byte [E2]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3672] ntdll.dll!NtSetInformationFile + 6 7C90E5DF 4 Bytes [28, 01, 16, 00]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3672] ntdll.dll!NtSetInformationFile + B 7C90E5E4 1 Byte [E2]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3672] ntdll.dll!NtSetInformationThread + 6 7C90E648 4 Bytes [28, 02, 16, 00]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3672] ntdll.dll!NtSetInformationThread + B 7C90E64D 1 Byte [E2]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3672] ntdll.dll!NtUnmapViewOfSection + 6 7C90E966 1 Byte [68]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3672] ntdll.dll!NtUnmapViewOfSection + 6 7C90E966 4 Bytes [68, 03, 16, 00]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3672] ntdll.dll!NtUnmapViewOfSection + B 7C90E96B 1 Byte [E2]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4276] ntdll.dll!NtCreateFile + 6 7C90D688 4 Bytes [28, 00, 16, 00]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4276] ntdll.dll!NtCreateFile + B 7C90D68D 1 Byte [E2]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4276] ntdll.dll!NtMapViewOfSection + 6 7C90DC5B 1 Byte [28]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4276] ntdll.dll!NtMapViewOfSection + 6 7C90DC5B 4 Bytes [28, 03, 16, 00]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4276] ntdll.dll!NtMapViewOfSection + B 7C90DC60 1 Byte [E2]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4276] ntdll.dll!NtOpenFile + 6 7C90DD03 4 Bytes [68, 00, 16, 00]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4276] ntdll.dll!NtOpenFile + B 7C90DD08 1 Byte [E2]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4276] ntdll.dll!NtOpenProcess + 6 7C90DD81 4 Bytes [A8, 01, 16, 00]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4276] ntdll.dll!NtOpenProcess + B 7C90DD86 1 Byte [E2]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4276] ntdll.dll!NtOpenProcessToken + 6 7C90DD96 4 Bytes CALL 7B90F39C
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4276] ntdll.dll!NtOpenProcessToken + B 7C90DD9B 1 Byte [E2]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4276] ntdll.dll!NtOpenProcessTokenEx + 6 7C90DDAB 4 Bytes [A8, 02, 16, 00]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4276] ntdll.dll!NtOpenProcessTokenEx + B 7C90DDB0 1 Byte [E2]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4276] ntdll.dll!NtOpenThread + 6 7C90DDFF 4 Bytes [68, 01, 16, 00]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4276] ntdll.dll!NtOpenThread + B 7C90DE04 1 Byte [E2]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4276] ntdll.dll!NtOpenThreadToken + 6 7C90DE14 4 Bytes [68, 02, 16, 00]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4276] ntdll.dll!NtOpenThreadToken + B 7C90DE19 1 Byte [E2]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4276] ntdll.dll!NtOpenThreadTokenEx + 6 7C90DE29 4 Bytes CALL 7B90F430
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4276] ntdll.dll!NtOpenThreadTokenEx + B 7C90DE2E 1 Byte [E2]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4276] ntdll.dll!NtQueryAttributesFile + 6 7C90DEE6 4 Bytes [A8, 00, 16, 00]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4276] ntdll.dll!NtQueryAttributesFile + B 7C90DEEB 1 Byte [E2]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4276] ntdll.dll!NtQueryFullAttributesFile + 6 7C90DFB8 4 Bytes CALL 7B90F5BD
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4276] ntdll.dll!NtQueryFullAttributesFile + B 7C90DFBD 1 Byte [E2]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4276] ntdll.dll!NtSetInformationFile + 6 7C90E5DF 4 Bytes [28, 01, 16, 00]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4276] ntdll.dll!NtSetInformationFile + B 7C90E5E4 1 Byte [E2]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4276] ntdll.dll!NtSetInformationThread + 6 7C90E648 4 Bytes [28, 02, 16, 00]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4276] ntdll.dll!NtSetInformationThread + B 7C90E64D 1 Byte [E2]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4276] ntdll.dll!NtUnmapViewOfSection + 6 7C90E966 1 Byte [68]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4276] ntdll.dll!NtUnmapViewOfSection + 6 7C90E966 4 Bytes [68, 03, 16, 00]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4276] ntdll.dll!NtUnmapViewOfSection + B 7C90E96B 1 Byte [E2]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5236] ntdll.dll!NtCreateFile + 6 7C90D688 4 Bytes [28, 00, 16, 00]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5236] ntdll.dll!NtCreateFile + B 7C90D68D 1 Byte [E2]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5236] ntdll.dll!NtMapViewOfSection + 6 7C90DC5B 1 Byte [28]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5236] ntdll.dll!NtMapViewOfSection + 6 7C90DC5B 4 Bytes [28, 03, 16, 00]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5236] ntdll.dll!NtMapViewOfSection + B 7C90DC60 1 Byte [E2]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5236] ntdll.dll!NtOpenFile + 6 7C90DD03 4 Bytes [68, 00, 16, 00]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5236] ntdll.dll!NtOpenFile + B 7C90DD08 1 Byte [E2]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5236] ntdll.dll!NtOpenProcess + 6 7C90DD81 4 Bytes [A8, 01, 16, 00]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5236] ntdll.dll!NtOpenProcess + B 7C90DD86 1 Byte [E2]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5236] ntdll.dll!NtOpenProcessToken + 6 7C90DD96 4 Bytes CALL 7B90F39C
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5236] ntdll.dll!NtOpenProcessToken + B 7C90DD9B 1 Byte [E2]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5236] ntdll.dll!NtOpenProcessTokenEx + 6 7C90DDAB 4 Bytes [A8, 02, 16, 00]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5236] ntdll.dll!NtOpenProcessTokenEx + B 7C90DDB0 1 Byte [E2]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5236] ntdll.dll!NtOpenThread + 6 7C90DDFF 4 Bytes [68, 01, 16, 00]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5236] ntdll.dll!NtOpenThread + B 7C90DE04 1 Byte [E2]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5236] ntdll.dll!NtOpenThreadToken + 6 7C90DE14 4 Bytes [68, 02, 16, 00]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5236] ntdll.dll!NtOpenThreadToken + B 7C90DE19 1 Byte [E2]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5236] ntdll.dll!NtOpenThreadTokenEx + 6 7C90DE29 4 Bytes CALL 7B90F430
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5236] ntdll.dll!NtOpenThreadTokenEx + B 7C90DE2E 1 Byte [E2]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5236] ntdll.dll!NtQueryAttributesFile + 6 7C90DEE6 4 Bytes [A8, 00, 16, 00]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5236] ntdll.dll!NtQueryAttributesFile + B 7C90DEEB 1 Byte [E2]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5236] ntdll.dll!NtQueryFullAttributesFile + 6 7C90DFB8 4 Bytes CALL 7B90F5BD
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5236] ntdll.dll!NtQueryFullAttributesFile + B 7C90DFBD 1 Byte [E2]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5236] ntdll.dll!NtSetInformationFile + 6 7C90E5DF 4 Bytes [28, 01, 16, 00]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5236] ntdll.dll!NtSetInformationFile + B 7C90E5E4 1 Byte [E2]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5236] ntdll.dll!NtSetInformationThread + 6 7C90E648 4 Bytes [28, 02, 16, 00]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5236] ntdll.dll!NtSetInformationThread + B 7C90E64D 1 Byte [E2]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5236] ntdll.dll!NtUnmapViewOfSection + 6 7C90E966 1 Byte [68]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5236] ntdll.dll!NtUnmapViewOfSection + 6 7C90E966 4 Bytes [68, 03, 16, 00]
.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5236] ntdll.dll!NtUnmapViewOfSection + B 7C90E96B 1 Byte [E2]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EA8042] spug.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EA813E] spug.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EA80C0] spug.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EA8800] spug.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EA86D6] spug.sys

---- Devices - GMER 1.0.15 ----

Device 8B5CB1F8
Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device 8AEFE500
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\usbohci \Device\USBPDO-0 8B5CD1F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8B5CE1F8
Device \Driver\dmio \Device\DmControl\DmConfig 8B5CE1F8
Device \Driver\dmio \Device\DmControl\DmPnP 8B5CE1F8
Device \Driver\dmio \Device\DmControl\DmInfo 8B5CE1F8
Device \Driver\usbehci \Device\USBPDO-1 8B0CB1F8

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\dmio \Device\HarddiskDmVolumes\PhysicalDmVolumes\RawVolume1 8B5CE1F8
Device \Driver\dmio \Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume1 8B5CE1F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8B6411F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8B6411F8
Device \Driver\Cdrom \Device\CdRom1 8B0CD1F8
Device \Driver\atapi \Device\Ide\IdePort0 8B6401F8
Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-22 8B6401F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 8B6401F8
Device \Driver\atapi \Device\Ide\IdePort1 8B6401F8
Device \Driver\atapi \Device\Ide\IdePort2 8B6401F8
Device \Driver\atapi \Device\Ide\IdePort3 8B6401F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c 8B6401F8
Device \Driver\atapi \Device\Ide\IdePort4 8B6401F8
Device \Driver\atapi \Device\Ide\IdePort5 8B6401F8
Device \Driver\atapi \Device\Ide\IdePort6 8B6401F8
Device \Driver\atapi \Device\Ide\IdePort7 8B6401F8
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-17 8B6401F8
Device \Driver\Cdrom \Device\CdRom3 8B0CD1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{10340FAE-93D2-4A2A-A27F-65DA65C43917} 8A0DB1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8A0DB1F8
Device \Driver\NetBT \Device\NetbiosSmb 8A0DB1F8

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\usbohci \Device\USBFDO-0 8B5CD1F8
Device \Driver\usbehci \Device\USBFDO-1 8B0CB1F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A07D1F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A07D1F8
Device \Driver\Ftdisk \Device\FtControl 8B6411F8
Device \Driver\SI3132 \Device\Scsi\SI31321 8B5CC1F8
Device \FileSystem\Fastfat \Fat 8AEFE500

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device \FileSystem\Cdfs \Cdfs 8AF00500

---- Services - GMER 1.0.15 ----

Service system32\drivers\SKYNETvhmiojnb.sys (*** hidden *** ) [DISABLED] SKYNETfuvnwyvr <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETfuvnwyvr@start 4
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETfuvnwyvr@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETfuvnwyvr@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETfuvnwyvr@imagepath \systemroot\system32\drivers\SKYNETvhmiojnb.sys
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETfuvnwyvr\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETfuvnwyvr\main@aid 10156
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETfuvnwyvr\main@sid 0
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETfuvnwyvr\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETfuvnwyvr\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETfuvnwyvr\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETfuvnwyvr\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETfuvnwyvr\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETfuvnwyvr\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETvhmiojnb.sys
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETfuvnwyvr\modules@SKYNETcmd.dll \systemroot\system32\SKYNETqeecrnss.dll
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETfuvnwyvr\modules@SKYNETlog.dat \systemroot\system32\SKYNETpqqmiteg.dat
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETfuvnwyvr\modules@SKYNETwsp.dll \systemroot\system32\SKYNETqduxtivc.dll
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETfuvnwyvr\modules@SKYNET.dat \systemroot\system32\SKYNETvnylkyfv.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETfuvnwyvr@start 4
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETfuvnwyvr@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETfuvnwyvr@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETfuvnwyvr@imagepath \systemroot\system32\drivers\SKYNETvhmiojnb.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETfuvnwyvr\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETfuvnwyvr\main@aid 10156
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETfuvnwyvr\main@sid 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETfuvnwyvr\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETfuvnwyvr\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETfuvnwyvr\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETfuvnwyvr\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETfuvnwyvr\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETfuvnwyvr\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETvhmiojnb.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETfuvnwyvr\modules@SKYNETcmd.dll \systemroot\system32\SKYNETqeecrnss.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETfuvnwyvr\modules@SKYNETlog.dat \systemroot\system32\SKYNETpqqmiteg.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETfuvnwyvr\modules@SKYNETwsp.dll \systemroot\system32\SKYNETqduxtivc.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETfuvnwyvr\modules@SKYNET.dat \systemroot\system32\SKYNETvnylkyfv.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@NoChange 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\Nova Development\Art Explosion Publisher Pro\1.0\Wizards\Desktop\Calendars\Year on a Page\8\xbdx11 inch\Business.npp 1

#4 rigel

rigel

    FD-BC


  • BC Advisor
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 15 October 2009 - 12:07 PM

It is confirmed. You have a rootkit - TDSS variant. This is a pretty nasty rootkit that has the abilities to steal passwords and other information. I recommend changing all on-line passwords from a clean computer.

Please follow this guide from step (6). Post a HJT log to the HJT forum and a Team member will be along to help you as soon as possible. You may wish to post a link back to this topic to see what was discussed thus far.

If you need any help with the guide, please let me know. Expect a 1.5 week response time from that team.

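An added example (not code from this thread, BleepingComputer or GMER): a small Python triage script that reads a GMER log and pulls out what rigel keyed on in the log above, namely the service GMER marks as hidden, the registry and file artifacts that share its randomly suffixed name prefix, and any SSDT hooks GMER could not attribute to a loaded module. The sample lines are a constructed excerpt of the log posted above; the capitalised-prefix heuristic is an assumption tied to that log's naming pattern.

```python
"""GMER log triage: added example, not code from this thread, BleepingComputer or GMER."""
import re
from collections import defaultdict

# Constructed excerpt of the GMER log posted above (representative lines only).
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xB9D8B514]
SSDT BA6AABCC ZwCreateThread
SSDT spug.sys ZwEnumerateKey [0xB9EC5CA4]
SSDT BA6AABB8 ZwOpenProcess
---- Services - GMER 1.0.15 ----
Service system32\drivers\SKYNETvhmiojnb.sys (*** hidden *** ) [DISABLED] SKYNETfuvnwyvr <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETfuvnwyvr@imagepath \systemroot\system32\drivers\SKYNETvhmiojnb.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETfuvnwyvr\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETfuvnwyvr\modules@SKYNETcmd.dll \systemroot\system32\SKYNETqeecrnss.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETfuvnwyvr\modules@SKYNET.dat \systemroot\system32\SKYNETvnylkyfv.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
# "SSDT <owner> [(description)] <ZwFunction> [address]": owner is a module name, or a
# bare 8-hex-digit address when GMER cannot map the hook to any loaded module.
SSDT_RE = re.compile(r"^SSDT\s+(\S+)(?:\s+\(.*?\))?\s+(Zw\w+)")
HEX_ADDR_RE = re.compile(r"[0-9A-F]{8}")
SERVICE_RE = re.compile(r"^Service\s+(\S+)\s+\(\*\*\* hidden \*\*\* \)\s+\[(\w+)\]\s+(\S+)")
REG_SVC_RE = re.compile(
    r"^Reg\s+HKLM\\SYSTEM\\(?:ControlSet\d+|CurrentControlSet)\\Services\\([^\\@\s]+)(.*)$")
FILE_RE = re.compile(r"[\w.\\-]+\.(?:sys|dll|dat|exe)\b", re.IGNORECASE)


def parse_gmer_log(text):
    """Walk the log section by section. Returns (hidden_services, unattributed_hooks, reg)."""
    section, hidden, unattributed, reg = None, [], [], defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "System":
            m = SSDT_RE.match(line)
            if m and HEX_ADDR_RE.fullmatch(m.group(1)):
                unattributed.append((m.group(2), m.group(1)))   # (function, address)
        elif section == "Services":
            m = SERVICE_RE.match(line)
            if m:                                                # (name, image, state)
                hidden.append((m.group(3), m.group(1), m.group(2)))
        elif section == "Registry":
            m = REG_SVC_RE.match(line)
            if m:                                                # key name -> value text
                reg[m.group(1)].append(m.group(2))
    return hidden, unattributed, reg


def name_prefix(service_name):
    """Leading capitalised run before the random suffix ('SKYNET' in 'SKYNETfuvnwyvr').
    Assumption tied to the naming seen in this log; other families name things differently."""
    m = re.match(r"[A-Z]+", service_name)
    return m.group(0) if m else service_name


def triage(text):
    """Correlate each hidden service with every registry file artifact sharing its prefix."""
    hidden, unattributed, reg = parse_gmer_log(text)
    findings = {"hidden_services": [], "unattributed_ssdt_hooks": sorted(unattributed)}
    for name, image, state in hidden:
        prefix = name_prefix(name)
        artifacts = {image.rsplit("\\", 1)[-1]}
        for key, values in reg.items():
            if key.startswith(prefix):
                for value in values:
                    artifacts.update(f.rsplit("\\", 1)[-1] for f in FILE_RE.findall(value))
        findings["hidden_services"].append(
            {"service": name, "state": state, "prefix": prefix, "artifacts": sorted(artifacts)})
    return findings


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for svc in result["hidden_services"]:
        print(f"hidden service {svc['service']} [{svc['state']}] prefix={svc['prefix']}")
        print("  artifacts to hand to the removal team:", ", ".join(svc["artifacts"]))
    # Unattributed hooks are leads, not proof: some security products also hook the
    # SSDT from code GMER cannot map to a module. Hooks owned by a named module
    # (PCTCore.sys; spug.sys, which with the sptd registry entries points to the
    # SPTD disc-emulation driver) are not flagged at all.
    for func, addr in result["unattributed_ssdt_hooks"]:
        print(f"SSDT hook on {func} from unattributed address {addr}")
```

Run against a full GMER log the script walks the same three sections; the "<-- ROOTKIT" marker GMER prints is its own verdict and is not needed for the service to be flagged here.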


#5 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,804 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 23 October 2009 - 08:46 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/264595/tdss-rootkit-variant/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, up to two weeks perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



