Clamwin detections possibly suspect


28 replies to this topic

#1 pasha19


Posted 14 December 2009 - 12:33 PM

This may become a common complaint today. Many AV products do not confirm these findings (avast, malwarebytes, superanti-spyware, spybot, a2, AD-Aware, ESET ONLINE SCANNER); virustotal confirms the results ONLY from clamwin (clamav) and a virus scanner that is apparently no longer available for home use. Scans started in the very early morning hours and virustotal was checked before 6AM; some are just finishing now, but the c:\ drive was generally clean on all but clamwin.

XP2 seems to have a shorter list; I am running XP3 on two machines and the results were very similar. I also got little confirmation from a variety of sources, as noted, including virustotal.

This machine seldom if ever ventures onto the internet except to update malware signatures or upgrade software. (This is the second pass on a slow machine, aborted after the C:\ drive was complete.)




Scan Started Mon Dec 14 04:03:45 2009
-------------------------------------------------------------------------------

C:\hiberfil.sys: Permission denied
C:\WINDOWS\system32\config\default: Permission denied
C:\WINDOWS\system32\config\SAM: Permission denied
C:\WINDOWS\system32\config\SECURITY: Permission denied
C:\WINDOWS\system32\config\software: Permission denied
C:\WINDOWS\system32\config\system: Permission denied

Scanning aborted...

C:\Documents and Settings\All Users\Application Data\CFBD8779-FAAB-4357-84F2-1EC8619FADA6\Ad-AwareInstallation.res: Adware.Toolbar.Gameztar-1 FOUND
C:\Program Files\Lavasoft\Ad-Aware\Download Guard for Internet Explorer.exe: Adware.Toolbar.Gameztar-1 FOUND
C:\WINDOWS\Driver Cache\i386\driver.cab: Trojan.Rootkit-1837 FOUND
C:\WINDOWS\Driver Cache\i386\sp3.cab: Trojan.Rootkit-1835 FOUND
C:\WINDOWS\ServicePackFiles\i386\atapi.sys: Trojan.Rootkit-1835 FOUND
C:\WINDOWS\ServicePackFiles\i386\sp3.cab: Trojan.Rootkit-1835 FOUND
C:\WINDOWS\system32\drivers\atapi.sys: Trojan.Rootkit-1835 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 670315
Engine version: 0.95.3
Scanned directories: 3254
Scanned files: 30001
Infected files: 7
Data scanned: 11812.87 MB



I have a second more general use machine -- very similar results -- these resulted from clamwin updates around midnight.



#2 rigel


Posted 14 December 2009 - 08:02 PM

Hi pasha19 and welcome to BC!

I have some bad news for you. You are infected by a nasty rootkit. C:\WINDOWS\ServicePackFiles\i386\atapi.sys: Trojan.Rootkit-1835 FOUND << That line is one of its symptoms. The tools used in this part of the forums cannot clean your infection. You have two options: 1) A reformat of your computer. This is a sure method of making sure everything is cleaned. 2) You can post a DDS log in the HJT forum. The techs there use advanced tools to clean the infection. The problem is you are looking at around two weeks for a tech to help you.

Let me know what you decide.

Thanks,
rigel


PS: please change all on-line passwords from a known clean computer. Rootkits are designed to hide and steal information.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#3 pasha19


Posted 14 December 2009 - 10:00 PM

Thanks for the answer. I was suspicious of the reports and reluctant to do something rash, but I am no longer, and I will proceed as you indicate. One question: in the case of a multiple-drive machine, is this confined to the system drive, or will all drives need to be formatted? Is there somewhere I can learn what this rootkit may do, so I can decide whether reformatting or waiting is the best alternative? In terms of backing up files from a drive with a system partition, what is the best option for the non-system partitions (all partitions are hard partitions -- no soft partitioning software)? And how easily does this propagate from machine to machine?


While I am awaiting your answer, and because I have jury duty for at least one day tomorrow (probably no more than 4), I am going to post the logs, and if I decide to reformat I will notify them on that link of my decision. If I am not using these machines they will be powered off, and I will minimize network activity by disconnecting them except for the few times I really need access -- like to check for answers from your site.

Thanks again for the news -- knowing is better than not knowing.

Are there any router changes (port blocking, etc.) I can make to isolate this rootkit in the short term or to prevent its return? Would an active Comixwall firewall block/slow the return of this or isolate it for the time being?

Your password change is an issue I may need to address from the library. However, I store few if any passwords on the machine and have not done online banking or other financial transactions lately, so if I continue not to do those until this is fixed it would be a good thing.

One other question: one of these machines is an HP machine and the recovery partition is on the drive that has the rootkit; does this limit my options? I have a copy of the CDs from HP that I restored once to the recovery partition of this drive, and a backup that was made from them.

If I convert Machine 2 to OpenBSD with Subversion and Samba, would it be less prone to attacks like this? Those are the only apps that machine exists to run today.

Thanks again for looking at this.

Edited by pasha19, 14 December 2009 - 11:26 PM.


#4 Elise


Posted 15 December 2009 - 07:36 AM

hi pasha19 :thumbsup:

First of all, I would like to confirm this infection with a rootkit scan.

GMER
-------
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 gmassott


Posted 15 December 2009 - 09:08 AM


Hello:

First time user/poster here. I followed the instructions above, and below are the results. Any thoughts? Is there a GMER tool to remove any infected files?

Thank you in advance.

Greg



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-15 08:59:49
Windows 5.1.2600 Service Pack 3
Running: 2i0dyy0k.exe; Driver: C:\DOCUME~1\gmassott\LOCALS~1\Temp\pwddapog.sys


---- Kernel code sections - GMER 1.0.15 ----

.text atapi.sys!ZwSetSystemPowerState + FFE6FCD1 F74823DC 2 Bytes [B0, D4] {MOV AL, 0xd4}
.text atapi.sys!ZwSetSystemPowerState + FFE6FD12 F748241D 2 Bytes [84, D4] {TEST AH, DL}
.text atapi.sys!ZwSetSystemPowerState + FFE6FD2C F7482437 2 Bytes [9C, D4]
.text atapi.sys!ZwSetSystemPowerState + FFE6FD74 F748247F 2 Bytes [C8, DF]
.text atapi.sys!ZwSetSystemPowerState + FFE6FD8B F7482496 2 Bytes [84, D4] {TEST AH, DL}
.text ...

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[ntoskrnl.exe!RtlInitUnicodeString] A5F35918
IAT atapi.sys[ntoskrnl.exe!swprintf] 0202C766
IAT atapi.sys[ntoskrnl.exe!KeSetEvent] 00388300
IAT atapi.sys[ntoskrnl.exe!IoCreateSymbolicLink] 000080B9
IAT atapi.sys[ntoskrnl.exe!IoGetConfigurationInformation] 047A8D00
IAT atapi.sys[ntoskrnl.exe!IoDeleteSymbolicLink] 0242C766
IAT atapi.sys[ntoskrnl.exe!MmFreeMappingAddress] 0C740200
IAT atapi.sys[ntoskrnl.exe!IoFreeErrorLogEntry] A5F3308B
IAT atapi.sys[ntoskrnl.exe!IoDisconnectInterrupt] 0204C281
IAT atapi.sys[ntoskrnl.exe!MmUnmapIoSpace] 1EEB0000
IAT atapi.sys[ntoskrnl.exe!ObReferenceObjectByPointer] ABF3C033
IAT atapi.sys[ntoskrnl.exe!IofCompleteRequest] 02428B66
IAT atapi.sys[ntoskrnl.exe!RtlCompareUnicodeString] 00043D66
IAT atapi.sys[ntoskrnl.exe!IofCallDriver] B70F0876
IAT atapi.sys[ntoskrnl.exe!MmAllocateMappingAddress] 04C083C0
IAT atapi.sys[ntoskrnl.exe!IoAllocateErrorLogEntry] 086A03EB
IAT atapi.sys[ntoskrnl.exe!IoConnectInterrupt] 8BD00358
IAT atapi.sys[ntoskrnl.exe!IoDetachDevice] C7661045
IAT atapi.sys[ntoskrnl.exe!KeWaitForSingleObject] 83000202
IAT atapi.sys[ntoskrnl.exe!KeInitializeEvent] B9000478
IAT atapi.sys[ntoskrnl.exe!RtlAnsiStringToUnicodeString] 00000080
IAT atapi.sys[ntoskrnl.exe!RtlInitAnsiString] 66047A8D
IAT atapi.sys[ntoskrnl.exe!IoBuildDeviceIoControlRequest] 000242C7
IAT atapi.sys[ntoskrnl.exe!IoQueueWorkItem] 8B077402
IAT atapi.sys[ntoskrnl.exe!MmMapIoSpace] A5F30470
IAT atapi.sys[ntoskrnl.exe!IoInvalidateDeviceRelations] C03304EB
IAT atapi.sys[ntoskrnl.exe!IoReportDetectedDevice] 458BABF3
IAT atapi.sys[ntoskrnl.exe!IoReportResourceForDetection] 0C70FF08
IAT atapi.sys[ntoskrnl.exe!RtlxAnsiStringToUnicodeSize] D55815FF
IAT atapi.sys[ntoskrnl.exe!NlsMbCodePageTag] 4589F748
IAT atapi.sys[ntoskrnl.exe!PoRequestPowerIrp] 40BE0F08
IAT atapi.sys[ntoskrnl.exe!KeInsertByKeyDeviceQueue] 50006A30
IAT atapi.sys[ntoskrnl.exe!PoRegisterDeviceForIdleDetection] D63815FF
IAT atapi.sys[ntoskrnl.exe!sprintf] F08BF748
IAT atapi.sys[ntoskrnl.exe!MmMapLockedPagesSpecifyCache] 03BFF685
IAT atapi.sys[ntoskrnl.exe!ObfDereferenceObject] 75000001
IAT atapi.sys[ntoskrnl.exe!IoGetAttachedDeviceReference] 1045C709
IAT atapi.sys[ntoskrnl.exe!IoInvalidateDeviceState] C000009A
IAT atapi.sys[ntoskrnl.exe!ZwClose] 468B58EB
IAT atapi.sys[ntoskrnl.exe!ObReferenceObjectByHandle] 0C5E8960
IAT atapi.sys[ntoskrnl.exe!ZwCreateDirectoryObject] 500846C7
IAT atapi.sys[ntoskrnl.exe!IoBuildSynchronousFsdRequest] C7000000
IAT atapi.sys[ntoskrnl.exe!PoStartNextPowerIrp] 00BB1846
IAT atapi.sys[ntoskrnl.exe!PoCallDriver] 6083C000
IAT atapi.sys[ntoskrnl.exe!IoCreateDevice] E88300E0
IAT atapi.sys[ntoskrnl.exe!IoAllocateDriverObjectExtension] 0E00C624
IAT atapi.sys[ntoskrnl.exe!RtlQueryRegistryValues] 440840C7
IAT atapi.sys[ntoskrnl.exe!ZwOpenKey] C7000004
IAT atapi.sys[ntoskrnl.exe!RtlFreeUnicodeString] C0000C40
IAT atapi.sys[ntoskrnl.exe!IoStartTimer] 468B0032
IAT atapi.sys[ntoskrnl.exe!KeInitializeTimer] 3C668360
IAT atapi.sys[ntoskrnl.exe!IoInitializeTimer] 24E88300
IAT atapi.sys[ntoskrnl.exe!KeInitializeDpc] 04448B8D
IAT atapi.sys[ntoskrnl.exe!KeInitializeSpinLock] 48890000
IAT atapi.sys[ntoskrnl.exe!IoInitializeIrp] 084D8B20
IAT atapi.sys[ntoskrnl.exe!ZwCreateKey] 40C7D68B
IAT atapi.sys[ntoskrnl.exe!RtlAppendUnicodeStringToString] 48CF821C
IAT atapi.sys[ntoskrnl.exe!RtlIntegerToUnicodeString] 0340C6F7
IAT atapi.sys[ntoskrnl.exe!ZwSetValueKey] F815FFE0
IAT atapi.sys[ntoskrnl.exe!KeInsertQueueDpc] 89F748D4
IAT atapi.sys[ntoskrnl.exe!KefAcquireSpinLockAtDpcLevel] 4D8B107D
IAT atapi.sys[ntoskrnl.exe!IoStartPacket] 5415FF08
IAT atapi.sys[ntoskrnl.exe!KefReleaseSpinLockFromDpcLevel] 83F748D5
IAT atapi.sys[ntoskrnl.exe!IoBuildAsynchronousFsdRequest] 7D00107D
IAT atapi.sys[ntoskrnl.exe!IoFreeMdl] 107D3919
IAT atapi.sys[ntoskrnl.exe!MmUnlockPages] F6851474
IAT atapi.sys[ntoskrnl.exe!IoWriteErrorLogEntry] FF560774
IAT atapi.sys[ntoskrnl.exe!KeRemoveByKeyDeviceQueue] 48D65415
IAT atapi.sys[ntoskrnl.exe!MmMapLockedPagesWithReservedMapping] 53006AF7
IAT atapi.sys[ntoskrnl.exe!MmUnmapReservedMapping] D65015FF
IAT atapi.sys[ntoskrnl.exe!KeSynchronizeExecution] 5E5FF748
IAT atapi.sys[ntoskrnl.exe!IoStartNextPacket] 5B10458B
IAT atapi.sys[ntoskrnl.exe!KeBugCheckEx] 0014C25D
IAT atapi.sys[ntoskrnl.exe!KeRemoveDeviceQueue] 85120A37
IAT atapi.sys[ntoskrnl.exe!KeSetTimer] 19BF298C
IAT atapi.sys[ntoskrnl.exe!KeCancelTimer] 09D861EC
IAT atapi.sys[ntoskrnl.exe!_allmul] E92240CC
IAT atapi.sys[ntoskrnl.exe!MmProbeAndLockPages] 3971D85F
IAT atapi.sys[ntoskrnl.exe!_except_handler3] 7A82BFD9
IAT atapi.sys[ntoskrnl.exe!PoSetPowerState] [806F06E0] \WINDOWS\system32\hal.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!IoOpenDeviceRegistryKey] [806F68B8] \WINDOWS\system32\hal.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!RtlWriteRegistryValue] [806F02E8] \WINDOWS\system32\hal.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!_aulldiv] [806F0278] \WINDOWS\system32\hal.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!strstr] [806F02D0] \WINDOWS\system32\hal.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!_strupr] [806F4C78] \WINDOWS\system32\hal.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!KeQuerySystemTime] [806F4D44] \WINDOWS\system32\hal.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!IoWMIRegistrationControl] [806F575E] \WINDOWS\system32\hal.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!KeTickCount] [806F0720] \WINDOWS\system32\hal.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [806F68F0] \WINDOWS\system32\hal.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!IoDeleteDevice] [806F68C4] \WINDOWS\system32\hal.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!ExAllocatePoolWithTag] [806F6968] \WINDOWS\system32\hal.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!IoAllocateWorkItem] [806F6920] \WINDOWS\system32\hal.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!IoAllocateIrp] 00000000
IAT atapi.sys[ntoskrnl.exe!IoAllocateMdl] [F79895C8] \WINDOWS\system32\DRIVERS\WMILIB.SYS (WMILIB WMI support library Dll/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!MmBuildMdlForNonPagedPool] [F7989300] \WINDOWS\system32\DRIVERS\WMILIB.SYS (WMILIB WMI support library Dll/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!MmLockPagableDataSection] 00000000
IAT atapi.sys[ntoskrnl.exe!IoGetDriverObjectExtension] [804D92A7] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!MmUnlockPagableImageSection] [804F0970] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!ExFreePoolWithTag] [804E3996] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!IoFreeIrp] [805A9C9B] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!IoFreeWorkItem] [805AA02D] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!InitSafeBootMode] [805C5BA9] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!RtlCompareMemory] [80624749] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!RtlCopyUnicodeString] [8052E14B] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!memmove] [805C8430] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!MmHighestUserAddress] [80508F24] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT atapi.sys[HAL.dll!KfAcquireSpinLock] 89000004
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] 144D8B08
IAT atapi.sys[HAL.dll!KeGetCurrentIrql] 8B044889
IAT atapi.sys[HAL.dll!KfRaiseIrql] 4889184D
IAT atapi.sys[HAL.dll!KfLowerIrql] 10458B08
IAT atapi.sys[HAL.dll!HalGetInterruptVector] 654103C7
IAT atapi.sys[HAL.dll!HalTranslateBusAddress] 43C74369
IAT atapi.sys[HAL.dll!KeStallExecutionProcessor] 54535F04
IAT atapi.sys[HAL.dll!KfReleaseSpinLock] 0843C74D
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] 00000444
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] 030C43C7
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] 8D000000
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] C7661053
IAT atapi.sys[WMILIB.SYS!WmiSystemControl] 140242C7
IAT atapi.sys[WMILIB.SYS!WmiCompleteRequest] 8D056A00
IAT \SystemRoot\system32\DRIVERS\asyncmac.sys[NDIS.SYS!NdisMRegisterMiniport] [B11D923E] \??\C:\Program Files\Trend Micro\OfficeScan Client\tm_cfw.sys (Trend Micro Common Firewall Module 1.2/Trend Micro Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)
AttachedDevice \FileSystem\Fastfat \Fat TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)

---- EOF - GMER 1.0.15 ----

#6 Elise


Posted 15 December 2009 - 09:24 AM

gmassott, please start your own topic. You are hijacking another user's topic; this is considered rude by forum policy.

regards, Elise




#7 gmassott


Posted 15 December 2009 - 09:50 AM




I apologize, I'm new to this and I thought that I was simply adding on to this topic as I appear to have the same problem. How do I start a new topic?

Greg

#8 Elise


Posted 15 December 2009 - 09:57 AM

No problem :thumbsup:

You can create a new topic by clicking the New Topic button in the forum where you want to start it.

Or, to start a new topic in the Am I Infected forum, click here

regards, Elise




#9 gmassott


Posted 15 December 2009 - 10:03 AM

Thank you. I have posted my own topic here:

http://www.bleepingcomputer.com/forums/t/279007/do-have-rootkit-issues/

#10 pasha19


Posted 15 December 2009 - 04:11 PM

Elise I just got back from Jury duty and I am proceeding as requested. I have jury duty one more day on Thursday. Results will be posted soon.

#11 pasha19


Posted 15 December 2009 - 10:17 PM

The logs from each machine. Machine 1 seems to have a new symptom -- it loops at 100% CPU on shutdown -- and the only way to reboot appears to be the power-off button. There were no rootkit messages for either machine, and only the c:\ drive was scanned, as your instructions did not indicate any others; both machines have multiple fixed partitions per drive, and machine 2 has multiple drive units.

MACHINE 1

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-15 21:59:42
Windows 5.1.2600 Service Pack 3
Running: b5c5pe8y.exe; Driver: T:\Temp\axtyipog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF1D0E6B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xF1D0E574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xF1D0EA52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF1D0E14C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xF1D0E64E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF1D0E08C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF1D0E0F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xF1D0E76E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF1D0E72E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xF1D0E8AE]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2CC8 80504564 4 Bytes JMP 924AF1D0
.text ntkrnlpa.exe!ZwCallbackReturn + 2FA0 8050483C 4 Bytes CALL 41453A11

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\a-squared Free\a2service.exe[1900] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 0045495D C:\Program Files\a-squared Free\a2service.exe (a-squared Service/Emsi Software GmbH)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[820] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[820] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 62: copy of MBR

---- EOF - GMER 1.0.15 ----





MACHINE2

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-15 20:01:36
Windows 5.1.2600 Service Pack 3
Running: 9mpj39rg.exe; Driver: T:\dshuman\Temp\pwdyipob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF10E56B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xF10E5574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xF10E5A52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF10E514C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xF10E564E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF10E508C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF10E50F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xF10E576E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF10E572E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xF10E58AE]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\a-squared Free\a2service.exe[1756] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 0045495D C:\Program Files\a-squared Free\a2service.exe (a-squared Service/Emsi Software GmbH)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[540] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[540] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.15 ----

#12 Elise


Posted 16 December 2009 - 04:30 AM

Do you experience any redirects while browsing the internet on those machines?

regards, Elise




#13 pasha19


Posted 16 December 2009 - 05:16 AM

The machine seems to loop tightly at times, locking me out; it also seems to be communicating with the internet during those lockouts. However, in general my browsers seem to be working correctly, excluding the occasional ability to return a window, when a refresh generally solves the issue. Could Spybot's immunization or Spywareblaster be affecting what you expect I may be observing in the redirects? After completing the steps for you last night, the machine did successfully shut down on its own.

#14 Elise


Posted 16 December 2009 - 05:54 AM

First of all, from what I see in your GMER log, the ClamWin detection of atapi.sys seems a false positive to me.

However, I want to confirm I have understood your post correctly and you are NOT having redirects (for example, when you click a google search result, you don't get to another site than the one you click on).

Spybot/spywareblaster can cause a bad site not to load and give a blank page instead, but no bad redirects.

Can you please show me a VirusTotal report of atapi.sys on your system (please rescan if you didn't save the log from earlier VirusTotal scans)?

regards, Elise


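As an added example (not code from the thread, from GMER, or from any poster), the Python below parses the GMER log format shown in posts #5 and #11 and separates IAT entries that resolve to a named module path from bare values GMER could not attribute to any loaded module, the pattern that fills the atapi.sys IAT section in post #5 and is absent from pasha19's logs. Both log excerpts are constructed for the example, and treating an unresolved entry as a lead to investigate rather than a verdict is the assumption it encodes.

```python
import re
from collections import Counter, defaultdict

# Constructed excerpt in the GMER 1.0.15 log format seen in this thread (not a real
# capture). The IAT section mixes entries that resolve to a module path in brackets
# with bare 8-hex-digit values GMER could not attribute to any loaded module.
SUSPECT_LOG = r"""GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-15 08:59:49

---- Kernel code sections - GMER 1.0.15 ----

.text atapi.sys!ZwSetSystemPowerState + FFE6FCD1 F74823DC 2 Bytes [B0, D4] {MOV AL, 0xd4}

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[ntoskrnl.exe!RtlInitUnicodeString] A5F35918
IAT atapi.sys[ntoskrnl.exe!swprintf] 0202C766
IAT atapi.sys[ntoskrnl.exe!IoAllocateIrp] 00000000
IAT atapi.sys[ntoskrnl.exe!ExFreePoolWithTag] [804E3996] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] 144D8B08
IAT \SystemRoot\system32\DRIVERS\asyncmac.sys[NDIS.SYS!NdisMRegisterMiniport] [B11D923E] \??\C:\Program Files\Trend Micro\OfficeScan Client\tm_cfw.sys (Trend Micro Common Firewall Module 1.2/Trend Micro Inc.)

---- EOF - GMER 1.0.15 ----
"""

# Constructed excerpt shaped like the clean logs in post #11: SSDT entries owned by
# a named security driver and no Kernel IAT/EAT section at all.
CLEAN_LOG = r"""GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-15 21:59:42

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF1D0E6B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xF1D0E64E]

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
IAT_RE = re.compile(r"^IAT (?P<owner>[^\[\s]+)\[(?P<lib>[^!\]]+)!(?P<func>[^\]]+)\] (?P<target>.+)$")
RESOLVED_RE = re.compile(r"^\[([0-9A-Fa-f]{8})\] (.+?) \((.+)\)$")  # [addr] \path (vendor)
BARE_RE = re.compile(r"^[0-9A-Fa-f]{8}$")                           # addr GMER could not name
SSDT_RE = re.compile(r"^SSDT (\S+) \((.+?)\) (\w+) \[0x[0-9A-Fa-f]+\]$")


def parse_sections(log_text):
    """Split a GMER log into {section name: [non-blank lines]} on its '---- X - GMER n ----' headers."""
    sections = defaultdict(list)
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
        elif current and line:
            sections[current].append(line)
    return sections


def classify_iat(lines):
    """Return (resolved, unresolved) IAT entries. Unresolved means GMER printed only a
    bare value for the target instead of '[addr] \\path (vendor)'; 00000000 is ignored."""
    resolved, unresolved = [], []
    for line in lines:
        m = IAT_RE.match(line)
        if not m:
            continue
        entry = {"owner": m["owner"], "lib": m["lib"], "func": m["func"]}
        hit = RESOLVED_RE.match(m["target"])
        if hit:
            entry.update(addr=hit.group(1), module=hit.group(2))
            resolved.append(entry)
        elif BARE_RE.match(m["target"]) and m["target"] != "00000000":
            entry["addr"] = m["target"]
            unresolved.append(entry)
    return resolved, unresolved


def summarize(log_text):
    """Triage one GMER log: who hooks the SSDT, how many kernel .text patches GMER
    saw, and which drivers have import targets GMER could not name. An unresolved
    IAT entry is a lead to investigate, not a verdict."""
    sections = parse_sections(log_text)
    resolved, unresolved = classify_iat(sections.get("Kernel IAT/EAT", []))
    ssdt = Counter(m.group(1) for m in map(SSDT_RE.match, sections.get("System", [])) if m)
    return {
        "ssdt_hooks": dict(ssdt),
        "code_patches": sum(1 for l in sections.get("Kernel code sections", []) if l.startswith(".text")),
        "resolved_iat": len(resolved),
        "unresolved_iat": len(unresolved),
        "drivers_with_unresolved_iat": dict(Counter(e["owner"] for e in unresolved)),
    }


if __name__ == "__main__":
    for name, log in (("suspect", SUSPECT_LOG), ("clean", CLEAN_LOG)):
        print(name, summarize(log))
```

A clean machine comes back with zero unresolved entries and its SSDT hooks attributed to the installed security product, which is the shape of pasha19's logs above; a second opinion such as the VirusTotal report still belongs in the workup.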


#15 pasha19


Posted 16 December 2009 - 06:29 AM

I had just rescanned this with JOTTI and no scanner detected anything.


The following is the virustotal report you requested.

File atapi.sys received on 2009.12.16 11:25:52 (UTC)
Current status: finished
Result: 1/40 (2.5%)
Antivirus Version Last Update Result
a-squared 4.5.0.43 2009.12.16 -
AhnLab-V3 5.0.0.2 2009.12.16 -
AntiVir 7.9.1.108 2009.12.16 -
Antiy-AVL 2.0.3.7 2009.12.16 -
Authentium 5.2.0.5 2009.12.02 -
Avast 4.8.1351.0 2009.12.15 -
AVG 8.5.0.427 2009.12.16 -
BitDefender 7.2 2009.12.16 -
CAT-QuickHeal 10.00 2009.12.16 -
ClamAV 0.94.1 2009.12.16 -
Comodo 3262 2009.12.16 -
DrWeb 5.0.0.12182 2009.12.16 -
eSafe 7.0.17.0 2009.12.16 Win32.Rootkit
eTrust-Vet 35.1.7178 2009.12.16 -
F-Prot 4.5.1.85 2009.12.15 -
F-Secure 9.0.15370.0 2009.12.16 -
Fortinet 4.0.14.0 2009.12.16 -
GData 19 2009.12.16 -
Ikarus T3.1.1.78.0 2009.12.16 -
K7AntiVirus 7.10.920 2009.12.14 -
Kaspersky 7.0.0.125 2009.12.16 -
McAfee 5833 2009.12.15 -
McAfee+Artemis 5833 2009.12.15 -
McAfee-GW-Edition 6.8.5 2009.12.16 -
Microsoft 1.5302 2009.12.16 -
NOD32 4692 2009.12.16 -
Norman 6.04.03 2009.12.15 -
nProtect 2009.1.8.0 2009.12.16 -
Panda 10.0.2.2 2009.12.15 -
PCTools 7.0.3.5 2009.12.16 -
Prevx 3.0 2009.12.16 -
Rising 22.26.02.04 2009.12.16 -
Sophos 4.48.0 2009.12.16 -
Sunbelt 3.2.1858.2 2009.12.16 -
Symantec 1.4.4.12 2009.12.16 -
TheHacker 6.5.0.2.094 2009.12.15 -
TrendMicro 9.100.0.1001 2009.12.16 -
VBA32 3.12.12.0 2009.12.16 -
ViRobot 2009.12.16.2092 2009.12.16 -
VirusBuster 5.0.21.0 2009.12.14 -
Additional information
File size: 96512 bytes
MD5...: 9f3a2f5aa6875c72bf062c712cfa2674
SHA1..: a719156e8ad67456556a02c34e762944234e7a44
SHA256: b4df1d2c56a593c6b54de57395e3b51d288f547842893b32b0f59228a0cf70b9
ssdeep: 1536:MwXpkfV74F1D7yNEZIHRRJMohmus27G1j/XBoDQi7oaRMJfYHFktprll1KbDD0uu:MQ+N74vkEZIxMohjsimBoDTRMBwFktZu
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x159f7
timedatestamp.....: 0x4802539d (Sun Apr 13 18:40:29 2008)
machinetype.......: 0x14c (I386)

( 9 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x380 0x97ba 0x9800 6.45 0d7d81391f33c6450a81be1e3ac8c7b7
NONPAGE 0x9b80 0x18e8 0x1900 6.48 c74a833abd81cc5d037de168e055ad29
.rdata 0xb480 0xa64 0xa80 4.31 8523651899e28819a14bf9415af25708
.data 0xbf00 0xd94 0xe00 0.45 3575b51634ae7a56f55f1ee0a6213834
PAGESCAN 0xcd00 0x157f 0x1580 6.20 dc4c309c4db9576daa752fdd125fccf9
PAGE 0xe280 0x61da 0x6200 6.46 40b83d4d552384e58a03517a98eb4863
INIT 0x14480 0x22be 0x2300 6.47 906462abc478368424ea462d5868d2e3
.rsrc 0x16780 0x3e0 0x400 3.36 8fd2d82e745b289c28bc056d3a0d62ab
.reloc 0x16b80 0xd20 0xd80 6.39 ce2b0898cc0e40b618e5df9099f6be45

( 3 imports )
> ntoskrnl.exe: RtlInitUnicodeString, swprintf, KeSetEvent, IoCreateSymbolicLink, IoGetConfigurationInformation, IoDeleteSymbolicLink, MmFreeMappingAddress, IoFreeErrorLogEntry, IoDisconnectInterrupt, MmUnmapIoSpace, ObReferenceObjectByPointer, IofCompleteRequest, RtlCompareUnicodeString, IofCallDriver, MmAllocateMappingAddress, IoAllocateErrorLogEntry, IoConnectInterrupt, IoDetachDevice, KeWaitForSingleObject, KeInitializeEvent, KeCancelTimer, RtlAnsiStringToUnicodeString, RtlInitAnsiString, IoBuildDeviceIoControlRequest, IoQueueWorkItem, MmMapIoSpace, IoInvalidateDeviceRelations, IoReportDetectedDevice, IoReportResourceForDetection, RtlxAnsiStringToUnicodeSize, NlsMbCodePageTag, PoRequestPowerIrp, KeInsertByKeyDeviceQueue, PoRegisterDeviceForIdleDetection, sprintf, MmMapLockedPagesSpecifyCache, ObfDereferenceObject, IoGetAttachedDeviceReference, IoInvalidateDeviceState, ZwClose, ObReferenceObjectByHandle, ZwCreateDirectoryObject, IoBuildSynchronousFsdRequest, PoStartNextPowerIrp, IoCreateDevice, RtlCopyUnicodeString, IoAllocateDriverObjectExtension, RtlQueryRegistryValues, ZwOpenKey, RtlFreeUnicodeString, IoStartTimer, KeInitializeTimer, IoInitializeTimer, KeInitializeDpc, KeInitializeSpinLock, IoInitializeIrp, ZwCreateKey, RtlAppendUnicodeStringToString, RtlIntegerToUnicodeString, ZwSetValueKey, KeInsertQueueDpc, KefAcquireSpinLockAtDpcLevel, IoStartPacket, KefReleaseSpinLockFromDpcLevel, IoBuildAsynchronousFsdRequest, IoFreeMdl, MmUnlockPages, IoWriteErrorLogEntry, KeRemoveByKeyDeviceQueue, MmMapLockedPagesWithReservedMapping, MmUnmapReservedMapping, KeSynchronizeExecution, IoStartNextPacket, KeBugCheckEx, KeRemoveDeviceQueue, KeSetTimer, _allmul, MmProbeAndLockPages, _except_handler3, PoSetPowerState, IoOpenDeviceRegistryKey, RtlWriteRegistryValue, RtlDeleteRegistryValue, _aulldiv, strstr, _strupr, KeQuerySystemTime, IoWMIRegistrationControl, KeTickCount, IoAttachDeviceToDeviceStack, IoDeleteDevice, ExAllocatePoolWithTag, IoAllocateWorkItem, IoAllocateIrp, 
IoAllocateMdl, MmBuildMdlForNonPagedPool, MmLockPagableDataSection, IoGetDriverObjectExtension, MmUnlockPagableImageSection, ExFreePoolWithTag, IoFreeIrp, IoFreeWorkItem, InitSafeBootMode, RtlCompareMemory, PoCallDriver, memmove, MmHighestUserAddress
> HAL.dll: KfAcquireSpinLock, READ_PORT_UCHAR, KeGetCurrentIrql, KfRaiseIrql, KfLowerIrql, HalGetInterruptVector, HalTranslateBusAddress, KeStallExecutionProcessor, KfReleaseSpinLock, READ_PORT_BUFFER_USHORT, READ_PORT_USHORT, WRITE_PORT_BUFFER_USHORT, WRITE_PORT_UCHAR
> WMILIB.SYS: WmiSystemControl, WmiCompleteRequest

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: IDE/ATAPI Port Driver
original name: atapi.sys
internal name: atapi.sys
file version.: 5.1.2600.5512 (xpsp.080413-2108)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
packers (Kaspersky): PE_Patch

Edited by pasha19, 16 December 2009 - 06:48 AM.


