
Do I have Rootkit issues?



#1 gmassott

Posted 15 December 2009 - 10:00 AM

Hello:

First time user/poster here. I followed the instructions below, and have pasted the results. Any thoughts? Is there a GMER tool to remove any infected files?

Thank you in advance for any help that you can offer.

Greg



QUOTE(elise025 @ Dec 15 2009, 07:36 AM)
hi pasha19

First of all, I would like to confirm this infection with a rootkit scan.

GMER
-------
Please download GMER from one of the following locations and save it to your desktop:

* Main Mirror
This version will download a randomly named file (Recommended)
* Zipped Mirror
This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

* Disconnect from the Internet and close all running programs.
* Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
* Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
* Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


* GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
* If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
* Now click the Scan button. If you see a rootkit warning window, click OK.
* When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
* Click the Copy button and paste the results into your next reply.
* Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode.



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-15 08:59:49
Windows 5.1.2600 Service Pack 3
Running: 2i0dyy0k.exe; Driver: C:\DOCUME~1\gmassott\LOCALS~1\Temp\pwddapog.sys


---- Kernel code sections - GMER 1.0.15 ----

.text atapi.sys!ZwSetSystemPowerState + FFE6FCD1 F74823DC 2 Bytes [B0, D4] {MOV AL, 0xd4}
.text atapi.sys!ZwSetSystemPowerState + FFE6FD12 F748241D 2 Bytes [84, D4] {TEST AH, DL}
.text atapi.sys!ZwSetSystemPowerState + FFE6FD2C F7482437 2 Bytes [9C, D4]
.text atapi.sys!ZwSetSystemPowerState + FFE6FD74 F748247F 2 Bytes [C8, DF]
.text atapi.sys!ZwSetSystemPowerState + FFE6FD8B F7482496 2 Bytes [84, D4] {TEST AH, DL}
.text ...

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[ntoskrnl.exe!RtlInitUnicodeString] A5F35918
IAT atapi.sys[ntoskrnl.exe!swprintf] 0202C766
IAT atapi.sys[ntoskrnl.exe!KeSetEvent] 00388300
IAT atapi.sys[ntoskrnl.exe!IoCreateSymbolicLink] 000080B9
IAT atapi.sys[ntoskrnl.exe!IoGetConfigurationInformation] 047A8D00
IAT atapi.sys[ntoskrnl.exe!IoDeleteSymbolicLink] 0242C766
IAT atapi.sys[ntoskrnl.exe!MmFreeMappingAddress] 0C740200
IAT atapi.sys[ntoskrnl.exe!IoFreeErrorLogEntry] A5F3308B
IAT atapi.sys[ntoskrnl.exe!IoDisconnectInterrupt] 0204C281
IAT atapi.sys[ntoskrnl.exe!MmUnmapIoSpace] 1EEB0000
IAT atapi.sys[ntoskrnl.exe!ObReferenceObjectByPointer] ABF3C033
IAT atapi.sys[ntoskrnl.exe!IofCompleteRequest] 02428B66
IAT atapi.sys[ntoskrnl.exe!RtlCompareUnicodeString] 00043D66
IAT atapi.sys[ntoskrnl.exe!IofCallDriver] B70F0876
IAT atapi.sys[ntoskrnl.exe!MmAllocateMappingAddress] 04C083C0
IAT atapi.sys[ntoskrnl.exe!IoAllocateErrorLogEntry] 086A03EB
IAT atapi.sys[ntoskrnl.exe!IoConnectInterrupt] 8BD00358
IAT atapi.sys[ntoskrnl.exe!IoDetachDevice] C7661045
IAT atapi.sys[ntoskrnl.exe!KeWaitForSingleObject] 83000202
IAT atapi.sys[ntoskrnl.exe!KeInitializeEvent] B9000478
IAT atapi.sys[ntoskrnl.exe!RtlAnsiStringToUnicodeString] 00000080
IAT atapi.sys[ntoskrnl.exe!RtlInitAnsiString] 66047A8D
IAT atapi.sys[ntoskrnl.exe!IoBuildDeviceIoControlRequest] 000242C7
IAT atapi.sys[ntoskrnl.exe!IoQueueWorkItem] 8B077402
IAT atapi.sys[ntoskrnl.exe!MmMapIoSpace] A5F30470
IAT atapi.sys[ntoskrnl.exe!IoInvalidateDeviceRelations] C03304EB
IAT atapi.sys[ntoskrnl.exe!IoReportDetectedDevice] 458BABF3
IAT atapi.sys[ntoskrnl.exe!IoReportResourceForDetection] 0C70FF08
IAT atapi.sys[ntoskrnl.exe!RtlxAnsiStringToUnicodeSize] D55815FF
IAT atapi.sys[ntoskrnl.exe!NlsMbCodePageTag] 4589F748
IAT atapi.sys[ntoskrnl.exe!PoRequestPowerIrp] 40BE0F08
IAT atapi.sys[ntoskrnl.exe!KeInsertByKeyDeviceQueue] 50006A30
IAT atapi.sys[ntoskrnl.exe!PoRegisterDeviceForIdleDetection] D63815FF
IAT atapi.sys[ntoskrnl.exe!sprintf] F08BF748
IAT atapi.sys[ntoskrnl.exe!MmMapLockedPagesSpecifyCache] 03BFF685
IAT atapi.sys[ntoskrnl.exe!ObfDereferenceObject] 75000001
IAT atapi.sys[ntoskrnl.exe!IoGetAttachedDeviceReference] 1045C709
IAT atapi.sys[ntoskrnl.exe!IoInvalidateDeviceState] C000009A
IAT atapi.sys[ntoskrnl.exe!ZwClose] 468B58EB
IAT atapi.sys[ntoskrnl.exe!ObReferenceObjectByHandle] 0C5E8960
IAT atapi.sys[ntoskrnl.exe!ZwCreateDirectoryObject] 500846C7
IAT atapi.sys[ntoskrnl.exe!IoBuildSynchronousFsdRequest] C7000000
IAT atapi.sys[ntoskrnl.exe!PoStartNextPowerIrp] 00BB1846
IAT atapi.sys[ntoskrnl.exe!PoCallDriver] 6083C000
IAT atapi.sys[ntoskrnl.exe!IoCreateDevice] E88300E0
IAT atapi.sys[ntoskrnl.exe!IoAllocateDriverObjectExtension] 0E00C624
IAT atapi.sys[ntoskrnl.exe!RtlQueryRegistryValues] 440840C7
IAT atapi.sys[ntoskrnl.exe!ZwOpenKey] C7000004
IAT atapi.sys[ntoskrnl.exe!RtlFreeUnicodeString] C0000C40
IAT atapi.sys[ntoskrnl.exe!IoStartTimer] 468B0032
IAT atapi.sys[ntoskrnl.exe!KeInitializeTimer] 3C668360
IAT atapi.sys[ntoskrnl.exe!IoInitializeTimer] 24E88300
IAT atapi.sys[ntoskrnl.exe!KeInitializeDpc] 04448B8D
IAT atapi.sys[ntoskrnl.exe!KeInitializeSpinLock] 48890000
IAT atapi.sys[ntoskrnl.exe!IoInitializeIrp] 084D8B20
IAT atapi.sys[ntoskrnl.exe!ZwCreateKey] 40C7D68B
IAT atapi.sys[ntoskrnl.exe!RtlAppendUnicodeStringToString] 48CF821C
IAT atapi.sys[ntoskrnl.exe!RtlIntegerToUnicodeString] 0340C6F7
IAT atapi.sys[ntoskrnl.exe!ZwSetValueKey] F815FFE0
IAT atapi.sys[ntoskrnl.exe!KeInsertQueueDpc] 89F748D4
IAT atapi.sys[ntoskrnl.exe!KefAcquireSpinLockAtDpcLevel] 4D8B107D
IAT atapi.sys[ntoskrnl.exe!IoStartPacket] 5415FF08
IAT atapi.sys[ntoskrnl.exe!KefReleaseSpinLockFromDpcLevel] 83F748D5
IAT atapi.sys[ntoskrnl.exe!IoBuildAsynchronousFsdRequest] 7D00107D
IAT atapi.sys[ntoskrnl.exe!IoFreeMdl] 107D3919
IAT atapi.sys[ntoskrnl.exe!MmUnlockPages] F6851474
IAT atapi.sys[ntoskrnl.exe!IoWriteErrorLogEntry] FF560774
IAT atapi.sys[ntoskrnl.exe!KeRemoveByKeyDeviceQueue] 48D65415
IAT atapi.sys[ntoskrnl.exe!MmMapLockedPagesWithReservedMapping] 53006AF7
IAT atapi.sys[ntoskrnl.exe!MmUnmapReservedMapping] D65015FF
IAT atapi.sys[ntoskrnl.exe!KeSynchronizeExecution] 5E5FF748
IAT atapi.sys[ntoskrnl.exe!IoStartNextPacket] 5B10458B
IAT atapi.sys[ntoskrnl.exe!KeBugCheckEx] 0014C25D
IAT atapi.sys[ntoskrnl.exe!KeRemoveDeviceQueue] 85120A37
IAT atapi.sys[ntoskrnl.exe!KeSetTimer] 19BF298C
IAT atapi.sys[ntoskrnl.exe!KeCancelTimer] 09D861EC
IAT atapi.sys[ntoskrnl.exe!_allmul] E92240CC
IAT atapi.sys[ntoskrnl.exe!MmProbeAndLockPages] 3971D85F
IAT atapi.sys[ntoskrnl.exe!_except_handler3] 7A82BFD9
IAT atapi.sys[ntoskrnl.exe!PoSetPowerState] [806F06E0] \WINDOWS\system32\hal.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!IoOpenDeviceRegistryKey] [806F68B8] \WINDOWS\system32\hal.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!RtlWriteRegistryValue] [806F02E8] \WINDOWS\system32\hal.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!_aulldiv] [806F0278] \WINDOWS\system32\hal.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!strstr] [806F02D0] \WINDOWS\system32\hal.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!_strupr] [806F4C78] \WINDOWS\system32\hal.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!KeQuerySystemTime] [806F4D44] \WINDOWS\system32\hal.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!IoWMIRegistrationControl] [806F575E] \WINDOWS\system32\hal.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!KeTickCount] [806F0720] \WINDOWS\system32\hal.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [806F68F0] \WINDOWS\system32\hal.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!IoDeleteDevice] [806F68C4] \WINDOWS\system32\hal.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!ExAllocatePoolWithTag] [806F6968] \WINDOWS\system32\hal.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!IoAllocateWorkItem] [806F6920] \WINDOWS\system32\hal.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!IoAllocateIrp] 00000000
IAT atapi.sys[ntoskrnl.exe!IoAllocateMdl] [F79895C8] \WINDOWS\system32\DRIVERS\WMILIB.SYS (WMILIB WMI support library Dll/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!MmBuildMdlForNonPagedPool] [F7989300] \WINDOWS\system32\DRIVERS\WMILIB.SYS (WMILIB WMI support library Dll/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!MmLockPagableDataSection] 00000000
IAT atapi.sys[ntoskrnl.exe!IoGetDriverObjectExtension] [804D92A7] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!MmUnlockPagableImageSection] [804F0970] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!ExFreePoolWithTag] [804E3996] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!IoFreeIrp] [805A9C9B] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!IoFreeWorkItem] [805AA02D] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!InitSafeBootMode] [805C5BA9] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!RtlCompareMemory] [80624749] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!RtlCopyUnicodeString] [8052E14B] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!memmove] [805C8430] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!MmHighestUserAddress] [80508F24] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT atapi.sys[HAL.dll!KfAcquireSpinLock] 89000004
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] 144D8B08
IAT atapi.sys[HAL.dll!KeGetCurrentIrql] 8B044889
IAT atapi.sys[HAL.dll!KfRaiseIrql] 4889184D
IAT atapi.sys[HAL.dll!KfLowerIrql] 10458B08
IAT atapi.sys[HAL.dll!HalGetInterruptVector] 654103C7
IAT atapi.sys[HAL.dll!HalTranslateBusAddress] 43C74369
IAT atapi.sys[HAL.dll!KeStallExecutionProcessor] 54535F04
IAT atapi.sys[HAL.dll!KfReleaseSpinLock] 0843C74D
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] 00000444
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] 030C43C7
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] 8D000000
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] C7661053
IAT atapi.sys[WMILIB.SYS!WmiSystemControl] 140242C7
IAT atapi.sys[WMILIB.SYS!WmiCompleteRequest] 8D056A00
IAT \SystemRoot\system32\DRIVERS\asyncmac.sys[NDIS.SYS!NdisMRegisterMiniport] [B11D923E] \??\C:\Program Files\Trend Micro\OfficeScan Client\tm_cfw.sys (Trend Micro Common Firewall Module 1.2/Trend Micro Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)
AttachedDevice \FileSystem\Fastfat \Fat TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)

---- EOF - GMER 1.0.15 ----

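The GMER dump above is long, and most of it is noise on a first read. The script below is an added example for this thread (it is not GMER's code and not anything the posters ran); it parses the line layout visible in the log and sorts entries into the three things a helper looks at first: code-section bytes that differ from the on-disk driver, import slots that point somewhere other than the module the import names (or that GMER cannot map to any loaded module), and filter drivers attached to a file system. The sample input is a trimmed copy of the thread's own log. The parser only sorts; it does not judge, and as the follow-up post shows, flagged entries can still turn out to be benign.

```python
# Triage helper for GMER rootkit-scan logs. Added example for this thread; it is
# not GMER's code and assumes only the line layout visible in the log above.
from __future__ import annotations

import re
from dataclasses import dataclass

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
# .text atapi.sys!ZwSetSystemPowerState + FFE6FCD1 F74823DC 2 Bytes [B0, D4] {...}
TEXT_RE = re.compile(
    r"^\.text\s+([^\s!]+)!(\S+)\s+\+\s+([0-9A-F]+)\s+([0-9A-F]+)\s+(\d+) Bytes\s+\[([^\]]*)\]")
# IAT atapi.sys[ntoskrnl.exe!PoSetPowerState] [806F06E0] \WINDOWS\system32\hal.dll (desc)
IAT_RE = re.compile(r"^IAT\s+([^\s\[]+)\[([^!\]]+)!([^\]]+)\]\s+(.*)$")
RESOLVED_RE = re.compile(r"^\[([0-9A-F]+)\]\s+(.+?)\s+\((.*)\)$")
# AttachedDevice \FileSystem\Ntfs \Ntfs TmPreFlt.sys (desc)
DEVICE_RE = re.compile(r"^AttachedDevice\s+(\S+)\s+(\S+)\s+(\S+)\s+\((.*)\)$")


@dataclass
class Finding:
    kind: str      # inline_patch | iat_unresolved | iat_redirected | iat_expected | attached_device
    subject: str   # driver whose code/imports were changed, or the filter driver
    target: str    # what the entry now points at (function+offset, resolved module, filtered stack)
    section: str   # GMER section header the line appeared under


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def parse_gmer_log(text: str) -> list[Finding]:
    """Turn a GMER dump into Finding records; lines it does not recognise are skipped."""
    findings: list[Finding] = []
    section = ""
    for line in (raw.strip() for raw in text.splitlines()):
        if m := SECTION_RE.match(line):
            section = m.group(1)
        elif m := TEXT_RE.match(line):
            # Bytes in a driver's code section differ from the on-disk image.
            driver, func, offset, _addr, _nbytes, patched = m.groups()
            findings.append(Finding("inline_patch", driver, f"{func}+{offset} [{patched}]", section))
        elif m := IAT_RE.match(line):
            importer, module, func, rest = m.groups()
            if r := RESOLVED_RE.match(rest):
                # Slot resolved to a module: compare it with the module the import names.
                kind = "iat_expected" if _basename(r.group(2)).lower() == module.lower() else "iat_redirected"
                findings.append(Finding(kind, importer, f"{module}!{func} -> {r.group(2)}", section))
            else:
                # GMER printed a bare pointer because it maps to no loaded module.
                findings.append(Finding("iat_unresolved", importer, f"{module}!{func} -> {rest}", section))
        elif m := DEVICE_RE.match(line):
            stack, _dev, filt, desc = m.groups()
            findings.append(Finding("attached_device", filt, f"{stack} ({desc})", section))
    return findings


def triage(findings: list[Finding]) -> dict:
    """Counts per kind plus the lines a helper reads first: patches and redirected imports."""
    counts = {k: 0 for k in ("inline_patch", "iat_unresolved", "iat_redirected",
                             "iat_expected", "attached_device")}
    for f in findings:
        counts[f.kind] += 1
    patched = sorted({f.subject for f in findings if f.kind == "inline_patch"})
    redirected = sorted(f.target for f in findings if f.kind == "iat_redirected")
    return {"counts": counts, "patched_drivers": patched, "redirected_imports": redirected}


# Sample input: lines copied from the log pasted in this thread, trimmed to a few per section.
SAMPLE_LOG = r"""
---- Kernel code sections - GMER 1.0.15 ----

.text atapi.sys!ZwSetSystemPowerState + FFE6FCD1 F74823DC 2 Bytes [B0, D4] {MOV AL, 0xd4}
.text atapi.sys!ZwSetSystemPowerState + FFE6FD12 F748241D 2 Bytes [84, D4] {TEST AH, DL}
.text atapi.sys!ZwSetSystemPowerState + FFE6FD2C F7482437 2 Bytes [9C, D4]
.text ...

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[ntoskrnl.exe!RtlInitUnicodeString] A5F35918
IAT atapi.sys[ntoskrnl.exe!IoAllocateIrp] 00000000
IAT atapi.sys[ntoskrnl.exe!PoSetPowerState] [806F06E0] \WINDOWS\system32\hal.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
IAT atapi.sys[ntoskrnl.exe!ExFreePoolWithTag] [804E3996] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT atapi.sys[HAL.dll!KfAcquireSpinLock] 89000004
IAT \SystemRoot\system32\DRIVERS\asyncmac.sys[NDIS.SYS!NdisMRegisterMiniport] [B11D923E] \??\C:\Program Files\Trend Micro\OfficeScan Client\tm_cfw.sys (Trend Micro Common Firewall Module 1.2/Trend Micro Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)
AttachedDevice \FileSystem\Fastfat \Fat TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)

---- EOF - GMER 1.0.15 ----
"""

if __name__ == "__main__":
    for key, value in triage(parse_gmer_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run it on a saved gmer.log by reading the file into `parse_gmer_log`. The `.text ...` marker GMER prints when it truncates a section is deliberately skipped, so a patch count from this script is a lower bound; the section name carried on each Finding lets you tell a kernel code-section patch apart from a user-mode one if a fuller log contains both.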

#2 gmassott


Posted 15 December 2009 - 10:36 AM

Never mind, this appears to be a false positive generated by Clamwin.

Thank you anyway.



