Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Possible Rootkit.Agent, Not sure, Internet, speakers disabled

  • This topic is locked This topic is locked
21 replies to this topic

#1 derpderpderp


  • Members
  • 13 posts
  • Local time:06:57 PM

Posted 31 January 2010 - 12:53 AM

Iím really ticked right now. I tried to post twice already, but due to my own stupidity Iíve either closed or overwritten the tabs that I was working on the post with. Iím going to try to keep this as short as possible in case it happens again.

So around 2 weeks ago, I decided to remove this malware that was on my computer for the longest time, redirecting my search results. Malwarebytes didnít turn up anything, so I decided to get NOD32, and when I ran a scan with it, it detected a bunch of items and deleted them. However, a bit later than that tons of pop-up ads started to appear and some of them I couldnít even exit. Task manager was also disabled by the admin, no doubt the work of malware. I restart the computer, and whoop de ****ing doo, thereís a BSOD at the xp loading screen so I canít even use windows. Safe mode doesnít work either, I get a BSOD when that tries to load as well.

For about a week, I go about wankin around with my computer before it starts working again. I install a second copy of xp by accident when trying to repair xp, and I use that second copy to gain access to my files and to access a certain .sys file in system32/drivers which I thought was denying me from accessing safe mode. I delete that file, and for some reason it let me access my broken version of xp, but not safe mode.

I load up my broken version of xp, and not surprisingly, itís completely infested with malware. There are tons of pop-ups. Task manager and Regedit are disabled by the admin, and display a fake warning message telling me my computer is infected whenever I tried to use them. I also had a fake antivirus goading me to download the full version of it.
I re-enable task manager through user options, but the warning message still deletes it whenever I use it. I work around it by leaving the message on while starting another task manager. I delete all the unfamiliar processes, and then run rkill, then scan with malwarebytes. Thereís like 50 results that show up. I remove them then restart my computer, but thereís no user interface for about 10 minutes at startup. The taskbar is also now the windows 2000 theme. Internet doesn't work now. In my network places, there's not even a connection there anymore. My speakers don't work anymore either - there is 'no audio device installed'.

I run rkill again, and the taskbar returns to normal. Strange. Then I do a second scan of malwarebytes, and it turns out there is still malware on my computer. But I notice that one in particular is there from last time Ė Rootkit.Agent. It manifests itself in the system32/drivers folder as hxbbsgx.sys, and I delete manually by switching to my second version of xp since it was in use in my first version. However, that doesnít fix things since I run a third scan on my infected version of xp, and Rootkit.Agent is still there, but manifested somewhere else.

I have a feeling that if I keep trying to delete it by myself, itís pretty much going to be a wild goose chase. So I come here, since when looking for solutions, I found many here and you guys appear as though you know your stuff.

Hereís my DDS Log:
DDS (Ver_09-12-01.01) - NTFSx86
Run by AWESOMEMINISTRATOR at 23:14:26.67 on Sat 01/30/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1577 [GMT -5:00]

AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\iPod\bin\iPodService.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=
uSearchAssistant = hxxp://www.google.com
mSearchAssistant = hxxp://www.google.com
uURLSearchHooks: free-downloads.net Toolbar: {ecdee021-0d17-467f-a1ff-c7a115230949} - c:\program files\free-downloads.net\tbfree.dll
TB: free-downloads.net Toolbar: {ecdee021-0d17-467f-a1ff-c7a115230949} - c:\program files\free-downloads.net\tbfree.dll
TB: StylerToolBar: {d2f8f919-690b-4ea2-9fa7-a203d1e04f75} - c:\program files\styler\tb\StylerTB.dll
EB: {CAFB2180-BA09-11DC-95FF-0800200C9A66} - No File
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [RGSC] c:\program files\rockstar games\rockstar games social club\RGSCLauncher.exe /silent
mRun: [WGA Watchdog] c:\windows\system32\WGAwatchLauncher.exe
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
StartupFolder: c:\docume~1\awesom~1\startm~1\programs\startup\Styler.lnk -
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\puresp.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
Hosts: serial.alcohol-soft.com
Hosts: auto.search.msn.com
Hosts: auto.search.msn.es

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\awesom~1\applic~1\mozilla\firefox\profiles\20noqpkb.default\
FF - prefs.js: browser.startup.homepage - hxxp://ca.msn.com/default_im.aspx
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - HiddenExtension: XUL Cache: No Registry Reference - c:\program files\mozilla firefox\extensions\{4E861D0A-4094-485A-A906-999DABA6CF1B}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-5-14 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-2-20 94360]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2010-1-30 18816]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-5-14 731840]
S0 hxbbsgx;hxbbsgx; [x]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [2004-8-4 3584]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\dragon age\bin_ship\daupdatersvc.service.exe [2009-12-11 25832]
S3 jatmlano;jatmlano;\??\c:\docume~1\awesom~1\locals~1\temp\jatmlano.sys --> c:\docume~1\awesom~1\locals~1\temp\jatmlano.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1a.tmp --> c:\windows\system32\1A.tmp [?]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
S4 Logical Disk Manager (dmserver) ;Logical Disk Manager (dmserver) ;c:\program files\tintinyproxyy\tinyproxy.exe --> c:\program files\tintinyproxyy\tinyproxy.exe [?]

=============== Created Last 30 ================

2010-01-30 23:28:57 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2010-01-30 20:36:29 0 d-----w- c:\program files\Sophos
2010-01-30 20:24:19 98816 ----a-w- c:\windows\sed.exe
2010-01-30 20:24:19 77312 ----a-w- c:\windows\MBR.exe
2010-01-30 20:24:19 261632 ----a-w- c:\windows\PEV.exe
2010-01-30 20:24:19 161792 ----a-w- c:\windows\SWREG.exe
2010-01-30 20:24:05 0 d-s---w- C:\ComboFix
2010-01-30 17:23:32 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-30 17:23:31 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-30 17:23:30 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-30 04:21:03 8 --sha-r- c:\documents and settings\awesomeministrator\ntuser.pol
2010-01-30 04:17:52 0 d--h--w- c:\windows\system32\GroupPolicy
2010-01-30 00:09:00 0 ----a-w- c:\windows\system32\15724.exe
2010-01-29 05:32:49 0 ----a-w- c:\windows\system32\19169.exe
2010-01-29 05:12:32 0 ----a-w- c:\windows\system32\26500.exe
2010-01-29 04:52:30 0 d-----w- c:\program files\TrendMicro
2010-01-29 04:52:15 0 ----a-w- c:\windows\system32\6334.exe
2010-01-29 04:31:57 0 ----a-w- c:\windows\system32\18467.exe
2010-01-29 04:11:07 28409 ----a-w- c:\windows\system32\O9I033SIX1.dat
2010-01-26 20:09:19 0 d-----w- C:\WINDOWS.0
2010-01-21 01:15:52 46 ----a-w- C:\p2hhr.bat
2010-01-21 01:15:47 0 d-sh--w- c:\docume~1\awesom~1\applic~1\SystemProc
2010-01-21 01:15:39 1 ----a-w- C:\s
2010-01-16 16:10:33 0 d-----w- c:\program files\iPod
2010-01-16 16:10:27 0 d-----w- c:\program files\iTunes
2010-01-16 16:10:27 0 d-----w- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-01-16 02:45:24 0 d-----w- C:\Downloads
2010-01-16 01:30:04 0 d-----w- c:\program files\vSoft

==================== Find3M ====================

2009-10-14 22:25:25 573304 ----a-w- c:\program files\MEALS ON WHEELS1.wav
2008-10-31 00:35:47 18428 ----a-w- c:\program files\common files\zogucugole.pif
2008-10-31 00:35:47 12989 ----a-w- c:\program files\common files\nipihe.reg
2008-10-31 00:35:47 11260 ----a-w- c:\program files\common files\sopa.ban
2008-10-31 00:35:47 10283 ----a-w- c:\program files\common files\wijol.exe
2002-09-11 14:26:52 63730 ----a-w- c:\program files\viewsonicinstruct_xp.pdf

============= FINISH: 23:15:43.18 ===============

My RootRepeal:
ROOTREPEAL © AD, 2007-2009
Scan Start Time: 2010/01/30 23:23
Program Version: Version
Windows Version: Windows XP SP3

Name: qedkq.sys
Image Path: qedkq.sys
Address: 0xB80A8000 Size: 54016 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB82B8000 Size: 49152 File Visible: No Signed: -
Status: -

#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x89189630

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x89188a60

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x89188e80

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x89189460

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x89189280

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x89188c90

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x891890b0

Stealth Objects
Object: Hidden Code [ETHREAD: 0x8a5a1af0]
Process: System Address: 0x89187790 Size: 1000


Attached Files

Edited by derpderpderp, 31 January 2010 - 12:56 AM.

BC AdBot (Login to Remove)


#2 derpderpderp

  • Topic Starter

  • Members
  • 13 posts
  • Local time:06:57 PM

Posted 31 January 2010 - 12:23 PM

oh and I missed a quick detail, the malware also messed wih my Winsock, whenever I try to start uTorrent it gives this message:

WSA Startup() failed, or you have the incorrect version of Winsock installed.

Windows Messenger also cannot start.

I also have a hunch that there are a bunch of hidden processes, since in task manager it says there are 1,470 megs free when there should be actually 1,850 free.



While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us want someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take several days, up to more than a week, perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

Thank you for understanding.

Elise - forum moderator

Edited by elise025, 03 February 2010 - 12:31 PM.

#3 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:57 AM

Posted 07 February 2010 - 11:17 AM


My name is Syler and I will be helping you to solve your Malware issues. If you have since resolved your issues I would appreciate if you
would let me no so I can close this topic, if you still need help please let me no what issues you are still having, in your next reply.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and
we are trying our best to keep up.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

  1. Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  2. Disconnect from the Internet and close all running programs, as this process may crash your computer.
  3. Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  4. Double click on Gmer to run it.
  5. Allow the gmer.sys driver to load if asked.
  6. You may see a rootkit warning window, If you do, click No.
  7. Untick the following boxes on the right side of the Gmer screen.
    Show All
  8. Click on and wait for the scan to finish.
  9. If you see a rootkit warning window, click OK.
  10. Push and save the logfile to your desktop.
  11. Copy and Paste the contents of that file in your next post.

Then please post back here with the following:
  • log.txt
  • info.txt
  • Gmer log



#4 derpderpderp

  • Topic Starter

  • Members
  • 13 posts
  • Local time:06:57 PM

Posted 07 February 2010 - 10:13 PM

okay, RSIT didn't work, it gave this error message while dumping the registry:

line -1:

error: subscript used with non-array variable

but GMER did work, and here's the log:

GMER - http://www.gmer.net
Rootkit scan 2010-02-07 21:57:30
Windows 5.1.2600 Service Pack 3
Running: oedpgm74.exe; Driver: C:\DOCUME~1\AWESOM~1\LOCALS~1\Temp\kxroyuoc.sys

---- System - GMER 1.0.15 ----

SSDT 890EB630 ZwAssignProcessToJobObject
SSDT 890EAA60 ZwOpenProcess
SSDT 890EAE80 ZwOpenThread
SSDT 890EB460 ZwSuspendProcess
SSDT 890EB280 ZwSuspendThread
SSDT 890EAC90 ZwTerminateProcess
SSDT 890EB0B0 ZwTerminateThread

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8A696856

---- Threads - GMER 1.0.15 ----

Thread System [4:396] 890E9790

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x9C 0xEA 0xE9 0xBE ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD9 0xD3 0xB8 0x87 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xF0 0xB2 0xE0 0xAD ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xE6 0x01 0x39 0x23 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x1C 0x5D 0x3E 0x6D ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x9C 0xEA 0xE9 0xBE ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 2
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD9 0xD3 0xB8 0x87 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xF0 0xB2 0xE0 0xAD ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xE6 0x01 0x39 0x23 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xA5 0xAB 0xF3 0x9B ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x9C 0xEA 0xE9 0xBE ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 2
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD9 0xD3 0xB8 0x87 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xF0 0xB2 0xE0 0xAD ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xE6 0x01 0x39 0x23 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x1C 0x5D 0x3E 0x6D ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

#5 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:57 AM

Posted 08 February 2010 - 09:35 AM

Hi derpderpderp,

Your logs show that you have a rootkit infection so you should be aware of the following information

One or more of the identified infections is a backdoor trojan/Rootkit.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide you want to proceed with trying to clean your machine please follow these next steps.

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

If you need help, see this link:


#6 derpderpderp

  • Topic Starter

  • Members
  • 13 posts
  • Local time:06:57 PM

Posted 08 February 2010 - 07:32 PM

okay, as of last night my computer is broken AGAIN, I can't even boot it up. Instead of BSODing at the windows loading screen, it just freezes now. How do I fix that? I have a second copy of XP installed on my computer, can I run combofix on that? I can't access safe mode either. Also, what is the trojan/rootkit responsible and the associated files? just curious. Thanks.

#7 derpderpderp

  • Topic Starter

  • Members
  • 13 posts
  • Local time:06:57 PM

Posted 08 February 2010 - 07:50 PM

okay, nevermind: it gives a BSOD, and this is it:

A problem has been detected and windows has been shut down to prevent damage to your computer.


If problems continue, disable or remove andy newly installed hardware software. Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable componenets, restart your computer, press F8 to select Advanced Startup Options, and then select Safe Mode.

Technical Info:

***STOP: 0x000000ED (0x8A773590, 0x80000003, 0x00000000, 0x00000000)

#8 derpderpderp

  • Topic Starter

  • Members
  • 13 posts
  • Local time:06:57 PM

Posted 08 February 2010 - 07:52 PM

also, what course of action would you recommend? Something tells me this might take a while to remove. most of my files are music, movies or documents.

#9 derpderpderp

  • Topic Starter

  • Members
  • 13 posts
  • Local time:06:57 PM

Posted 08 February 2010 - 10:51 PM

okay, so I ran combofix from the second install of xp:

This is actually the log of the second scan I ran. the first scan's log was overwritten, I'm not sure if that matters or not.

ComboFix 10-02-08.06 - Jason 02/08/2010 22:32:43.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1787 [GMT -8:00]
Running from: E:\dfgvdfdfbvdf.exe

((((((((((((((((((((((((( Files Created from 2010-01-09 to 2010-02-09 )))))))))))))))))))))))))))))))

2010-02-09 06:03 . 2010-02-09 06:11 -------- d-----w- C:\wef
2010-02-08 02:53 . 2010-02-08 02:53 -------- d-----w- C:\rsit
2010-01-31 06:07 . 2008-04-14 08:15 26368 -c--a-w- c:\windows.0\system32\dllcache\usbstor.sys
2010-01-30 20:36 . 2010-01-30 20:36 -------- d-----w- c:\program files\Sophos
2010-01-30 17:23 . 2010-01-30 17:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-29 04:52 . 2010-01-29 04:52 -------- d-----w- c:\program files\TrendMicro
2010-01-27 06:06 . 2010-01-27 06:06 12528 ----a-w- c:\documents and settings\Jason\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2010-02-08 08:21 . 2008-01-17 22:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-08 03:08 . 2008-12-27 19:05 -------- d-----w- c:\program files\Trend Micro
2010-01-28 05:02 . 2010-01-27 04:26 86339 ----a-w- c:\windows.0\pchealth\helpctr\OfflineCache\index.dat
2010-01-27 04:24 . 2010-01-27 04:24 21640 ----a-w- c:\windows.0\system32\emptyregdb.dat
2010-01-16 16:30 . 2010-01-16 16:30 -------- d-----w- c:\program files\7-Zip
2010-01-16 16:11 . 2010-01-16 16:10 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-01-16 16:11 . 2010-01-16 16:10 -------- d-----w- c:\program files\iTunes
2010-01-16 16:10 . 2010-01-16 16:10 -------- d-----w- c:\program files\iPod
2010-01-16 16:10 . 2008-03-10 14:40 -------- d-----w- c:\program files\Common Files\Apple
2010-01-16 16:09 . 2010-01-16 16:08 -------- d-----w- c:\program files\QuickTime
2010-01-16 16:05 . 2010-01-16 16:05 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes\SetupAdmin.exe
2010-01-16 16:04 . 2008-08-05 01:48 -------- d-----w- c:\program files\Safari
2010-01-16 16:02 . 2010-01-16 16:02 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari\SetupAdmin.exe
2010-01-16 01:30 . 2010-01-16 01:30 -------- d-----w- c:\program files\vSoft
2010-01-11 06:56 . 2008-05-04 04:04 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-10 02:26 . 2007-01-14 03:39 -------- d-----w- c:\program files\Steam
2009-12-12 05:58 . 2009-12-12 05:58 -------- d-----w- c:\documents and settings\All Users\Application Data\BioWare
2009-12-12 05:54 . 2009-12-11 23:52 -------- d-----w- c:\program files\Dragon Age
2009-12-12 00:14 . 2008-12-28 02:05 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-12 00:14 . 2008-06-18 23:19 -------- d-----w- c:\program files\Common Files\BioWare
2009-10-14 22:25 . 2009-10-14 22:25 573304 ----a-w- c:\program files\MEALS ON WHEELS1.wav
2008-10-31 00:35 . 2008-10-31 00:35 18428 ----a-w- c:\program files\Common Files\zogucugole.pif
2008-10-31 00:35 . 2008-10-31 00:35 11260 ----a-w- c:\program files\Common Files\sopa.ban
2008-10-31 00:35 . 2008-10-31 00:35 10283 ----a-w- c:\program files\Common Files\wijol.exe
2002-09-11 14:26 . 2007-01-13 19:43 63730 ----a-w- c:\program files\viewsonicinstruct_xp.pdf

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=


catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-08 22:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

Completion time: 2010-02-08 22:40:55
ComboFix-quarantined-files.txt 2010-02-09 06:40
ComboFix2.txt 2010-02-09 06:11

Pre-Run: 15,701,004,288 bytes free
Post-Run: 15,672,840,192 bytes free

- - End Of File - - F64646E8C10623483263A15646DBA5E3

and if this is of any use, this is the mbr file:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba8ecf28
\Driver\ACPI -> ACPI.sys @ 0xba77fcb8
\Driver\atapi -> atapi.sys @ 0xba711852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK

#10 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:57 AM

Posted 09 February 2010 - 11:00 AM

Please don't just go ahead and post logs I haven't requested and if you ask me a question then wait for my reply before proceeding.

Can you tell me if the MBR log you posted is from the working OS or the one that is getting the BSOD and tell me what drive letter the bad
OS is on.


#11 derpderpderp

  • Topic Starter

  • Members
  • 13 posts
  • Local time:06:57 PM

Posted 09 February 2010 - 05:03 PM

Sorry about that. it's from the working OS. I can't boot up the bad one, and they are both on C:.

#12 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:57 AM

Posted 09 February 2010 - 06:04 PM

So you have 2 OS installed on the same drive and partition, is their any reason for this, do you really need them both?


#13 derpderpderp

  • Topic Starter

  • Members
  • 13 posts
  • Local time:06:57 PM

Posted 09 February 2010 - 07:37 PM

I installed the second install accidentally when I was trying to do a repair install, no I don't really need it but it's handy for accessing my system files when my other copy of xp doesn't work, like right now. I fixed a startup BSOD on my broken install by accessing its system files with my second install of xp.

Edited by derpderpderp, 09 February 2010 - 07:38 PM.

#14 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:57 AM

Posted 09 February 2010 - 07:55 PM

You would be much better partitioning the drive and installing on a different partition if you wanted two OS.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • A blank Windows shall open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy the content of the following codebox into the main textfield :
  • Please Confirm everything is copied and Pasted as I have provided above
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan, Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt


#15 derpderpderp

  • Topic Starter

  • Members
  • 13 posts
  • Local time:06:57 PM

Posted 09 February 2010 - 08:13 PM

here is the log:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 20:06 on 09/02/2010 by Jason (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.*"
C:\cmdcons\atapi.sy_ -ra--- 50028 bytes [06:02 09/02/2010] [23:10 13/04/2008] C32657CE5311711A42CD6ECBC728FB0B
C:\WINDOWS.0\ERDNT\cache\atapi.sys --a--- 96512 bytes [06:11 09/02/2010] [23:10 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS.0\system32\drivers\atapi.sys ------ 96512 bytes [23:10 13/04/2008] [23:10 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [01:15 23/12/2008] [12:00 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [01:22 23/12/2008] [05:10 14/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\atapi.sys --a--- 96512 bytes [02:38 07/09/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [12:00 04/08/2004] [05:10 14/04/2008] C0D39C2D5FBC9B3445F2F16B0B0373E6

-=End Of File=-

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users