Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Possible trojan/rootkit?


  • Please log in to reply
5 replies to this topic

#1 bunicom

bunicom

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:11:03 AM

Posted 03 March 2010 - 12:33 PM

I downloaded a "suspicious" file and after I rebooted my PC, Kaspersky warned that InCD was trying to load a hidden driver/rootkit [or something similar], my KIS log shows as "proactive defense/Detected: Hidden Object in application "InCD"
I blocked the application, updated adaware/malware anti/spyware terminator, ran spyware terminator (without rebooting after all the updates, as is suggested) it detected a trojan in my system/filter.sys file and deleted it. I don't recall the specifics, and the log doesn't seem to include any details about it, I bookmarked this though http://www.spywareterminator.com/item/6319/details.html
I then restarted my PC, but as it got to the loading windows screen after 10 seconds it just rebooted itself, and came to the choose safe mode/boot normally menu, I tried safe mode and it just did the same thing, tried "last known good configuration" and it booted fine.

I presume the boot problem was because I never rebooted after updating the antimalware software, or malwarebytes took out something important along with the trojan, but I'm not sure if my PC is clean.
I've run the following and they all come back clean:
Adaware
Malwarebytes anti malware
spyware terminator
rootrepeal

No suspicious activity at the moment, but what are my next steps? Combofix?

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,220 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:03 PM

Posted 03 March 2010 - 02:58 PM

Is the machine booting normallly now. Please do not run ComboFix on your own. Can we get a scan from GMER
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in a BSODs, uncheck Devices on the right side before scanning
.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 bunicom

bunicom
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:11:03 AM

Posted 04 March 2010 - 06:45 PM

My windows partition is 130GB, but the scan just ran for 12 hours and was not finished, so I stopped it, pressed copy then tried to save but my PC became incredibly slow/unresponsive.
I actually downloaded and ran this program before I even posted, as per this http://www.bleepingcomputer.com/forums/ind...showtopic=34773 post, but it suggests un-checking certain options. I don't recall if it finished, or I stopped it, but I was able to save a log that initial time.


This is my initial log, I'm not sure if it ran it's full course (I had kaspersky running at the time, but not on my second attempt).

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-02 21:22:44
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: H:\DOCUME~1\Richard\LOCALS~1\Temp\ufriiaob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwAdjustPrivilegesToken [0x9F91DA72]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwClose [0x9F91E01E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwConnectPort [0x9F91FA82]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateFile [0x9F91F438]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateKey [0x9F91D1E8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateSymbolicLinkObject [0x9F9213E4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateThread [0x9F91DE1A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeleteKey [0x9F91D62A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeleteValueKey [0x9F91D82A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeviceIoControlFile [0x9F91F744]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDuplicateObject [0x9F9218F0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateKey [0x9F91D940]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateValueKey [0x9F91D9A8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwFsControlFile [0x9F91F5FA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwLoadDriver [0x9F920EA8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenFile [0x9F91F294]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenKey [0x9F91D34A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenProcess [0x9F91DC40]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenSection [0x9F92140E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenThread [0x9F91DB96]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryKey [0x9F91DA10]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryMultipleValueKey [0x9F91D714]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryValueKey [0x9F91D4F2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueueApcThread [0x9F921110]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwReplaceKey [0x9F91CE6A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwRequestWaitReplyPort [0x9F92030C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwRestoreKey [0x9F91CFCC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwResumeThread [0x9F9217C0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSaveKey [0x9F91CC68]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSecureConnectPort [0x9F91F924]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetContextThread [0x9F91DF18]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetSecurityObject [0x9F920FA2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetSystemInformation [0x9F921438]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetValueKey [0x9F91D3A0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSuspendProcess [0x9F92151C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSuspendThread [0x9F921648]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSystemDebugControl [0x9F920DD4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwTerminateProcess [0x9F91DCEA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwWriteVirtualMemory [0x9F91DD5C]

INT 0x63 ? 89FC1BF8
INT 0x63 ? 89FC1BF8
INT 0x63 ? 89FC1BF8
INT 0x73 ? 8AC0FBF8
INT 0x73 ? 8AC0FBF8
INT 0x73 ? 8AC0FBF8
INT 0x83 ? 8AC12BF8
INT 0x83 ? 89FC1BF8
INT 0x83 ? 8AC12BF8
INT 0x84 ? 89FC1BF8
INT 0xA4 ? 89FC1BF8
INT 0xB4 ? 8AB9FBF8

Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) IoIsOperationSynchronous

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8AC0D1F8

AttachedDevice \FileSystem\Ntfs \Ntfs tdrpm258.sys (Acronis Try&Decide Volume Filter Driver/Acronis)

Device \FileSystem\Fastfat \FatCdrom 88C0D500

AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 VMkbd.sys (VMware keyboard filter driver (32-bit)/VMware, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 VMkbd.sys (VMware keyboard filter driver (32-bit)/VMware, Inc.)

Device \Driver\usbuhci \Device\USBPDO-0 89FC01F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8ABA01F8
Device \Driver\dmio \Device\DmControl\DmConfig 8ABA01F8
Device \Driver\dmio \Device\DmControl\DmPnP 8ABA01F8
Device \Driver\dmio \Device\DmControl\DmInfo 8ABA01F8
Device \Driver\usbuhci \Device\USBPDO-1 89FC01F8
Device \Driver\usbuhci \Device\USBPDO-2 89FC01F8
Device \Driver\usbehci \Device\USBPDO-3 89F9E1F8
Device \Driver\usbuhci \Device\USBPDO-4 89FC01F8

AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

Device \Driver\usbuhci \Device\USBPDO-5 89FC01F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{BB8BCAD4-9E4B-4479-94D0-055182953654} 8977A500
Device \Driver\usbuhci \Device\USBPDO-6 89FC01F8
Device \Driver\PCI_PNP3494 \Device\00000070 sppm.sys
Device \Driver\Ftdisk \Device\HarddiskVolume1 8AC101F8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpm258.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 sr.sys (System Restore Filesystem Filter Driver/Microsoft Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \Driver\usbehci \Device\USBPDO-7 89F9E1F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8AC101F8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 tdrpm258.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 sr.sys (System Restore Filesystem Filter Driver/Microsoft Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \Driver\Cdrom \Device\CdRom0 89F8E1F8
Device \Driver\iaStor \Device\Ide\iaStor0 [BA5706D0] iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 8AC0F1F8
Device \Driver\atapi \Device\Ide\IdePort0 8AC0F1F8
Device \Driver\atapi \Device\Ide\IdePort1 8AC0F1F8
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [BA5706D0] iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-1 [BA5706D0] iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\Ftdisk \Device\HarddiskVolume3 8AC101F8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 tdrpm258.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 sr.sys (System Restore Filesystem Filter Driver/Microsoft Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \Driver\Cdrom \Device\CdRom1 89F8E1F8
Device \Driver\usbstor \Device\000000b1 89869500
Device \Driver\usbstor \Device\000000b3 89869500
Device \Driver\usbstor \Device\000000b4 89869500
Device \Driver\usbstor \Device\000000b5 89869500
Device \Driver\NetBT \Device\NetBt_Wins_Export 8977A500
Device \Driver\usbhub \Device\000000a9 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\NetBT \Device\NetBT_Tcpip_{CF5A9F27-6CB1-4AE4-9E8E-47124BD31984} 8977A500
Device \Driver\usbstor \Device\000000b6 89869500
Device \Driver\NetBT \Device\NetbiosSmb 8977A500
Device \Driver\sptd \Device\3940893494 sppm.sys
Device \Driver\NetBT \Device\NetBT_Tcpip_{F9350B8D-BE11-44F5-B385-3BCCC1A65FCC} 8977A500

AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

Device \Driver\usbuhci \Device\USBFDO-0 89FC01F8
Device \Driver\usbuhci \Device\USBFDO-0 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbuhci \Device\USBFDO-1 89FC01F8
Device \Driver\usbuhci \Device\USBFDO-1 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbhub \Device\000000ac hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbuhci \Device\USBFDO-2 89FC01F8
Device \Driver\usbuhci \Device\USBFDO-2 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8975C500
Device \Driver\usbhub \Device\000000ad hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbehci \Device\USBFDO-3 89F9E1F8
Device \Driver\usbehci \Device\USBFDO-3 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8975C500
Device \Driver\usbhub \Device\000000ae hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbuhci \Device\USBFDO-4 89FC01F8
Device \Driver\usbuhci \Device\USBFDO-4 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbhub \Device\000000af hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\Ftdisk \Device\FtControl 8AC101F8
Device \Driver\usbuhci \Device\USBFDO-5 89FC01F8
Device \Driver\usbuhci \Device\USBFDO-5 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbuhci \Device\USBFDO-6 89FC01F8
Device \Driver\usbuhci \Device\USBFDO-6 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbehci \Device\USBFDO-7 89F9E1F8
Device \Driver\usbehci \Device\USBFDO-7 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\as1079l8 \Device\Scsi\as1079l81Port4Path0Target0Lun0 89F371F8
Device \Driver\as1079l8 \Device\Scsi\as1079l81 89F371F8
Device \Driver\JRAID \Device\Scsi\JRAID1 8AC0E1F8
Device \FileSystem\Fastfat \Fat 88C0D500

AttachedDevice \FileSystem\Fastfat \Fat tdrpm258.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 8986C500

---- Threads - GMER 1.0.15 ----

Thread System [4:1156] 892C0000
Thread System [4:1160] 892C0000
Thread System [4:1164] 8928D7E0
Thread System [4:1168] 8928D7E0
Thread System [4:1176] 8928F7D0
Thread System [4:1180] 8928F7D0
Thread System [4:1184] 8928F7D0
Thread System [4:1188] 8928D7E0
Thread System [4:1940] 89003190

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\0009dd50536a (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\000a3a51b0ff (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\000a3a51b0ff@001963929e6f 0xD2 0xC3 0x26 0x79 ...
Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\000a3a51b0ff@000e073651c2 0xFA 0x10 0xF3 0xC8 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 H:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x85 0xA0 0xD3 0x9B ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x05 0x7B 0x95 0xAD ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x85 0xB7 0xA1 0xDC ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0009dd50536a (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000a3a51b0ff (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000a3a51b0ff@001963929e6f 0xD2 0xC3 0x26 0x79 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000a3a51b0ff@000e073651c2 0xFA 0x10 0xF3 0xC8 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 H:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x85 0xA0 0xD3 0x9B ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x05 0x7B 0x95 0xAD ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x85 0xB7 0xA1 0xDC ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0009dd50536a
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000a3a51b0ff
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000a3a51b0ff@001963929e6f 0xD2 0xC3 0x26 0x79 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000a3a51b0ff@000e073651c2 0xFA 0x10 0xF3 0xC8 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 H:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x85 0xA0 0xD3 0x9B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x05 0x7B 0x95 0xAD ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x85 0xB7 0xA1 0xDC ...

---- Files - GMER 1.0.15 ----

File H:\Documents and Settings\Richard\Local Settings\Temp\~DF9C3D.tmp 32768 bytes
File H:\Documents and Settings\Richard\Local Settings\Temp\~DF9D5B.tmp 512 bytes
File H:\Documents and Settings\Richard\Local Settings\Temp\~DF9EA3.tmp 16384 bytes
File H:\Documents and Settings\Richard\Local Settings\Temp\~DF9EBC.tmp 512 bytes
File H:\Documents and Settings\Richard\Local Settings\Temp\~DFA030.tmp 32768 bytes
File H:\Documents and Settings\Richard\Local Settings\Temp\~DFA043.tmp 512 bytes
File H:\Documents and Settings\Richard\Local Settings\Temp\~DFA46A.tmp 16384 bytes
File H:\Documents and Settings\Richard\Local Settings\Temp\~DFAFF3.tmp 16384 bytes

---- EOF - GMER 1.0.15 ----

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,220 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:03 PM

Posted 04 March 2010 - 08:12 PM

InCD.exe is a software program that is used for CD and DVD writing and burning. To help identify that this is not spyware, always verify the file is in the proper location. This CD and DVD software comes from Ahead Nero.

http://www.bleepingcomputer.com/startups/incd.exe-2178.html

You may want to have Kaspersky exempt it. It sees it as something writing and does not like it.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 bunicom

bunicom
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:11:03 AM

Posted 05 March 2010 - 06:36 AM

The only incd.exe I have is located in the proper location of program files/Ahead/InCD/InCD.exe
It looks clean http://virusscan.jotti.org/en-gb/scanresul...dc7f2a166339ebc

I can only presume that the virus I had was trying to hook into any service it could and picked inCD, but since kaspersky blocked it, it never got itself established?

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,220 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:03 PM

Posted 05 March 2010 - 11:53 AM

Yes ,I agree that would be it.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users