Possible RootKit Problem


This topic is locked.
12 replies to this topic

#1 yalfers

yalfers

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:03:23 AM

Posted 04 March 2010 - 09:44 PM

Alright, well the story goes back maybe half a year ago whenever I fell for a false-flash link without putting much thought into what I was doing.

Since then, I haven't been able to view Steam's official website, and there have been numerous small problems on top of this which I've encountered.

I can post a logfile from HijackThis or whatever else is used nowadays, I'm not too sure on the rules as far as doing that so please respond and let me know?

Oh, and I use Panda AV for Notebooks, have Malwarebytes, and ran plenty of rootkit scanners which were suggested throughout forums. Maybe I don't have a rootkit? Just an assumption. Hopefully someone can help me out. It's very annoying.

Edited by Orange Blossom, 04 March 2010 - 09:50 PM.
Move to AII from Vista forum. ~ OB




#2 yalfers

yalfers
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:03:23 AM

Posted 05 March 2010 - 05:41 PM

I see I'm getting replies, and I know it's just a day... I'd just really hate to see this go without any suggestions, ideas. I've tried other forums and it was the same deal. Would rather not have this sit for a while like it has before.

#3 Casey_boy

  • Malware Response Team

Posted 06 March 2010 - 02:46 PM

Hi,

We need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (if you did not use the "Direct Download" mirror).
  • Open RootRepeal on your desktop.
  • Click the [image] tab.
  • Click the [image] button.
  • Check all seven boxes: [image]
  • Push Ok.
  • Check the box for your main system drive (usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the [image] button. Save the log to your desktop as RootRepeal.txt. Include this report in your next reply, please.
Also, please update MBAM, run a scan and post the results.

If you're already getting help at other forums, please let me know.

Casey

If I have been helping you and I do not reply within 48 hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#4 yalfers

yalfers
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:03:23 AM

Posted 06 March 2010 - 10:24 PM

Alright thanks, here's the log from MBAM. Came up with nothing. I'll run the RootRepeal soon and post either tonight or tomorrow, it was taking too much time earlier.


Malwarebytes' Anti-Malware 1.44
Database version: 3830
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18882

3/6/2010 10:22:38 PM
mbam-log-2010-03-06 (22-22-38).txt

Scan type: Full Scan (C:\|)
Objects scanned: 290124
Time elapsed: 1 hour(s), 49 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#5 Casey_boy

  • Malware Response Team

Posted 07 March 2010 - 05:32 AM

Hi,

Please hold off on the RootRepeal - we'll use some other tools.

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.

Casey



#6 yalfers

yalfers
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:03:23 AM

Posted 07 March 2010 - 07:39 PM

Here's the GMER log.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-07 19:03:58
Windows 6.0.6002 Service Pack 2
Running: 1o9rqdwg.exe; Driver: C:\Users\Ralph\AppData\Local\Temp\kglcrpoc.sys


---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!NtOpenProcess 82422B58 7 Bytes [B8, 46, F1, 89, 9E, FF, E0] {MOV EAX, 0x9e89f146; JMP EAX}
? C:\Windows\system32\PavTPK.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\Ati2evxx.exe[1436] WS2_32.dll!closesocket 7742330C 6 Bytes JMP 5F220F5A
.text C:\Windows\system32\Ati2evxx.exe[1436] WS2_32.dll!recv 7742343A 6 Bytes JMP 5F070F5A
.text C:\Windows\system32\Ati2evxx.exe[1436] WS2_32.dll!connect 774240D9 6 Bytes JMP 5F040F5A
.text C:\Windows\system32\Ati2evxx.exe[1436] WS2_32.dll!WSASend 77424496 6 Bytes JMP 5F1C0F5A
.text C:\Windows\system32\Ati2evxx.exe[1436] WS2_32.dll!send 7742659B 6 Bytes JMP 5F0D0F5A
.text C:\Windows\system32\Ati2evxx.exe[1436] WS2_32.dll!sendto 774267C5 6 Bytes JMP 5F100F5A
.text C:\Windows\system32\Ati2evxx.exe[1436] WS2_32.dll!WSARecv 77428400 6 Bytes JMP 5F160F5A
.text C:\Windows\system32\Ati2evxx.exe[1436] WS2_32.dll!recvfrom 77428E15 6 Bytes JMP 5F0A0F5A
.text C:\Windows\system32\Ati2evxx.exe[1436] WS2_32.dll!WSAConnect 7742D7B0 6 Bytes JMP 5F130F5A
.text C:\Windows\system32\Ati2evxx.exe[1436] WS2_32.dll!WSARecvFrom 77438B38 6 Bytes JMP 5F190F5A
.text C:\Windows\system32\Ati2evxx.exe[1436] WS2_32.dll!WSASendTo 7743A474 6 Bytes JMP 5F1F0F5A
.text C:\Program Files\Dell Support Center\bin\sprtcmd.exe[1656] WS2_32.dll!closesocket 7742330C 6 Bytes JMP 5F220F5A
.text C:\Program Files\Dell Support Center\bin\sprtcmd.exe[1656] WS2_32.dll!recv 7742343A 6 Bytes JMP 5F070F5A
.text C:\Program Files\Dell Support Center\bin\sprtcmd.exe[1656] WS2_32.dll!connect 774240D9 6 Bytes JMP 5F040F5A
.text C:\Program Files\Dell Support Center\bin\sprtcmd.exe[1656] WS2_32.dll!WSASend 77424496 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\Dell Support Center\bin\sprtcmd.exe[1656] WS2_32.dll!send 7742659B 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Dell Support Center\bin\sprtcmd.exe[1656] WS2_32.dll!sendto 774267C5 6 Bytes JMP 5F100F5A
.text C:\Program Files\Dell Support Center\bin\sprtcmd.exe[1656] WS2_32.dll!WSARecv 77428400 6 Bytes JMP 5F160F5A
.text C:\Program Files\Dell Support Center\bin\sprtcmd.exe[1656] WS2_32.dll!recvfrom 77428E15 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Dell Support Center\bin\sprtcmd.exe[1656] WS2_32.dll!WSAConnect 7742D7B0 6 Bytes JMP 5F130F5A
.text C:\Program Files\Dell Support Center\bin\sprtcmd.exe[1656] WS2_32.dll!WSARecvFrom 77438B38 6 Bytes JMP 5F190F5A
.text C:\Program Files\Dell Support Center\bin\sprtcmd.exe[1656] WS2_32.dll!WSASendTo 7743A474 6 Bytes JMP 5F1F0F5A
.text C:\Windows\System32\bcmwltry.exe[1720] WS2_32.dll!closesocket 7742330C 6 Bytes JMP 5F220F5A
.text C:\Windows\System32\bcmwltry.exe[1720] WS2_32.dll!recv 7742343A 6 Bytes JMP 5F070F5A
.text C:\Windows\System32\bcmwltry.exe[1720] WS2_32.dll!connect 774240D9 6 Bytes JMP 5F040F5A
.text C:\Windows\System32\bcmwltry.exe[1720] WS2_32.dll!WSASend 77424496 6 Bytes JMP 5F1C0F5A
.text C:\Windows\System32\bcmwltry.exe[1720] WS2_32.dll!send 7742659B 6 Bytes JMP 5F0D0F5A
.text C:\Windows\System32\bcmwltry.exe[1720] WS2_32.dll!sendto 774267C5 6 Bytes JMP 5F100F5A
.text C:\Windows\System32\bcmwltry.exe[1720] WS2_32.dll!WSARecv 77428400 6 Bytes JMP 5F160F5A
.text C:\Windows\System32\bcmwltry.exe[1720] WS2_32.dll!recvfrom 77428E15 6 Bytes JMP 5F0A0F5A
.text C:\Windows\System32\bcmwltry.exe[1720] WS2_32.dll!WSAConnect 7742D7B0 6 Bytes JMP 5F130F5A
.text C:\Windows\System32\bcmwltry.exe[1720] WS2_32.dll!WSARecvFrom 77438B38 6 Bytes JMP 5F190F5A
.text C:\Windows\System32\bcmwltry.exe[1720] WS2_32.dll!WSASendTo 7743A474 6 Bytes JMP 5F1F0F5A
.text C:\Program Files\Dell\DellDock\DockLogin.exe[1804] WS2_32.dll!closesocket 7742330C 6 Bytes JMP 5F220F5A
.text C:\Program Files\Dell\DellDock\DockLogin.exe[1804] WS2_32.dll!recv 7742343A 6 Bytes JMP 5F070F5A
.text C:\Program Files\Dell\DellDock\DockLogin.exe[1804] WS2_32.dll!connect 774240D9 6 Bytes JMP 5F040F5A
.text C:\Program Files\Dell\DellDock\DockLogin.exe[1804] WS2_32.dll!WSASend 77424496 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\Dell\DellDock\DockLogin.exe[1804] WS2_32.dll!send 7742659B 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Dell\DellDock\DockLogin.exe[1804] WS2_32.dll!sendto 774267C5 6 Bytes JMP 5F100F5A
.text C:\Program Files\Dell\DellDock\DockLogin.exe[1804] WS2_32.dll!WSARecv 77428400 6 Bytes JMP 5F160F5A
.text C:\Program Files\Dell\DellDock\DockLogin.exe[1804] WS2_32.dll!recvfrom 77428E15 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Dell\DellDock\DockLogin.exe[1804] WS2_32.dll!WSAConnect 7742D7B0 6 Bytes JMP 5F130F5A
.text C:\Program Files\Dell\DellDock\DockLogin.exe[1804] WS2_32.dll!WSARecvFrom 77438B38 6 Bytes JMP 5F190F5A
.text C:\Program Files\Dell\DellDock\DockLogin.exe[1804] WS2_32.dll!WSASendTo 7743A474 6 Bytes JMP 5F1F0F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[2512] WS2_32.dll!closesocket 7742330C 6 Bytes JMP 5F220F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[2512] WS2_32.dll!recv 7742343A 6 Bytes JMP 5F070F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[2512] WS2_32.dll!connect 774240D9 6 Bytes JMP 5F040F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[2512] WS2_32.dll!WSASend 77424496 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[2512] WS2_32.dll!send 7742659B 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[2512] WS2_32.dll!sendto 774267C5 6 Bytes JMP 5F100F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[2512] WS2_32.dll!WSARecv 77428400 6 Bytes JMP 5F160F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[2512] WS2_32.dll!recvfrom 77428E15 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[2512] WS2_32.dll!WSAConnect 7742D7B0 6 Bytes JMP 5F130F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[2512] WS2_32.dll!WSARecvFrom 77438B38 6 Bytes JMP 5F190F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[2512] WS2_32.dll!WSASendTo 7743A474 6 Bytes JMP 5F1F0F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[2988] WS2_32.dll!closesocket 7742330C 6 Bytes JMP 5F220F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[2988] WS2_32.dll!recv 7742343A 6 Bytes JMP 5F070F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[2988] WS2_32.dll!connect 774240D9 6 Bytes JMP 5F040F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[2988] WS2_32.dll!WSASend 77424496 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[2988] WS2_32.dll!send 7742659B 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[2988] WS2_32.dll!sendto 774267C5 6 Bytes JMP 5F100F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[2988] WS2_32.dll!WSARecv 77428400 6 Bytes JMP 5F160F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[2988] WS2_32.dll!recvfrom 77428E15 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[2988] WS2_32.dll!WSAConnect 7742D7B0 6 Bytes JMP 5F130F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[2988] WS2_32.dll!WSARecvFrom 77438B38 6 Bytes JMP 5F190F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[2988] WS2_32.dll!WSASendTo 7743A474 6 Bytes JMP 5F1F0F5A
.text C:\Windows\SYSTEM32\taskeng.exe[3196] WS2_32.dll!closesocket 7742330C 6 Bytes JMP 5F220F5A
.text C:\Windows\SYSTEM32\taskeng.exe[3196] WS2_32.dll!recv 7742343A 6 Bytes JMP 5F070F5A
.text C:\Windows\SYSTEM32\taskeng.exe[3196] WS2_32.dll!connect 774240D9 6 Bytes JMP 5F040F5A
.text C:\Windows\SYSTEM32\taskeng.exe[3196] WS2_32.dll!WSASend 77424496 6 Bytes JMP 5F1C0F5A
.text C:\Windows\SYSTEM32\taskeng.exe[3196] WS2_32.dll!send 7742659B 6 Bytes JMP 5F0D0F5A
.text C:\Windows\SYSTEM32\taskeng.exe[3196] WS2_32.dll!sendto 774267C5 6 Bytes JMP 5F100F5A
.text C:\Windows\SYSTEM32\taskeng.exe[3196] WS2_32.dll!WSARecv 77428400 6 Bytes JMP 5F160F5A
.text C:\Windows\SYSTEM32\taskeng.exe[3196] WS2_32.dll!recvfrom 77428E15 6 Bytes JMP 5F0A0F5A
.text C:\Windows\SYSTEM32\taskeng.exe[3196] WS2_32.dll!WSAConnect 7742D7B0 6 Bytes JMP 5F130F5A
.text C:\Windows\SYSTEM32\taskeng.exe[3196] WS2_32.dll!WSARecvFrom 77438B38 6 Bytes JMP 5F190F5A
.text C:\Windows\SYSTEM32\taskeng.exe[3196] WS2_32.dll!WSASendTo 7743A474 6 Bytes JMP 5F1F0F5A
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[3264] WS2_32.dll!closesocket 7742330C 6 Bytes JMP 5F220F5A
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[3264] WS2_32.dll!recv 7742343A 6 Bytes JMP 5F070F5A
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[3264] WS2_32.dll!connect 774240D9 6 Bytes JMP 5F040F5A
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[3264] WS2_32.dll!WSASend 77424496 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[3264] WS2_32.dll!send 7742659B 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[3264] WS2_32.dll!sendto 774267C5 6 Bytes JMP 5F100F5A
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[3264] WS2_32.dll!WSARecv 77428400 6 Bytes JMP 5F160F5A
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[3264] WS2_32.dll!recvfrom 77428E15 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[3264] WS2_32.dll!WSAConnect 7742D7B0 6 Bytes JMP 5F130F5A
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[3264] WS2_32.dll!WSARecvFrom 77438B38 6 Bytes JMP 5F190F5A
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[3264] WS2_32.dll!WSASendTo 7743A474 6 Bytes JMP 5F1F0F5A
.text C:\Windows\Explorer.EXE[3436] WS2_32.dll!closesocket 7742330C 6 Bytes JMP 5F220F5A
.text C:\Windows\Explorer.EXE[3436] WS2_32.dll!recv 7742343A 6 Bytes JMP 5F070F5A
.text C:\Windows\Explorer.EXE[3436] WS2_32.dll!connect 774240D9 6 Bytes JMP 5F040F5A
.text C:\Windows\Explorer.EXE[3436] WS2_32.dll!WSASend 77424496 6 Bytes JMP 5F1C0F5A
.text C:\Windows\Explorer.EXE[3436] WS2_32.dll!send 7742659B 6 Bytes JMP 5F0D0F5A
.text C:\Windows\Explorer.EXE[3436] WS2_32.dll!sendto 774267C5 6 Bytes JMP 5F100F5A
.text C:\Windows\Explorer.EXE[3436] WS2_32.dll!WSARecv 77428400 6 Bytes JMP 5F160F5A
.text C:\Windows\Explorer.EXE[3436] WS2_32.dll!recvfrom 77428E15 6 Bytes JMP 5F0A0F5A
.text C:\Windows\Explorer.EXE[3436] WS2_32.dll!WSAConnect 7742D7B0 6 Bytes JMP 5F130F5A
.text C:\Windows\Explorer.EXE[3436] WS2_32.dll!WSARecvFrom 77438B38 6 Bytes JMP 5F190F5A
.text C:\Windows\Explorer.EXE[3436] WS2_32.dll!WSASendTo 7743A474 6 Bytes JMP 5F1F0F5A
.text C:\Program Files\Dell\DellDock\DellDock.exe[3520] WS2_32.dll!closesocket 7742330C 6 Bytes JMP 5F220F5A
.text C:\Program Files\Dell\DellDock\DellDock.exe[3520] WS2_32.dll!recv 7742343A 6 Bytes JMP 5F070F5A
.text C:\Program Files\Dell\DellDock\DellDock.exe[3520] WS2_32.dll!connect 774240D9 6 Bytes JMP 5F040F5A
.text C:\Program Files\Dell\DellDock\DellDock.exe[3520] WS2_32.dll!WSASend 77424496 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\Dell\DellDock\DellDock.exe[3520] WS2_32.dll!send 7742659B 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Dell\DellDock\DellDock.exe[3520] WS2_32.dll!sendto 774267C5 6 Bytes JMP 5F100F5A
.text C:\Program Files\Dell\DellDock\DellDock.exe[3520] WS2_32.dll!WSARecv 77428400 6 Bytes JMP 5F160F5A
.text C:\Program Files\Dell\DellDock\DellDock.exe[3520] WS2_32.dll!recvfrom 77428E15 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Dell\DellDock\DellDock.exe[3520] WS2_32.dll!WSAConnect 7742D7B0 6 Bytes JMP 5F130F5A
.text C:\Program Files\Dell\DellDock\DellDock.exe[3520] WS2_32.dll!WSARecvFrom 77438B38 6 Bytes JMP 5F190F5A
.text C:\Program Files\Dell\DellDock\DellDock.exe[3520] WS2_32.dll!WSASendTo 7743A474 6 Bytes JMP 5F1F0F5A
.text C:\Program Files\Microsoft LifeCam\MSCamS32.exe[3580] WS2_32.dll!closesocket 7742330C 6 Bytes JMP 5F220F5A
.text C:\Program Files\Microsoft LifeCam\MSCamS32.exe[3580] WS2_32.dll!recv 7742343A 6 Bytes JMP 5F070F5A
.text C:\Program Files\Microsoft LifeCam\MSCamS32.exe[3580] WS2_32.dll!connect 774240D9 6 Bytes JMP 5F040F5A
.text C:\Program Files\Microsoft LifeCam\MSCamS32.exe[3580] WS2_32.dll!WSASend 77424496 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\Microsoft LifeCam\MSCamS32.exe[3580] WS2_32.dll!send 7742659B 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Microsoft LifeCam\MSCamS32.exe[3580] WS2_32.dll!sendto 774267C5 6 Bytes JMP 5F100F5A
.text C:\Program Files\Microsoft LifeCam\MSCamS32.exe[3580] WS2_32.dll!WSARecv 77428400 6 Bytes JMP 5F160F5A
.text C:\Program Files\Microsoft LifeCam\MSCamS32.exe[3580] WS2_32.dll!recvfrom 77428E15 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Microsoft LifeCam\MSCamS32.exe[3580] WS2_32.dll!WSAConnect 7742D7B0 6 Bytes JMP 5F130F5A
.text C:\Program Files\Microsoft LifeCam\MSCamS32.exe[3580] WS2_32.dll!WSARecvFrom 77438B38 6 Bytes JMP 5F190F5A
.text C:\Program Files\Microsoft LifeCam\MSCamS32.exe[3580] WS2_32.dll!WSASendTo 7743A474 6 Bytes JMP 5F1F0F5A
.text C:\Windows\SYSTEM32\taskeng.exe[3612] WS2_32.dll!closesocket 7742330C 6 Bytes JMP 5F220F5A
.text C:\Windows\SYSTEM32\taskeng.exe[3612] WS2_32.dll!recv 7742343A 6 Bytes JMP 5F070F5A
.text C:\Windows\SYSTEM32\taskeng.exe[3612] WS2_32.dll!connect 774240D9 6 Bytes JMP 5F040F5A
.text C:\Windows\SYSTEM32\taskeng.exe[3612] WS2_32.dll!WSASend 77424496 6 Bytes JMP 5F1C0F5A
.text C:\Windows\SYSTEM32\taskeng.exe[3612] WS2_32.dll!send 7742659B 6 Bytes JMP 5F0D0F5A
.text C:\Windows\SYSTEM32\taskeng.exe[3612] WS2_32.dll!sendto 774267C5 6 Bytes JMP 5F100F5A
.text C:\Windows\SYSTEM32\taskeng.exe[3612] WS2_32.dll!WSARecv 77428400 6 Bytes JMP 5F160F5A
.text C:\Windows\SYSTEM32\taskeng.exe[3612] WS2_32.dll!recvfrom 77428E15 6 Bytes JMP 5F0A0F5A
.text C:\Windows\SYSTEM32\taskeng.exe[3612] WS2_32.dll!WSAConnect 7742D7B0 6 Bytes JMP 5F130F5A
.text C:\Windows\SYSTEM32\taskeng.exe[3612] WS2_32.dll!WSARecvFrom 77438B38 6 Bytes JMP 5F190F5A
.text C:\Windows\SYSTEM32\taskeng.exe[3612] WS2_32.dll!WSASendTo 7743A474 6 Bytes JMP 5F1F0F5A
.text C:\Windows\system32\SearchIndexer.exe[3936] WS2_32.dll!closesocket 7742330C 6 Bytes JMP 5F220F5A
.text C:\Windows\system32\SearchIndexer.exe[3936] WS2_32.dll!recv 7742343A 6 Bytes JMP 5F070F5A
.text C:\Windows\system32\SearchIndexer.exe[3936] WS2_32.dll!connect 774240D9 6 Bytes JMP 5F040F5A
.text C:\Windows\system32\SearchIndexer.exe[3936] WS2_32.dll!WSASend 77424496 6 Bytes JMP 5F1C0F5A
.text C:\Windows\system32\SearchIndexer.exe[3936] WS2_32.dll!send 7742659B 6 Bytes JMP 5F0D0F5A
.text C:\Windows\system32\SearchIndexer.exe[3936] WS2_32.dll!sendto 774267C5 6 Bytes JMP 5F100F5A
.text C:\Windows\system32\SearchIndexer.exe[3936] WS2_32.dll!WSARecv 77428400 6 Bytes JMP 5F160F5A
.text C:\Windows\system32\SearchIndexer.exe[3936] WS2_32.dll!recvfrom 77428E15 6 Bytes JMP 5F0A0F5A
.text C:\Windows\system32\SearchIndexer.exe[3936] WS2_32.dll!WSAConnect 7742D7B0 6 Bytes JMP 5F130F5A
.text C:\Windows\system32\SearchIndexer.exe[3936] WS2_32.dll!WSARecvFrom 77438B38 6 Bytes JMP 5F190F5A
.text C:\Windows\system32\SearchIndexer.exe[3936] WS2_32.dll!WSASendTo 7743A474 6 Bytes JMP 5F1F0F5A
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[4060] WS2_32.dll!closesocket 7742330C 6 Bytes JMP 5F220F5A
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[4060] WS2_32.dll!recv 7742343A 6 Bytes JMP 5F070F5A
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[4060] WS2_32.dll!connect 774240D9 6 Bytes JMP 5F040F5A
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[4060] WS2_32.dll!WSASend 77424496 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[4060] WS2_32.dll!send 7742659B 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[4060] WS2_32.dll!sendto 774267C5 6 Bytes JMP 5F100F5A
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[4060] WS2_32.dll!WSARecv 77428400 6 Bytes JMP 5F160F5A
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[4060] WS2_32.dll!recvfrom 77428E15 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[4060] WS2_32.dll!WSAConnect 7742D7B0 6 Bytes JMP 5F130F5A
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[4060] WS2_32.dll!WSARecvFrom 77438B38 6 Bytes JMP 5F190F5A
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[4060] WS2_32.dll!WSASendTo 7743A474 6 Bytes JMP 5F1F0F5A

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs ShlDrv51.sys (PandaShield driver/Panda Security, S.L.)
Device \FileSystem\fastfat \FatCdrom ShlDrv51.sys (PandaShield driver/Panda Security, S.L.)

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp NETFLTDI.SYS

Device rdpdr.sys (Microsoft RDP Device redirector/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp NETFLTDI.SYS

Device ShlDrv51.sys (PandaShield driver/Panda Security, S.L.)
Device fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x78 0x95 0x11 0x97 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x78 0x95 0x11 0x97 ...

---- EOF - GMER 1.0.15 ----
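As an added triage example (not part of this thread, and not GMER's own code): a small Python parser for the "Kernel code sections" and "User code sections" lines of a GMER 1.0.15 log in the layout posted above. It groups the user-mode WS2_32.dll hooks by hooked export and reports any process whose hook jumps somewhere other than the target shared by the rest, which is the first check a reviewer makes when deciding whether identical hooks in every process come from one installed product or from something else. The sample log is constructed from a few lines of the posted log plus one constructed outlier line that is not in the real log.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the layout of the GMER 1.0.15 log posted in this thread,
# cut down to a few lines. The final .text line is a constructed outlier that is
# NOT in the real log; it is there so the consistency check has something to flag.
SAMPLE_LOG = r"""
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-07 19:03:58

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!NtOpenProcess 82422B58 7 Bytes [B8, 46, F1, 89, 9E, FF, E0] {MOV EAX, 0x9e89f146; JMP EAX}

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\Ati2evxx.exe[1436] WS2_32.dll!closesocket 7742330C 6 Bytes JMP 5F220F5A
.text C:\Windows\system32\Ati2evxx.exe[1436] WS2_32.dll!recv 7742343A 6 Bytes JMP 5F070F5A
.text C:\Windows\Explorer.EXE[3436] WS2_32.dll!closesocket 7742330C 6 Bytes JMP 5F220F5A
.text C:\Windows\Explorer.EXE[3436] WS2_32.dll!recv 7742343A 6 Bytes JMP 5F070F5A
.text C:\Windows\Explorer.EXE[3436] WS2_32.dll!connect 774240D9 6 Bytes JMP 5F040F5A
.text C:\Windows\SYSTEM32\taskeng.exe[3196] WS2_32.dll!recv 7742343A 6 Bytes JMP 5F070F5A
.text C:\Windows\SYSTEM32\taskeng.exe[3196] WS2_32.dll!closesocket 7742330C 6 Bytes JMP 41000000

---- EOF - GMER 1.0.15 ----
"""

# One user-mode inline hook: ".text <image>[<pid>] <dll!func> <addr> <n> Bytes JMP <target>"
USER_HOOK = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+(?P<func>\S+!\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<n>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)\s*$"
)

# One kernel code patch: "<section> <module!func> <addr> <n> Bytes [<bytes>] {<disassembly>}"
KERNEL_HOOK = re.compile(
    r"^(?P<section>\w+)\s+(?P<func>\S+!\S+)\s+(?P<addr>[0-9A-Fa-f]+)\s+(?P<n>\d+)\s+Bytes\s+"
    r"\[(?P<bytes>[^\]]*)\](?:\s+\{(?P<asm>[^}]*)\})?\s*$"
)

def _section_lines(text, name):
    """Yield non-blank lines between the '---- <name> ...' header and the next '----' header."""
    active = False
    for line in text.splitlines():
        if line.startswith("----"):
            active = name in line
            continue
        if active and line.strip():
            yield line

def parse_user_hooks(text):
    """Parse every '.text' hook line in the 'User code sections' block."""
    hooks = []
    for line in _section_lines(text, "User code sections"):
        m = USER_HOOK.match(line)
        if m:
            hooks.append({
                "image": m["image"], "pid": int(m["pid"]), "func": m["func"],
                "addr": m["addr"].upper(), "n": int(m["n"]), "target": m["target"].upper(),
            })
    return hooks

def parse_kernel_hooks(text):
    """Parse every patched-code line in 'Kernel code sections' ('?' file-not-found lines are skipped)."""
    hooks = []
    for line in _section_lines(text, "Kernel code sections"):
        m = KERNEL_HOOK.match(line)
        if m:
            hooks.append({
                "section": m["section"], "func": m["func"], "addr": m["addr"].upper(),
                "n": int(m["n"]), "bytes": [b.strip() for b in m["bytes"].split(",")],
                "asm": m["asm"],
            })
    return hooks

def triage(text):
    """Per hooked export, take the JMP target most processes share as the baseline;
    any process whose hook on that export jumps elsewhere is reported as an outlier."""
    hooks = parse_user_hooks(text)
    targets = defaultdict(Counter)  # func -> Counter of JMP targets seen across processes
    for h in hooks:
        targets[h["func"]][h["target"]] += 1
    baseline = {f: c.most_common(1)[0][0] for f, c in targets.items()}
    outliers = [
        (h["image"], h["pid"], h["func"], h["target"])
        for h in hooks if h["target"] != baseline[h["func"]]
    ]
    return {
        "processes": len({(h["image"], h["pid"]) for h in hooks}),
        "hooks": len(hooks),
        "functions": baseline,
        "outliers": outliers,
    }

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"{report['hooks']} hooks in {report['processes']} processes; outliers: {report['outliers']}")
    for k in parse_kernel_hooks(SAMPLE_LOG):
        print(f"kernel patch at {k['func']} ({k['n']} bytes): {k['asm']}")
```

Run against a full log (`triage(open("gmer.log").read())`), an empty outlier list means every hooked process jumps to the same place per export, which is what a single system-wide hooking product produces; outliers are the lines to look at first.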

#7 Casey_boy

  • Malware Response Team

Posted 08 March 2010 - 11:15 AM

Hi,

I have had your log checked over and you've got the all clear on that front.

We'll just try clearing out some old junk files to see if this has any effect.

Please download ATF Cleaner by Atribune and save it to your desktop (alternate download link).
  • Close all open browsers before using, especially FireFox. <-Important!!!
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Notes: On Vista, "Windows Temp" is disabled. To empty Temp, ATF-Cleaner must be Run As Administrator.
The Prefetch cleaning feature has been disabled for Vista Users. Tabs for applications that are not installed are grayed out.


If you're still not happy I'll give you some instructions on what to do next to have your PC analysed a bit deeper.

Casey



#8 yalfers

yalfers
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:03:23 AM

Posted 08 March 2010 - 12:10 PM

Still no dice. I wish I could remember what I had done immediately after the rootkit or whatever it was. I usually am good with at least keeping track of what it was so I could make sure I cleaned it the best possible.

I'd really rather not format my computer, it isn't the biggest problem in the world.

Please let me know whatever else you have in mind though. I'm tired of trying to go through different ideas on my own.

Thanks.

#9 Casey_boy

  • Malware Response Team

Posted 08 March 2010 - 12:15 PM

Well the only thing left would be to transfer you over to the malware removal team - they're allowed to use powerful tools to find any sneaky malware (something I'm not allowed to do here).

Would you like to try that? Or are you happy enough to know that there doesn't appear to be anything wrong?

What exactly are the issues at the moment? One site not loading?

Casey



#10 yalfers

yalfers
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:03:23 AM

Posted 08 March 2010 - 12:25 PM

The site not loading is really the biggest problem. I've checked all my internet settings and reset to default. The same for Firefox. Re-installed, whatever. I was infected, just don't know why exactly I can't view the page. Also have trouble running java applets on some sites. It causes FireFox to freeze or doesn't work properly. Can't see some captcha as well.

Flash re-installed, java re-installed. Both work properly for just about everything.

If you want to transfer me over that would be great I guess. Kind of thinking there's nothing left though.

Thanks for the time, sorry I can't provide much more help in narrowing anything down.

#11 Casey_boy

  • Malware Response Team

Posted 08 March 2010 - 12:31 PM

OK.

I would like you to start a new thread HERE and include a link to this thread. Please make sure that you read the information about getting started before you start your thread.

Please be as descriptive as possible when you start that topic and tell them what you've done; as per the instructions, also link to this topic.

Hopefully, with some investigation, your helper might be able to find the cause of the problems. It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal.

There may be a delay in responding to your topic - so please be patient.

Casey



#12 yalfers

yalfers
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:03:23 AM

Posted 08 March 2010 - 01:21 PM

My new post.

Wasn't sure if you wanted me to post that or not, but just so you could see.

Thanks for the help. Hopefully someone will be able to help me figure this bugger out.

#13 Orange Blossom

  • Moderator

Posted 09 March 2010 - 12:44 AM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/301210/possible-rootkit-infection/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript
