Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Possible Rootkit


  • Please log in to reply
5 replies to this topic

#1 belfastsixpack

belfastsixpack

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston, MA
  • Local time:12:55 AM

Posted 05 March 2010 - 04:33 PM

A couple weeks ago I was attacked by a backdoor.bot and some random trojans. I cleaned up using SAS and MBAM and everything seemed to come off fine. However, last night MBAM found a rootkit.agent even after SAS showed a clean scan. MBAM seemed to remove the malware upon restart, however, just to be safe, I decided to run a GMER scan and see what it found. However, GMER could not finish and gave me a BSOD several times. Now I'm wondering if my computer is safe and if my computer smarts, although ample, are enough to get me out of this one completely intact. Some supervision would be much appreciated.
Thanks,
BelfastSixpack

BC AdBot (Login to Remove)

 


#2 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:04:55 AM

Posted 06 March 2010 - 02:20 PM

Hi,

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, as RootRepeal.txt. Include this report in your next reply, please.
Casey

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#3 belfastsixpack

belfastsixpack
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston, MA
  • Local time:12:55 AM

Posted 06 March 2010 - 02:46 PM

Thanks for the fast response. Logs will follow shortly.

#4 belfastsixpack

belfastsixpack
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston, MA
  • Local time:12:55 AM

Posted 06 March 2010 - 03:39 PM

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/03/06 14:47
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: PCI_PNP6094
Image Path: \Driver\PCI_PNP6094
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal1.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal1.sys
Address: 0xA8F69000 Size: 49152 File Visible: No Signed: -
Status: -

Name: spph.sys
Image Path: spph.sys
Address: 0xF7409000 Size: 995328 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xf7cd5996

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xf7cd598c

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xf7cd599b

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xf7cd59a5

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spph.sys" at address 0xf7422da4

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "spph.sys" at address 0xf7423132

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xf7cd59aa

#: 119 Function Name: NtOpenKey
Status: Hooked by "spph.sys" at address 0xf740a0c0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf7cd5978

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xf7cd597d

#: 160 Function Name: NtQueryKey
Status: Hooked by "spph.sys" at address 0xf742320a

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "spph.sys" at address 0xf742308a

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xf7cd59b4

#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xf7cd59af

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xf7cd59a0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xa9f36320

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x86dd71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x86dd71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x86dd71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x86dd71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x86dd71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x86dd71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x86dd71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x86dd71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x86dd71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x86dd71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x86dd71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x86dd71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x86dd71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86dd71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86dd71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x86dd71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x86dd71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x86dd71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x86dd71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x86dd71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x86dd71f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x86dd71f8 Size: 121

Object: Hidden Code [Driver: aq2xp629Ѕ扏煓㍈ЈЂః瑎て, IRP_MJ_CREATE]
Process: System Address: 0x86b621f8 Size: 121

Object: Hidden Code [Driver: aq2xp629Ѕ扏煓㍈ЈЂః瑎て, IRP_MJ_CLOSE]
Process: System Address: 0x86b621f8 Size: 121

Object: Hidden Code [Driver: aq2xp629Ѕ扏煓㍈ЈЂః瑎て, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86b621f8 Size: 121

Object: Hidden Code [Driver: aq2xp629Ѕ扏煓㍈ЈЂః瑎て, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86b621f8 Size: 121

Object: Hidden Code [Driver: aq2xp629Ѕ扏煓㍈ЈЂః瑎て, IRP_MJ_POWER]
Process: System Address: 0x86b621f8 Size: 121

Object: Hidden Code [Driver: aq2xp629Ѕ扏煓㍈ЈЂః瑎て, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86b621f8 Size: 121

Object: Hidden Code [Driver: aq2xp629Ѕ扏煓㍈ЈЂః瑎て, IRP_MJ_PNP]
Process: System Address: 0x86b621f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x86b681f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x86b681f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x86b681f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x86b681f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x86b681f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86b681f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86b681f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86b681f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x86b681f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86b681f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x86b681f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x86d671f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x86d671f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x86d671f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x86d671f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x86d671f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86d671f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86d671f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86d671f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x86d671f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86d671f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x86d671f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x86ad21f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x86ad21f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86ad21f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86ad21f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x86ad21f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86ad21f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x86ad21f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x86dd91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x86dd91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x86dd91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x86dd91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86dd91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86dd91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86dd91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x86dd91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x86dd91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86dd91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x86dd91f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x863d71f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x863d71f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x863d71f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x863d71f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x863d71f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x863d71f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x86ba21f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x86ba21f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86ba21f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86ba21f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x86ba21f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86ba21f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x86ba21f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x85d581f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x85d581f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x85d581f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x85d581f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x85d581f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x85d581f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x85d581f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x85d581f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x85d581f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x85d581f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x85d581f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x85d581f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x85d581f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x85d581f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85d581f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x85d581f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x85d581f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x85d581f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x85d581f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x85d581f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x85d581f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x85d581f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x85d581f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x85d581f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x85d581f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x85d581f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x85d581f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x85d581f8 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ瑁䅭Ҡ쀓؁Change, IRP_MJ_CREATE]
Process: System Address: 0x86a5e1f8 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ瑁䅭Ҡ쀓؁Change, IRP_MJ_CLOSE]
Process: System Address: 0x86a5e1f8 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ瑁䅭Ҡ쀓؁Change, IRP_MJ_READ]
Process: System Address: 0x86a5e1f8 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ瑁䅭Ҡ쀓؁Change, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x86a5e1f8 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ瑁䅭Ҡ쀓؁Change, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x86a5e1f8 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ瑁䅭Ҡ쀓؁Change, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x86a5e1f8 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ瑁䅭Ҡ쀓؁Change, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x86a5e1f8 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ瑁䅭Ҡ쀓؁Change, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86a5e1f8 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ瑁䅭Ҡ쀓؁Change, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86a5e1f8 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ瑁䅭Ҡ쀓؁Change, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x86a5e1f8 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ瑁䅭Ҡ쀓؁Change, IRP_MJ_CLEANUP]
Process: System Address: 0x86a5e1f8 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ瑁䅭Ҡ쀓؁Change, IRP_MJ_PNP]
Process: System Address: 0x86a5e1f8 Size: 121

==EOF==

#5 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:04:55 AM

Posted 06 March 2010 - 04:55 PM

Hi,

I'm going to ask that you run Defogger and then GMER.

Please read this topic: http://www.bleepingcomputer.com/forums/t/293569/why-we-request-you-disable-cd-emulation-when-receiving-malware-removal-advice/

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in a BSODs, uncheck Devices on the right side before scanning
.

Casey

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#6 belfastsixpack

belfastsixpack
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston, MA
  • Local time:12:55 AM

Posted 08 March 2010 - 12:49 AM

Don't close it, I'll have scan results soon.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users