Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News: Windows Insider RS5 Build 17650 Brings Firewall Rules for WSL

Featured Deal: Get 92% off a Microsoft Azure Mastery Bundle Deal

Rootkits + trojans

Started by kb11 , Mar 17 2010 01:31 AM

This topic is locked

18 replies to this topic

#1 kb11

Members
26 posts
OFFLINE

Local time:09:27 AM

Posted 17 March 2010 - 01:31 AM

hello,
attaching first. not writing anything, for fear of comp crash. would write in a reply to this post, from another comp

dds report looks like this:

MZ ÿÿ ¸ @ € º ´ Í!¸LÍ!This program cannot be run in DOS mode.$ PE L +I à 2 n h @ 0 ² Ô ´ .code è PEC2FO à.rsrc ê à ¸¨$R Pdÿ5 d‰% 3À‰PECompact2 VÒËK¬ÇÑžç†ì¸oTNül©TS`M6lŠÕ[ÐåNP‘áHˆr_0)a´ãþòØ¾,íf½úÙ)|‚ü®BÅ£˜˜¨¥§3]Ë£oKj„v›©hÕ¸ª-–…PÛØw4l4’¼òåâ`ªµ¾å \¤¹3ïnféwp‰"ns„Åe€Xc˜åÝDgòñÏ¨«ýÄ|¢0 O ü·E öôÄ J\#2\üÇçbNê\Mk(Õ^EK¥] m
Ã<Ð_À@ƒt½•‰HŽÓw,KÚÄíØ{²³Y®wCÈd•Aýœ§Ej]…vWªbÚ°Í.çÏ“cF §(C&{Ÿ™;Ùçy U2ø)[)g*æ®u¼¬ÅŠ¡0«äœ¬Mõ•å‘Žsÿ¼
PKÚŸ}C’b{/¬p=øžÏ_¯ýI«ÐÅÑ¶_÷º²À'Ô Ö`ãVS™JYg«ØÇÄ¹¡¹ç|_KwžÈD;6àÐ˜•¢ož†OªñGÞSÌ·c7äK €ÓgB-‘6XfvâôžÑ-§pÄÇ¼šŽš]úPméÚUuó ¤;âê’Çïÿ&Æ²oÉÉYú-00
+—=ïC<%
PÀ@3²©8Õê:sm·•ÙØ÷—¼X¿ƒ—•Ý:ºTï} ØÖ† Ø‘Gþ›ÇR¨¦>mý£‘¯§-Æ.Ð:¤ºäùåä§2 +]>hÌD¹Ò …t;èaPMòUN·2=~xlûð@µ°]êl³æz¼ŒMô›X¸•x;æá»c$ã÷¯'iNVmŽ=U_
Í‰ä({|¼/è$Ø×ÉÍOrI…?k"<ß5]›””0»gNù±Øžü@ÏÔß/‹¾+2jJÚn”é
ƒÓî-~¾¯â Z:í-vQUU5wð_WÔµ±lŠôw"íÇtUð”ÒÅ~Ý6 ¨Úˆ%·S]³XÀÑ‘‚al(¾åeìTd¬k»X‹Þ>‘¿‹D™Lì‚@Ñ¸ˆaYNÛ‹!¡'¾nú*ÑÁªFhaÆT~À·/¸EÆ±ú!âÉ*¡ Z´$}”Â«0N:²·º™+0o%ÎÇCM¾EZþÉÄŒØ0ÝFØÏ°OhÏ‘¬¾ûÀ2[´u5ÅÕÈN¼·5ñD´¸hVR»k¢§*£ò&-›ìd’ÍMyÙ¯ƒI±²« ‚‹>"io_o1DÇ¢øˆ^.n+(!ó³2ì:dÆ–5V“Øíl
¤Ò‡H%‹kÄQ«ˆV©³®+ãŠkåtÿ§I¹élK²ÁX÷• V$éÿBËa$Mmx"@ðÖÈðXËÓ¨\7ˆ!†3‘a0íesÌž©{fzóûÅ’Gž#}±ãŽþÏöŒwÚõµíFêVTãüU1ÇV¿KÇŠd¬…_]ƒ–Ø»°ñAÏÖp¢|Ý7¨ìô“Šy‹sX$—„û°«—õÞ%ngúåÙ€:Î tF0fZïB¬´¶ ÁÒ|hËÛ%ˆfžAø¢hwÙ&-BÙ3Fƒt¨ž¢~ï9B2uØKÔÍa>ñ™u©’J}PoJŽ‰(ÞˆöŒ6)˜š’”.™’w£Hæh!–¿jM…iý×jœ¦ƒQ:Šc:1çï žWŸ]ê×9Q[CÃâ%XùÁ8^÷Æz2vlòmk›'iG¹`‰“ŸÏ°ŸÃÇË(ÞÈròNÛ„»Û(Ë¼òÃØúlSèÆv§òux×ûyóÐú‚«£[{8vDGµ\µˆAÉDwÞ2X¦ù¬wS`d¸{Ð@noð(wÓ@2,ù:ÍˆÑ³“âú°¶ =oQ6+…j{7š¤“á.¬dxL
Åaèþ:˜ØÝv™š—'vã‘Aé.q°%iŸ¯¹—8ÐaÙvZÑ\‡‹G¨¾¦>ZW±”¥ŸÖŒ{èuùë¼xpÞÐÛï09\ð@Fð÷\
;®ê[@eáem² â¨´0&ër˜Z%aÄ#â®'y7º†¼Ï$2< ÿO©Ý,Íîa#ÃZuEnFî
,±ÒOéÅT‹¶4K¥d–ãóÑ'{‚ôõÃ80Œbô‚Í O•ÜW DËô¥øMgAìJfƒ0`>Ó(ýd»év¤n [Íd?QyT¾é¬
ÓIjÙí¨wn•ÁnšþÎÞZˆÍ…rmú‡¹3Ð<Æ“BJ½žŸ%[*3€ë°+W=²t~J.gCËU¨"~WÈ†²âûBxP¶šfgO±:þåUN¹èÝã|ˆÃÛÁR§iˆô.?Ë_ÐÑÇJå—óá±‡Å/{M_ÿçÅ:z§Yºª6¨Æ E
ž"0k^äÎœ'‰Ž’_€ª
q
XÏRJÂÆ aH— !dHS
`ÝL¶—˜\á¤W‚„8„LÔSd&Cî``ÃâÁCÀLe]`»Í¨Í
Ã ×JÌ9À¨¥ˆíw©ÒJ!˜'S—›!¢ p†à5$ì™D‡Xt.oŸè—ãt¿kï§¯T€ÿ¬$6¿§m’‹^&£L2—¤‘£èþPü-ªtcqÖFU~´Q >5Xh.Ó›—=–ÚQÚ?+¦ò=Vp‚kŒz¿OµU/4ËfŽˆ^ÁklFjdäÞ½C€´?â¼%â’æ´¯N!Z2y—ZÎ^q\<\Q®MiÚq]Ó4zû?âŒÃ¾˜ØT¹ÄˆÇõuÐ·ËUjò>'ï~wbýGò†·–Mª¬Žø›=#›B'AÝs»ÔÏÃ@ÿVîý?ÔVÖ-æ7á×Çqai¿…sgßóCÞ)]4{O§S[ÜK…ZÔi$\û‚ÏxÍ¥·žÎ’ŠÔ{â1‰öæêqµ@Qr:… ê«99Kx†^kØ?¤2ÀuK¾ÏñyÓ|w]†ªÝ
qløß¼¯/wb²
FÎÎ:¿ô®<õ²!WÄI‡Þq2©¡çÛK[)@7EOªÔ[ÃâsœâŸ$îÍÀÕÿ!Dô°ŸkhF+jÆ$Ð€‘“/òèÆãS¬dMpU´Œl"¿Ìü7ÜªTqA%¤,c0Ú
5ýíaw¡×V~.ýÇ‹‡ŸËêWYA9²a0°
¶|«9\Hµ{t´uè*GÕ¶ÔŒì/³´ñ#Œ©(ÒìZš€÷ G/WB‰º úSuÑVCQÛ "„½ÞŽéT?-¨ü-yã%´g?äžÀxÂ™:¡›TôÝe——¾ÀD²ÞÑPŽïa §yqm90èRC±ÁÛ‡ò`˜w¦äYZ³€»ëéÿŽktA;‘CÈÏÏÃ¬+ú÷Øz‘|{·°Wˆ/ÈÖµ8nÖ`ßë!¥xŠþÕ.Œ[¶vï\’È«A)²ç ß=Á9Ð'¹¹,¡÷†-Áƒ¼î÷”Ôär‰‡ bÐ·9=ÏRv«!@ íîv.71Fn—Fã‡Z®Ñõ$ú’É³!Óûv9_t‘ ¼fÝmí*âf¡BÇI&¡E»vK$½…‡$¹
›?žòÞ[é’%ü}Å÷y@½BÉ·Iãò÷¡b~ìBì=ÞÑØ& VÃÃß£~!¹dª>5A
4è¸Xw][èF3Îü¬üË{!øIRš{´pqÞð(~Z«‘pÉ÷è5¬HÝ1örl•1£ê‰ô^GÓäÃ§M[ƒƒ‰¸Ý]

T[—å+aù)^‹Îwâ‹æLWZp>&f/6Y
WÉ“·Z™_¦Éÿ¦ÅRmuø”ðI4&Ço÷~¸Â€ëQ,ƒ“#]8ÅóçÕYÀ©û}ìdêÞF½Í?ë÷¯~œ»^½ØŠé…^-y6)lˆÅMó:ŠýÜ»œ‡m ½Šÿ/BçÞ·ÛÙ-_§ò†‚1mÚdÑ=Qu4¯©«_fxAî€w;GŸš/ñÒˆ¼;ðt[êS>ÛÂËƒùœÛê[Ö}èõZÏ6$ŽÚÿª'i|¾MÂ6ÃjŽMãÐ‘ä©V~it÷þ}$6o æBvãû¡'ìñ=V[˜€êe+ú¥ª7f›“I…Z.áwHåx_: Qó
‘î|.ÉÚØ·-æ[QI'jèX“•_KàµµB\ÖÅQ½Š¾Ô'7,$äÐäXH8—]Œ×ZO¥Ö2abìs‘Rzåè>ûØÞß?Ãñxº_×€ ËÈw¹Ä¡cšE3_Âƒ¨GÕ‘
ºH¤…¿qÖ Õ»“*h3GÝŸw\¯êè½Kl?`–4‘b=k¸hÜ|’Iûs‰éŠÂ¾|ÍþU®Ç‹ñ¾\–æW4f
^‚¼ F
&XÃ[\#H¶_×ß9õ\1‘h^ôþƒª?Ýß €Ûþ{«–½C§Ýv ƒHyh“ô£4yD¥î¼£ÝÅeåc]o#+Ôf‹m*¯\ë‰¶I0P&²Œœ°LÃ—Cp!Ýüš¶Ðé×ÚÆÚó™‰ÎØ M¶ û¿~MWQ9[LŠ Zÿ/¶‡ØN#÷¾cÚ3ò`¾Q¿×>Ä§®³:4e¿¨ç©$zqû–Íø¤C‡
°=î4S½ÍªKZh€}¡î
ÎH™~":Äñ ÍP»1X³X?c¶b¥¨…–Ä’‰l_ý½ëHÞ½)¸ýÍ÷[bA¹7wn>l˜k™´þNOÆ¼—2™›‚®Ï\m|Ñžš@.B±sCÇ]øÚØØR†ÕQ3x {êÒCZ†l¸)Wþ^™ WR†ÒÉÉ>STxq¦%°XÞ¤3zû(1Ü €H€ú1ÏÞ„6vzX»½Œ
Xô0õ
s—É€jV™Ï¨¨[U»®UÕ67ˆ”“VíŠFÓÓ`Æ‘¦yžAsµu–æ:¤àê;<
@õšj×p-9ô¿žÈƒ×RŸÃÌaû•Ùœ1íêøA6E`NñàÉÆ¬'`L•ÌöøûÚðèºqáäÆC\±BR ¼N+dýs¼©÷¥FŠüœ
H=¬xÚüZðBµf‚}‰ØÎT«`ÁØÿëyókÚ.*ìO10‘¤hHI1âŒ!Ì·VÌ#m”_LxY)
“()TÝÕ˜ù£Læ1ü’N°ô”Kæz•¥ÎIÕÜY^eªÖîØ‡²ãa¶6ìÂ"µnT"[?*×‡»ÚsÖ+Då|¦´ÆÓ)ÀˆjoáF§;ù_
3ZëRoˆˆƒ8ˆó þÿ»?ÿÿÿÿÿó ÿˆˆ»ˆˆˆˆˆó oþÿÿÿÿÿˆˆÿó ˆˆƒ8ˆŒÌÇó ÿþÿ»?ÿÿÌÿó oˆˆ»8ˆˆÌxó þÿ»?ÿÿÌÿó ÿˆˆ»8ˆˆÌxó oþÿ»?ÿüÌÿó ˆˆ»ˆˆˆ‡xó ÿþÿÿÿÿÿÌÿó oÿÿÿÿÿÿÌÿÿó ÿÿÿÿÿÿÿÿÿó ÿÿÿÿÿÿÿÿÿÿó ÿÿÿÿÿÿÿÿø ø ð è è ð è è ð è è ð è è ð è è ð è è ð è è ð è è ð ø ø ÿÿÿÿ è 0 @ À ÿÿÿÿü À kernel32.dll LoadLibraryA GetProcAddress VirtualAlloc VirtualFree ß b 42üsãöòk z Ô
+(á||¾’” áHé``ƒì0‹D$4HSUV¾¿/ŒÞÓãxW=xçÖÓâ‰AÈ¸78Ðà3í+rÞÖ6‰|$ l
Æ@Ë>\¾8¾T³<#ãtã" (û,ù ‹ó«_LÁH¶q€QÁædò(‰ƒõÌÈÿÌ‰S9À˜Tw_^ ]3À[ƒÄ0ÂPÿå»ÑfÉ#~«àÍÁáËª‚‘0=Ä
sjF§æàÅ¾óAQ‹
'ØçëÐ¯Ù;uó*ƒîp¿’+ùÁï®e‰9h¬D¹-ƒ*P Ãã°C’YñE‹“–UG9ƒ‰<“°ë6œÇŠ÷‹<˜Ï‰vT2Ó—8Œ,bÿëœ$Ð¦$B |Šé…L1¢PˆÙ9IËßƒùä£D}
Ç¦„Ÿ7ë&ßî!¦éGD`;T‚jþÂùÓBëÝ+Ãó‹ÙÁÂàË‰
M5‘ÈòÂŒ¯dîÐ*ÁêäÑ;òsLÄÂ‘0ºLèÑÐ.èuÒs
”)DT×¬H 3Ò!ÌœÂ™‰,?‚(ÈHäJƒ0âEéþ«ß•H+ÂOòIy)‰n#Œ#‚ñC‰\,Æ0„ÈÁéŒ ;ñ†x½US»Š*ÚÌuUâ‰œ’).§éÓ‡Ï—–ÁãùW&å"ì…é$qº) èäOäôƒÒ
…É„YÕ¿‘FçÂJ± ÕHÈ+AŠ:œ9ÿ‰ ¾¹’éoPƒçõX%˜
éUäõÁýñýFÑ,IÑB+0ýDrò2„`ž‰)¡Z…z”D%ë}žT#`{+<WóŒHEyÄ¡0=ªä‹ý¤ŠügË±B(WÿÂ3ÉF%;ÁI¼ázìÉ'‚ÐÇTˆ

B‰DT³W‘ú!&O°™
ãÖà\L 3í®üHé‚3D!ú×ª\¸QR]È*\.y†3¼7(½1
dÂë!œaÏˆ.™Gö-ÝëÅ0»"Õ½ƒ™yX7.™Ý
ëns^\¢,0)Áu¤‹”
€úÓç+ï&Ýƒ‰ %ÍÄ¶yîCû|õ·ž Õ œÀ«¯¤VmÐs,µ›×!Ñr³áƒíÌuªêêx@Húav¸ÚPÜ~?Ñù’åûÍ,`·0}Ó?å‹LAÉ gŠ¼
ëE—H
˜’Äš. Ñèí;ðrÝ6†Â@éÛ¤Ñ |ˆ‚“JÉå$~0ë4v¥àV€ø‡lª\„ÑfdƒP0‰ îÅý(.¥øÿäM¹ ƒÃ;éwH<+ý¢!ŠXEìKˆ)AG…Ûf]ú‚èŸrÞœ”ÓŸë¹%¸IËÌ¬þìOYW®x4ÐG™¹ K÷ù¾˜ì,j8h3<À™÷þ×TìºÉp9} ‹CÂ=r\'RjÿÐ‹7Ä·˜NéÔQVrRüèƒÇ WÚR´ÛŸ4Š)÷ÚŒK°€ƒ>\UŸÑ_”ÆžD™7ÂíPµ¤Á@Iœù )AÀÁÄ£†ßÚ
ˆ³Ø£¤Š…!4OK5cË’
H˜ ö¨4dþˆ]Ø4óh* ×|!y0‘'FU„ÂëæƒŽßè§À´p"@š8@!¯8
‹ÇÔÜ8 „{€SWVUè]íLTµC
‹FüƒÀÇo/ÞgVäv€›ò½1/2«Hƒ{HtÀsD…wö¹#ƒ~F&{@”óòòX#/‘o¦Ñ?˜ÿQèeFß0‹N,‰+Kj@™’QFâ•7!‰…'
VèMö br½…ÀÍ”²Á(@,U’SÙš4-ëOO fQF GÀnt{‹•ªTÍl®
Du©Š:ë-÷cÁW€tàRážÔQ…˜1P?Š‰L & ÈAâRÏ?Ò°© –
bj…«ˆÀfH1ë7$Þ%DuCÃš@ðñ÷ÆéÃë+š‰Bˆ%ÂÒ³ò”Ö|Wi78Éÿµ‘3¦;´@FÇ]^_[ÃU´ìÂÙüI»èÂ [ëh?à9ËQÿ“"©‰E¼V…Ý~ÃÓKû·ÁtRû¯ÕÃ¿uüDD3«ZƒÂëä«Æ¬uÅ¯ÉÐƒG¯EÐÍOÁf*MÈ?C½Âð‰ëSô™#])Vèñ\
G>$ÉÀX±þ0PëN. ‰Uø·F©±ªu}ó”Y™‡!„VzlöMcü@^à6uø;Ï}4’FàòÐUü,ègÓtÐþÈŠ×1u*:ÂØ
fÁèÂÀ†Äh½ÎÎ~¹‚AëÈ^YH¾Ft5;*ª0Å«÷¦aéxýx—QŽ„9ø€4ƒìfvRPè§ÐËbYŽIÁ?W5æ³
åÄA~ú'›P”ÞÍ(Cí±–tMàs˜^b}(KÉøÁÄù,ó¥-ƒá¶Eÿ{ú¤RöÑ¡«ñªlZÎ`;Ú2=42¦Ãu¢Z¢ˆãU"œ€šGÁðQRV#‘r‘Š‘ÖP‰»¦¿.}ì&5nH+È…6*²&^ _2|C`Q»˜ÐHôR²K}\K¨†‹/ÇoQÙì,©È@t2[µFºˆ)36ÿmØëMZaú;}ñu…ùëÚd@øÇ4ÿªƒ›à›+îœ¥IÇ^rrÚ-@]¤--–@Ë´kùb› ]¤‚9Å\¶Ct$sèC˜Q=NMÎ~…ÿ!z{PWQSèzeHHˆÝøH© ëÅÎªmsvb]fä\"Ç E‰ƒk±dÐ®!öFÄ‹“KïN@kÒƒôäY…\À09N´ëN"cGëzÉÎ} ±U=…Ò>»Ö1ö
òÇTn'ŠÏØ¸tDRR'©% %œ#œjë‹MÁÖAtÖfóàQ@ã,IÈšZhalo¬M¹9%‹T"»ë¬ˆœÕ®„Qü^o×ó*0+ñ‰´Ðè¤;MfAëó¾6˜kIümÒ„ JE¹@<@H|ƒÇ'¡ÏÁé``áæQevP¶K:ûŠ¨ƒö,£ˆÂYˆç¡Ë¥…e‘…Y
K4z/"!§•%!3Oô¯¸Ï„ÓJ”{²¸€F-«ð‹V4+‰¦zeHwŽAp licatèon er=¹ð§;î /uþÜ.Theß€üsƒøwAA•‹Å³V‹÷+ðó¤^ëŽÒuŠFÒÃ3ÉAèîÿÿÿÉèçÿÿÿròÃ+|$(‰|$aÂ t
×# È Ì @ À Ä ¸-Rðˆž ‰A‹T$‹RÆéƒÂ+‰Jü3ÀÃ¸xV4d ƒÄUSQWVR˜W ‹SR‹èj@h ÿsj ‹K‹ÿÐZ‹øPR‹3‹C Â‹‰K ‹CÂ‹‰Kò‹KCPWVÿÑZXC‹øR‹ð‹FüƒÀ+ð‰V‹K‰Nÿ×‰…? ‹ð‹KZëh € j Wÿ‹ÆZ^_Y[]ÿà

gmer report:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-17 11:50:46
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\Kunal\AppData\Local\Temp\pxldqpow.sys

---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\BitDefender\BitDefender 2008\bdselfpr.sys ZwOpenProcess [0x9E2F5B4C]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2008\bdselfpr.sys ZwOpenThread [0x9E2F5C3A]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2008\bdselfpr.sys ZwTerminateProcess [0x9E2F5AB0]

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 9C53DBB8

AttachedDevice \Driver\tdx \Device\Tcp bdftdif.sys
AttachedDevice \Driver\tdx \Device\Udp bdftdif.sys
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service system32\drivers\parport.sys (*** hidden *** ) [MANUAL] Parport <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\System\Parport@EventMessageFile %SystemRoot%\System32\IoLogMsg.dll;%SystemRoot%\System32\drivers\parport.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\System\Parport@TypesSupported 7
Reg HKLM\SYSTEM\CurrentControlSet\Services\Parport@DisplayName Parallel port driver
Reg HKLM\SYSTEM\CurrentControlSet\Services\Parport@Group Parallel arbitrator
Reg HKLM\SYSTEM\CurrentControlSet\Services\Parport@ImagePath \SystemRoot\system32\drivers\parport.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\Parport@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\Parport@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\Parport@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\System\Parport@EventMessageFile %SystemRoot%\System32\IoLogMsg.dll;%SystemRoot%\System32\drivers\parport.sys
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\System\Parport@TypesSupported 7
Reg HKLM\SYSTEM\ControlSet002\Services\Parport@DisplayName Parallel port driver
Reg HKLM\SYSTEM\ControlSet002\Services\Parport@Group Parallel arbitrator
Reg HKLM\SYSTEM\ControlSet002\Services\Parport@ImagePath \SystemRoot\system32\drivers\parport.sys
Reg HKLM\SYSTEM\ControlSet002\Services\Parport@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet002\Services\Parport@Start 3
Reg HKLM\SYSTEM\ControlSet002\Services\Parport@Type 1

---- EOF - GMER 1.0.15 ----

Hello,

I had initially posted into another forum here: http://www.bleepingcomputer.com/forums/t/302937/rootkit-trojan/

As suggested there, I tried running Defogger (it did the disabling)

However, DDS did not run successfully. Upon clicking it, it directly opens a notepad file titled DDS which is filled with illegible characters and runs into great lengths (I've copy pasted a part of the file in the previous post of this topic)

GMER was able to run, and report is copy pasted in the previous post.

As soon as i connected to the internet, the symptoms mentioned in the previous topic (http://www.bleepingcomputer.com/forums/topic302937.html) re occurred: ie Windows Explorer stops working and then tries to restart. Also, Task Scheduler, Desktop Windows Manager and Bit Defender Agent stop working.

PS - I googled for DDS not running, and came across this http://www.bleepingcomputer.com/forums/t/297865/cant-run-ddsscr-opens-in-notepad/
I also have AutoCAD 2008 installed on this laptop, and I re looked at the DDS file and it is identified as an AutoCAD Script. I dont know if this is causing the error in running DDS, since I have AutoCAD also installed on my desktop and on that the DDS ran fine (The desktop's issues are being looked at separately in this topic: http://www.bleepingcomputer.com/forums/t/302287/multiple-malwares/ )

Thank you for your help,
Regards,
Kunal

Edited by boopme, 17 March 2010 - 12:06 PM.

BC AdBot (Login to Remove)

BleepingComputer.com
Register to remove ads

#2 myrti

Sillyberry

Malware Study Hall Admin
33,766 posts
OFFLINE

Gender:Female
Location:At home
Local time:05:57 AM

Posted 20 March 2010 - 11:53 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report

Please download OTL from one of the following mirrors:
- This is THE Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
In the custom scan box paste the following:
CODE
netsvcs
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
/md5stop
%systemroot%\*. /mp /s
Push the button.
Two reports will open, copy and paste them in a reply here:
- OTL.txt <-- Will be opened
- Extra.txt<--Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird? a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

Follow BleepingComputer on: Facebook | Twitter | Google+

#3 kb11

Topic Starter

Members
26 posts
OFFLINE

Local time:09:27 AM

Posted 21 March 2010 - 08:29 AM

Hello myrti,

The laptop in question was not turned on since the time I made the first post.

Today when I turned it on to run OTL, it gave the previous symptoms: Within a few seconds of turning on the laptop WIndows Explorer stops working, it tries to find the solution to the problem and tries to restart Windows Explorer. Simultaneously, Task Scheduler stops working as does Services and Controller Application.
Along with these, I received a new notification today: Windows has encountered a problem and will restart automatically in one minute. Please save all your work now.

Then Windows restarts and the whole cycle begins all over again. Im perplexed by what to do with this.

Just as I mentioned earlier (http://www.bleepingcomputer.com/forums/t/302937/rootkit-trojan/) I can format the C drive again and reinstall windows if needed, since I have no data on it. I have some data on D drive which isnt backed up. But if need be, I can format that drive too without backing up the data.

Thanks,
Kunal

#4 myrti

Sillyberry

Malware Study Hall Admin
33,766 posts
OFFLINE

Gender:Female
Location:At home
Local time:05:57 AM

Posted 21 March 2010 - 03:34 PM

Hi,

if you are inclined to reformat, then this may be your best and quickest option.

if you prefer to try and fix please try to provide a log from OTLPE:
OK this file is big Print these instruction out so that you know what you are doing

Two programmes to download

First

ISOBurner this will allow you to burn OTLPE ISO to a cd and make it bootable. Just install the programme, from there on in it is fairly automatic. Instructions

Second

Download OTLPE.iso and burn to a CD using ISO Burner. NOTE: This file is 292Mb in size so it may take some time to download.
When downloaded double click and this will then open ISOBurner to burn the file to CD
Reboot your system using the boot CD you just created.

Note : If you do not know how to set your computer to boot from CD follow the steps here
Your system should now display a REATOGO-X-PE desktop.
Double-click on the OTLPE icon.
When asked "Do you wish to load the remote registry", select Yes
When asked "Do you wish to load remote user profile(s) for scanning", select Yes
Ensure the box "Automatically Load All Remaining Users" is checked and press OK
OTL should now start. Change the following settings
- Change Drivers to SafeList
Press Run Scan to start the scan.
When finished, the file will be saved in drive C:\_OTL\MovedFiles
Copy this file to your USB drive if you do not have internet connection on this system
Please post the contents of the OTL.txt file in your reply.

regards myrti

is that a bird? a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

Follow BleepingComputer on: Facebook | Twitter | Google+

#5 kb11

Topic Starter

Members
26 posts
OFFLINE

Local time:09:27 AM

Posted 21 March 2010 - 03:42 PM

hi,
i think i will go in for a reformat. however, id like to run some checks after formatting, to make sure i dont have anything lurking around. what would you suggest for that?
also after formatting, should i first install all drivers and windows updates or first run these checks?

thanks,
kunal

#6 myrti

Sillyberry

Malware Study Hall Admin
33,766 posts
OFFLINE

Gender:Female
Location:At home
Local time:05:57 AM

Posted 21 March 2010 - 05:53 PM

Hi,

I would try to bring the PC up to date before installing an anti virus program on it and run scans on it. However please install the SPs offline if possible and connect to the internet only after installing the updates and an antivirusprogram.

regards myrti

is that a bird? a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

Follow BleepingComputer on: Facebook | Twitter | Google+

#7 kb11

Topic Starter

Members
26 posts
OFFLINE

Local time:09:27 AM

Posted 23 March 2010 - 12:16 PM

hello,
i formatted the laptop, installed vista. and upgraded it offline to SP2.
then i installed kaspersky internet security 2010 and ran a complete scan - it detected and deleted Trojan-Downloader.Win32.Genoma.amwr which it found in E\ProgramFiles\Internet Explorer\rasadhlp.dll
(The E drive is Dell's recovery drive and I dont store any data on it)

I then ran Malwarebytes Anti Malware, Spybot Search and Destroy and Ad Aware. The first two didn't detect any thing. Ad Aware removed two cookies: *atdmt* and *2o7*

do you think i should run the dds and gmer scans and post a log?

thanks,
kunal

#8 myrti

Sillyberry

Malware Study Hall Admin
33,766 posts
OFFLINE

Gender:Female
Location:At home
Local time:05:57 AM

Posted 24 March 2010 - 04:58 PM

Hi,

this looks like a false positive from Kaspersky. The other detections are harmless. Cookies do not pose a threat to the security of your PC as such. If you want them gone, I can tell you how to disable them in your browser.

regards myrti

is that a bird? a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

Follow BleepingComputer on: Facebook | Twitter | Google+

#9 kb11

Topic Starter

Members
26 posts
OFFLINE

Local time:09:27 AM

Posted 24 March 2010 - 10:38 PM

hi myrti,

if cookies as such do not cause any harm, i dont mind leaving them enabled.

now, i have some external storage devices that i may have inadvertently plugged in to the laptop earlier and may have infected them. i use:
- 2 thumb drives (USBs)
- 2 external portable Hard Disk Drives
- 2 SecureDigital memory cards for a digital camera
- an IPod
- and a Cell Phone with a 512mb memory card

Is there any way to check if these are infected, and to protect them? I havent plugged in any of them into the laptop for fear of a cross-infection

regards,
kunal

#10 myrti

Sillyberry

Malware Study Hall Admin
33,766 posts
OFFLINE

Gender:Female
Location:At home
Local time:05:57 AM

Posted 26 March 2010 - 12:55 PM

Hi,

there are a couple of tools that will allow to protect your removable media, I usually suggest flash_disinfector:
Please download Flash_Disinfector.exe by sUBs and save it to your desktop.

Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present. (This will prevent any infection present on the key to be executed)
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.

Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

regards myrti

is that a bird? a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

Follow BleepingComputer on: Facebook | Twitter | Google+

#11 kb11

Topic Starter

Members
26 posts
OFFLINE

Local time:09:27 AM

Posted 28 March 2010 - 12:57 PM

hey,
i downloaded and tried to run flash disinfector.
but after visa's UAC warning about letting flash disinfector run, nothing happens. the mouse just shows the waiting symbol for a few seconds, but nothing follows.
this happens even after i switched off kaspersky, adaware and spybot

- kunal

#12 myrti

Sillyberry

Malware Study Hall Admin
33,766 posts
OFFLINE

Gender:Female
Location:At home
Local time:05:57 AM

Posted 30 March 2010 - 06:59 AM

Hi,

can you please try to right-click and select "run as admin". Let me know if that works.

regards myrti

is that a bird? a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

Follow BleepingComputer on: Facebook | Twitter | Google+

#13 kb11

Topic Starter

Members
26 posts
OFFLINE

Local time:09:27 AM

Posted 30 March 2010 - 12:01 PM

hi,
i tried running it as admin too. but that made no difference.
there is still nothing that happens

- kunal

#14 myrti

Sillyberry

Malware Study Hall Admin
33,766 posts
OFFLINE

Gender:Female
Location:At home
Local time:05:57 AM

Posted 03 April 2010 - 11:45 AM

Hi,

then please try Pandy Vaccine: Panda Vaccine

After you download it, you can run it and select the flash drive you wish to vaccine under USB drive vaccination. I would not use the PC vaccination, since ComboFix already disabled that one.
The program is only available for fat formatted flash drives though and the flash drives should not be used with Linux-PCs.

regards myrti

is that a bird? a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

Follow BleepingComputer on: Facebook | Twitter | Google+