
Am I infected? What do I do?



#1 mant

mant


Posted 29 June 2010 - 09:00 AM

Sometimes I get a BSOD: PAGE_FAULT_IN_NONPAGED_AREA


Here's my GMER log:


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-29 20:48:53
Windows 5.1.2600 Service Pack 3
Running: GMER.exe; Driver: D:\Temp\uwtdapow.sys


---- System - GMER 1.0.15 ----

INT 0x62 ? 8316FBF8
INT 0x63 ? 830DFBF8
INT 0x73 ? 830DFBF8
INT 0x83 ? 830DFBF8
INT 0xA4 ? 830DFBF8

---- Kernel code sections - GMER 1.0.15 ----

? spze.sys The system cannot find the file specified. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF77A0380, 0x5414A5, 0xE8000020]
.text anzydbx4.SYS F74923D6 1 Byte [00]
.text anzydbx4.SYS F74923D6 62 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text anzydbx4.SYS F7492415 5 Bytes [B0, 02, 00, 00, 04]
.text anzydbx4.SYS F749241B 9 Bytes [00, 00, 98, 02, 00, 00, 00, ...] {ADD [EAX], AL; CWDE; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text anzydbx4.SYS F7492425 30 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\GMER.exe[544] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100A55F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\GMER.exe[544] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100A5574 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\GMER.exe[544] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100A55A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\GMER.exe[544] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100A5624 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Registry Workshop\RegWorkshop.exe[808] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100A55F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Registry Workshop\RegWorkshop.exe[808] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100A5574 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Registry Workshop\RegWorkshop.exe[808] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100A55A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Registry Workshop\RegWorkshop.exe[808] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100A5624 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F83F2042] spze.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F83F213E] spze.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F83F20C0] spze.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F83F2800] spze.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F83F26D6] spze.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F8401B90] spze.sys
IAT \SystemRoot\System32\Drivers\anzydbx4.SYS[HAL.dll!KfAcquireSpinLock] CCCCCCC3
IAT \SystemRoot\System32\Drivers\anzydbx4.SYS[HAL.dll!READ_PORT_UCHAR] CCCCCCCC
IAT \SystemRoot\System32\Drivers\anzydbx4.SYS[HAL.dll!KeGetCurrentIrql] CCCCCCCC
IAT \SystemRoot\System32\Drivers\anzydbx4.SYS[HAL.dll!KfRaiseIrql] CCCCCCCC
IAT \SystemRoot\System32\Drivers\anzydbx4.SYS[HAL.dll!KfLowerIrql] 8BEC8B55
IAT \SystemRoot\System32\Drivers\anzydbx4.SYS[HAL.dll!HalGetInterruptVector] 00C73445
IAT \SystemRoot\System32\Drivers\anzydbx4.SYS[HAL.dll!HalTranslateBusAddress] 00000000
IAT \SystemRoot\System32\Drivers\anzydbx4.SYS[HAL.dll!KeStallExecutionProcessor] 830C458B
IAT \SystemRoot\System32\Drivers\anzydbx4.SYS[HAL.dll!KfReleaseSpinLock] C0840CEC
IAT \SystemRoot\System32\Drivers\anzydbx4.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 053C0D74
IAT \SystemRoot\System32\Drivers\anzydbx4.SYS[HAL.dll!READ_PORT_USHORT] 57B80974
IAT \SystemRoot\System32\Drivers\anzydbx4.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 8B000000
IAT \SystemRoot\System32\Drivers\anzydbx4.SYS[HAL.dll!WRITE_PORT_UCHAR] 56C35DE5
IAT \SystemRoot\System32\Drivers\anzydbx4.SYS[WMILIB.SYS!WmiSystemControl] 8D51FC4D
IAT \SystemRoot\System32\Drivers\anzydbx4.SYS[WMILIB.SYS!WmiCompleteRequest] 8D52FD55
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [F745C054] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F745C054] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F745C054] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F745C054] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F745C054] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F745C054] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F745C054] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8316E1F8

AttachedDevice \FileSystem\Ntfs \Ntfs dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.)
AttachedDevice \FileSystem\Ntfs \Ntfs HFXP2.SYS (Hide Folders XP driver (for Win32)/FSPro Labs)

Device \Driver\Tcpip \Device\Ip afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)

AttachedDevice \Driver\Tcpip \Device\Ip dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\usbuhci \Device\USBPDO-0 830E31F8
Device \Driver\usbuhci \Device\USBPDO-1 830E31F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 831DE1F8
Device \Driver\dmio \Device\DmControl\DmConfig 831DE1F8
Device \Driver\dmio \Device\DmControl\DmPnP 831DE1F8
Device \Driver\dmio \Device\DmControl\DmInfo 831DE1F8
Device \Driver\PCI_PNP4042 \Device\00000053 spze.sys
Device \Driver\PCI_PNP4042 \Device\00000053 spze.sys
Device \Driver\usbuhci \Device\USBPDO-2 830E31F8
Device \Driver\usbehci \Device\USBPDO-3 8300C1F8
Device \Driver\usbuhci \Device\USBPDO-4 830E31F8
Device \Driver\Tcpip \Device\Tcp afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)

AttachedDevice \Driver\Tcpip \Device\Tcp dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.)
AttachedDevice \Driver\Tcpip \Device\Tcp fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \Driver\Ftdisk \Device\HarddiskVolume1 831701F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 831701F8
Device \Driver\Cdrom \Device\CdRom0 82FC91F8
Device \Driver\Cdrom \Device\CdRom1 82FC91F8
Device \Driver\Ftdisk \Device\HarddiskVolume3 831701F8
Device \Driver\atapi \Device\Ide\IdePort0 [F8327B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 [F8327B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c [F8327B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\Tcpip \Device\Udp afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)

AttachedDevice \Driver\Tcpip \Device\Udp dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.)
AttachedDevice \Driver\Tcpip \Device\Udp fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \Driver\sptd \Device\466817792 spze.sys
Device \Driver\Tcpip \Device\RawIp afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)

AttachedDevice \Driver\Tcpip \Device\RawIp dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.)
AttachedDevice \Driver\Tcpip \Device\RawIp fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \Driver\usbuhci \Device\USBFDO-0 830E31F8
Device \Driver\usbuhci \Device\USBFDO-1 830E31F8
Device \Driver\usbuhci \Device\USBFDO-2 830E31F8
Device \Driver\Tcpip \Device\IPMULTICAST afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
Device \Driver\usbuhci \Device\USBFDO-3 830E31F8
Device \Driver\Ftdisk \Device\FtControl 831701F8
Device \Driver\usbehci \Device\USBFDO-4 8300C1F8
Device \Driver\anzydbx4 \Device\Scsi\anzydbx41 82FBD1F8
Device \Driver\anzydbx4 \Device\Scsi\anzydbx41Port3Path0Target0Lun0 82FBD1F8
Device \FileSystem\Cdfs \Cdfs FFB39500

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\000df01e887c (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\000df01e887c@0013e03631d6 0x9D 0x06 0x2E 0x85 ...
Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\000df01e887c@001f6b92a251 0xB2 0x23 0x7A 0x7F ...
Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\000df01e887c@000e6d089da8 0x59 0xE7 0xA2 0xAC ...
Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\000df01e887c@002265dc1ee5 0xA6 0x09 0x48 0xDD ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 62: copy of MBR

---- EOF - GMER 1.0.15 ----





Am I infected? What do I do?

Edited by mant, 29 June 2010 - 02:23 PM.
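As an added triage aid (not code from the post, from GMER, or from BleepingComputer), the following Python script parses GMER "Kernel code sections" and "Kernel IAT/EAT" lines and lists every hooking module together with whether GMER also reported that module as missing on disk. The sample log text is constructed to mirror the format of the log above; the function names `triage_gmer` and `suspicious` are my own.

```python
import re
from collections import defaultdict

# Constructed sample in the GMER 1.0.15 format (a few lines modelled on the log above).
SAMPLE_LOG = r"""
---- Kernel code sections - GMER 1.0.15 ----

? spze.sys The system cannot find the file specified. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF77A0380, 0x5414A5, 0xE8000020]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F83F2042] spze.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F83F26D6] spze.sys
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F745C054] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
"""

# "IAT <victim>[<import>] [<hex addr>] <module> (<vendor string>)"; the vendor part is optional.
IAT_RE = re.compile(
    r"^IAT\s+(?P<victim>\S+?)\[(?P<import>[^\]]+)\]\s+\[(?P<addr>[0-9A-Fa-f]+)\]\s+"
    r"(?P<module>\S+)(?:\s+\((?P<vendor>[^)]*)\))?$"
)
# "? <module> The system cannot find the file specified. !" from the kernel code sections.
MISSING_RE = re.compile(r"^\?\s+(?P<module>\S+)\s+The system cannot find the file specified\. !$")


def triage_gmer(log_text):
    """Group IAT hooks by the module that owns the hook target.

    Returns {module_basename: {"missing_on_disk": bool, "vendor": str|None, "hooks": [(victim, import)]}}.
    """
    missing = set()
    report = defaultdict(lambda: {"missing_on_disk": False, "vendor": None, "hooks": []})
    for line in log_text.splitlines():
        m = MISSING_RE.match(line)
        if m:
            missing.add(m["module"].lower())
            continue
        m = IAT_RE.match(line)
        if not m:
            continue  # not an IAT line we can resolve (e.g. raw pointer values like CCCCCCCC)
        module = m["module"].rsplit("\\", 1)[-1].lower()  # basename of the hooking module
        entry = report[module]
        entry["vendor"] = entry["vendor"] or m["vendor"]
        entry["hooks"].append((m["victim"].rsplit("\\", 1)[-1], m["import"]))
    for module, entry in report.items():
        entry["missing_on_disk"] = module in missing
    return dict(report)


def suspicious(report):
    """Hooking modules with no vendor string that GMER could not find on disk: worth a closer look."""
    return sorted(m for m, e in report.items() if e["missing_on_disk"] and e["vendor"] is None)
```

Run it over a saved GMER log with `triage_gmer(open("gmer.log").read())`; a module that hooks low-level port I/O imports and has no file on disk, as in the sample, is the pattern a helper would ask the poster about.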



#2 mant

mant

Posted 29 June 2010 - 12:14 PM

I suspect spze.sys.

It has variant names after reboot:

spcz.sys
spyu.sys
spze.sys


...etc


size: 995328
image path: no path

Rescan, then appears another invisible file:


sybex38.sys


size: 27264
path: C:\WINDOWS\system32\drivers

Rescan, then appears another invisible file:


uwtdapow.sys


size: 93506
path: \temp folder

All files above are invisible (no file on disk, no registry entry, cannot be deleted).


:thumbsup:

Edited by mant, 29 June 2010 - 02:39 PM.




