Possible Hijack...


20 replies to this topic

#1 BSEdge
  • Members
  • 13 posts

Posted 30 July 2010 - 10:58 AM

During the World Cup I tried to watch a match over a "Free" website. Instead of the match I'm pretty sure I picked up a virus/malware.

The biggest problem is that the svchost takes over all of the available memory and cpu. Usually 90+% cpu. I am able to force quit this svchost.exe and the PC goes back to normal for a day or so. However, everything I've tried has failed to make this permanently go away.

The second issue is that windows update is being blocked. Whenever I try to update, IE opens and gives me a DNS message. Firefox is also affected: I can go to the home page (google) and even search for something, but when I try to click on the link I get redirected.

I am running Windows XP Pro with Svc Pk 3.

As far as AV/AM: AVG 9, SuperAntispyware, Malware Bytes. I have run all three (separately) and all they come up with are tracking cookies.

Please help!



#2 BSEdge
  • Topic Starter
  • Members
  • 13 posts

Posted 02 August 2010 - 09:15 AM

Over the weekend, AVG blocked the following:

allvexxx.tk - Trojan (blocked upon open)

209.222.3.154 - Exploit Rogue Scanner (type 1178) (blocked upon open)

Windows\system32\~.vbs - Trojan (detected and moved to chest)

svchost.exe is still hogging my PC and even ran the virtual memory low.

#3 BSEdge
  • Topic Starter
  • Members
  • 13 posts

Posted 04 August 2010 - 09:59 AM

I should change the topic to "definite infection".

Overnight AVG blocked: Win32/Kryptik.FHW and several other trojans from opening. Why is it blocking these but not finding them on scans!?!

After reading through a number of threads on here, I decided to go ahead and run TFC followed by MBAM. Here is the log:

---------------------------------------------------------

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4199

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/2/2010 11:21:10 AM
mbam-log-2010-08-02 (11-21-10).txt

Scan type: Quick scan
Objects scanned: 146602
Time elapsed: 9 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\6to4v32.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\6to4v32.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.

---------------------------------------------------------------------------

I rebooted and then rescanned with MBAM and there was nothing on the scan. The problem still exists and this morning I received the warnings from AVG.

#4 BSEdge
  • Topic Starter
  • Members
  • 13 posts

Posted 06 August 2010 - 08:34 AM

Seems like most people get some sort of response within a day or two, so I've clearly done something wrong or offended someone.

My apologies to the forum, and you may delete my topic.

#5 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,416 posts
  • Gender:Male
  • Location:NJ USA

Posted 06 August 2010 - 10:01 AM

Hello, all the replies to yourself make it appear as if you have been helped.

Well we need to do 2 things first.

Rerun MBAM (MalwareBytes) like this: yours is a little old.

Open MBAM in normal mode and click Update tab, select Check for Updates, when done
click Scanner tab, select Quick scan and scan (normal mode).
After scan click Remove Selected, post new scan log and reboot into normal mode.



Next run ATF and SAS: If you cannot access Safe Mode, run in normal, but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions,post logs and Let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#6 BSEdge
  • Topic Starter
  • Members
  • 13 posts

Posted 06 August 2010 - 03:36 PM

Sorry for the confusion and for being impatient. :thumbsup:

I updated and ran MBAM. Here is the log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4399

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/6/2010 12:13:56 PM
mbam-log-2010-08-06 (12-13-56).txt

Scan type: Quick scan
Objects scanned: 159461
Time elapsed: 15 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cleanswepx.exe (Trojan.SpyEye) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\24d1ca9a-a864-4f7b-86fe-495eb56529d8 (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\cleanswepx.exe (Trojan.SpyEye) -> Quarantined and deleted successfully.

Files Infected:
C:\cleanswepx.exe\config.bin (Trojan.SpyEye) -> Quarantined and deleted successfully.

____________________________________________


I updated SAS and then restarted in safe mode.

I ran ATFC then SAS and SAS found some tracking cookies.

I rebooted normally and still get the DNS when I try Windows update, svchost.exe is at the top of my process list and AVG blocked another malware program (JMED.EXE).

#7 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,416 posts
  • Gender:Male
  • Location:NJ USA

Posted 06 August 2010 - 07:35 PM

The problem may actually be based in your router.

Open MBAM in normal mode and click Update tab, select Check for Updates

Next disconnect your system from the internet, and your router, then…
Now another quick scan.
click Scanner tab, select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.


Next you must reset the router to its default configuration. This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds). If you don’t know the router's default password, you can look it up HERE

However, if there are other infected machines using the same router, they will need to be cleared with the above steps before resetting the router. Otherwise, the malware will simply go back and change the router's DNS settings. You also need to reconfigure any security settings you had in place prior to the reset. Check out this site here for video tutorials on how to properly configure your router's encryption and security settings. You may also need to consult with your Internet service provider to find out which DNS servers your network should be using.

Once you have run Malwarebytes' Anti-Malware on the infected system, and reset the router to its default configuration you can reconnect to the internet, and router. Then return to this site to post your logs.


Please post the Malwarebytes log and let me know how things are running now

#8 BSEdge
  • Topic Starter
  • Members
  • 13 posts

Posted 09 August 2010 - 09:08 AM

I updated MBAM and am running a full scan of the pc.

Meanwhile, AVG just blocked six files on opening. They all have the same path as below:

c:\Documents and Settings\NetworkService\Cookies\system@.......

A seventh file was also blocked:

c:\Documents and Settings\ARA\Application Data\Mozilla\Firefox\Profiles\jmmj35te.default\Cookies.sqlite

This happens every time I run MBAM. Should I disable AVG's resident shield before running it?

#9 BSEdge
  • Topic Starter
  • Members
  • 13 posts

Posted 09 August 2010 - 10:41 AM

I updated MBAM and did a complete scan. Here is the log:


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4410

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/9/2010 11:52:44 AM
mbam-log-2010-08-09 (11-52-44).txt

Scan type: Full scan (C:\|)
Objects scanned: 222167
Time elapsed: 1 hour(s), 44 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Rogue.Antivirus2010) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Rogue.Antivirus2010) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\Documents and Settings\ARA\Application Data\usernt.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\ARA\Start Menu\Programs\Startup\syscron.exe (Trojan.Agent) -> Quarantined and deleted successfully.

_________________________________________________________________________________________________________________

I tend to think this is a virus/malware blocking IE from getting to the Windows Update page. The other computer connected to this router has no problem connecting to WU and is showing none of the svchost.exe issues that this computer is. Also, I'm able to use IE without any issues except for going to the WU page.

#10 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,416 posts
  • Gender:Male
  • Location:NJ USA

Posted 09 August 2010 - 02:59 PM

Did you reset the router?

If still redirecting>>>
Change your DNS Servers:
  • Go to Start > Run... and in the open box, type: cmd
  • Press OK or Hit Enter.
  • At the command prompt, type or copy/paste: ipconfig /flushdns
  • Hit Enter.
  • You will get a confirmation that the flush was successful.
  • Close the command box.
If the above commands did not resolve the problem, the next thing to try is to reset your network settings and Configure TCP/IP to use DNS.
  • Go to Start > Control Panel, and choose Network Connections.
  • Right-click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and choose Properties.
  • Double-click on Internet Protocol (TCP/IP) or highlight it and select Properties.
  • Under the General tab, write down any settings in case you should need to change them back.
  • Select the button that says "Obtain an IP address automatically" or make sure the DNS server IP address is the same as provided by your ISP.
  • Select the button that says "Obtain DNS servers automatically".
  • If unknown Preferred or Alternate DNS servers are listed, uncheck the box that says "Use the following DNS server address".
  • Click OK twice to get out of the properties screen and restart your computer. If not prompted to reboot go ahead and reboot manually.
-- Vista users can refer to How to Change TCP/IP settings

CAUTION: It's possible that your ISP (Internet Service Provider) requires specific DNS settings here. Make sure you know if you need these settings or not BEFORE you make any changes or you may lose your Internet connection. If you're sure you do not need a specific DNS address, then you may proceed.


#11 BSEdge
  • Topic Starter
  • Members
  • 13 posts

Posted 10 August 2010 - 09:06 AM

I did reset the router. Flushed the DNS and made sure the TCP/IP settings were correct. No change.

I think I may have been mistaken about the error I'm getting. It's not a DNS message; just that IE cannot load the page. I can get to the Microsoft page just fine and I can even eventually get to the windows update page, but once I get there the actual update doesn't work. I installed Windows Defender and manually updated the program. It didn't help, but I noticed that it is being blocked from updating as well. Also, if I leave IE or Firefox open for long enough a random page will open in a new tab. There have been occasional search redirects to an obviously fake News page.

This morning the PC's virtual memory was low, programs had shut down and AVG had blocked an exploit rogue scanner: engsquad.com. The process this tried to run under was the problematic svchost.exe.

Hope this helps, and sorry for the bad intel.

#12 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,416 posts
  • Gender:Male
  • Location:NJ USA

Posted 10 August 2010 - 07:22 PM

Please click Start > Run, type inetcpl.cpl in the runbox and press enter.

Click the Connections tab and click the LAN settings option.

Verify if "Use a proxy..." is checked, if so, UNcheck it and click OK/OK to exit.

Now check if the internet is working again.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates, when done
click Scanner tab, select Quick scan and scan (normal mode).
After scan click Remove Selected, post new scan log and reboot into normal mode.

#13 BSEdge
  • Topic Starter
  • Members
  • 13 posts

Posted 11 August 2010 - 11:36 AM

Ran inetcpl.cpl and then updated and ran MBAM:


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4419

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/11/2010 10:56:34 AM
mbam-log-2010-08-11 (10-56-34).txt

Scan type: Quick scan
Objects scanned: 168756
Time elapsed: 19 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Rogue.Antivirus2010) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Rogue.Antivirus2010) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

___________________________________________________________________________________________________

Restarted and rescanned with MBAM, it found the same two infections:

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Rogue.Antivirus2010) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Rogue.Antivirus2010) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

____________________________________________________________________________________________________

Restarted and ran full scan with MBAM:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4419

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/11/2010 12:53:05 PM
mbam-log-2010-08-11 (12-53-05).txt

Scan type: Full scan (C:\|)
Objects scanned: 229962
Time elapsed: 1 hour(s), 4 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Rogue.Antivirus2010) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Rogue.Antivirus2010) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Hope this is useful and thanks for the help.
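Posts #3, #6, #9 and #13 all paste Malwarebytes' Anti-Malware logs in the same layout, and #13 shows the same two Winlogon\Userinit items being "Quarantined and deleted" on three scans in a row. An item that is back after every reboot means whatever re-creates it has not been removed, which is why the next reply moves on to a rootkit scan. The parser below is an added example written for this page (it is not Malwarebytes' code and was not posted in the thread): it reads that log format, checks the summary counts against the items actually listed (a quick way to spot a truncated paste), and reports items that were removed in more than one scan. The two sample logs are constructed and abbreviated from the thread's format.

```python
"""Parse Malwarebytes' Anti-Malware 1.46 logs of the shape pasted in this thread
and report detections that recur from scan to scan.  Added example, not part of
the thread; the two sample logs are constructed, abbreviated from that format."""
import re
from collections import Counter, defaultdict

HEADER_RE = re.compile(r"^(Database version|Scan type|Objects scanned|Time elapsed): (.+)$")
COUNT_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")    # summary line, e.g. "Files Infected: 1"
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")        # section heading, e.g. "Files Infected:"
NO_ITEMS = "(No malicious items detected)"

# Constructed sample: a full scan, then a quick scan run after the reboot.
LOG_FULL = r"""
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4410

8/9/2010 11:52:44 AM
mbam-log-2010-08-09 (11-52-44).txt

Scan type: Full scan (C:\|)
Objects scanned: 222167
Time elapsed: 1 hour(s), 44 minute(s), 28 second(s)

Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Rogue.Antivirus2010) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Rogue.Antivirus2010) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\ARA\Start Menu\Programs\Startup\syscron.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

LOG_QUICK = r"""
Scan type: Quick scan
Objects scanned: 168756

Registry Data Items Infected: 2
Files Infected: 0

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Rogue.Antivirus2010) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Rogue.Antivirus2010) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""


def parse_item(line):
    """Split one detection line: <path> (<family>) [-> Data: <data>] -> <action>."""
    parts = line.rstrip(".").split(" -> ")
    path, family = parts[0].rsplit(" (", 1)
    data = next((p[len("Data: "):] for p in parts[1:-1] if p.startswith("Data: ")), None)
    return {"path": path, "family": family.rstrip(")"), "data": data, "action": parts[-1]}


def parse_mbam_log(text):
    """Return header fields, the summary counts and every listed item with its section."""
    log = {"header": {}, "counts": {}, "items": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header, count, heading = HEADER_RE.match(line), COUNT_RE.match(line), SECTION_RE.match(line)
        if header:
            log["header"][header.group(1)] = header.group(2)
        elif count:
            log["counts"][count.group(1)] = int(count.group(2))
        elif heading:
            section = heading.group(1)
        elif section and line != NO_ITEMS:
            log["items"].append(dict(parse_item(line), section=section))
    return log


def count_mismatches(log):
    """Sections whose summary count disagrees with the items actually listed (a truncated paste)."""
    listed = Counter(item["section"] for item in log["items"])
    return {name: (expected, listed[name])
            for name, expected in log["counts"].items() if expected != listed[name]}


def recurring_items(logs):
    """(section, path, data) triples removed in more than one scan: the removal is not
    sticking, or something re-creates the item after each reboot."""
    seen = defaultdict(set)
    for idx, log in enumerate(logs):
        for item in log["items"]:
            seen[(item["section"], item["path"], item["data"] or "")].add(idx)
    return sorted(key for key, scans in seen.items() if len(scans) > 1)


if __name__ == "__main__":
    scans = [parse_mbam_log(LOG_FULL), parse_mbam_log(LOG_QUICK)]
    for scan in scans:
        print(scan["header"].get("Scan type"), "items:", len(scan["items"]),
              "mismatches:", count_mismatches(scan))
    for section, path, data in recurring_items(scans):
        print("recurring:", section, "|", path, "|", data)
```

With real logs, read each mbam-log-*.txt from disk, parse it with parse_mbam_log() and pass the list in scan order to recurring_items(); anything it returns survived at least one "Quarantined and deleted" and a reboot.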

#14 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,416 posts
  • Gender:Male
  • Location:NJ USA

Posted 11 August 2010 - 01:24 PM

Hi, we have an infected userinit file, probably the result of a rootkit.

We will need to do a rootkit scan.
Before performing an anti-rootkit scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.

Disconnect from the Internet or physically unplug your Internet cable connection.
Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
Temporarily disable your anti-virus and real-time anti-spyware protection.
After starting the scan, do not use the computer until the scan has completed.
When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.

#15 BSEdge
  • Topic Starter
  • Members
  • 13 posts

Posted 11 August 2010 - 04:02 PM

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-11 17:12:36
Windows 5.1.2600 Service Pack 3
Running: wns1r54c.exe; Driver: C:\DOCUME~1\ARA\LOCALS~1\Temp\kxrdqpod.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xF025A670]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xF025A720]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xF025A7C0]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xF025A860]

---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\drivers\Senfilt.sys entry point in "init" section [0xF307CA00]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1508] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092000A
.text C:\WINDOWS\System32\svchost.exe[1508] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0093000A
.text C:\WINDOWS\System32\svchost.exe[1508] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0091000C
.text C:\WINDOWS\System32\svchost.exe[1508] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 01B3000A
.text C:\WINDOWS\System32\svchost.exe[1508] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 0097000A
.text C:\WINDOWS\Explorer.EXE[2804] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[2804] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A
.text C:\WINDOWS\Explorer.EXE[2804] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \FileSystem\Fastfat \Fat BA6F9D20
Device \FileSystem\Fastfat \Fat BA7008C1

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

---- EOF - GMER 1.0.15 ----
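The GMER output above contains two kinds of entry worth telling apart. The SSDT lines are each attributed by GMER to AVG's AVGIDSShim.sys, and a security product hooking ZwOpenProcess, ZwTerminateProcess and similar calls in the kernel is expected behaviour. The "User code sections" lines are different: exports of ntdll.dll, USER32.dll and ole32.dll inside svchost.exe[1508] and Explorer.EXE[2804] have been overwritten with 5-byte JMPs to low addresses such as 0092000A, well away from where those DLLs are mapped. The script below is an added example (not GMER's code and not posted in the thread) that parses both entry kinds, attributes kernel hooks to their driver, groups the user-mode patches by process and flags those whose JMP leaves the system-DLL address range. The range itself, 0x70000000 to 0x80000000 for 32-bit XP, is an assumption of this example, and the sample log is constructed from the format of the pasted one, with a PLACEHOLDER driver line standing in for an SSDT entry GMER could not attribute.

```python
"""Parse the SSDT and 'User code sections' entries of a GMER log shaped like the one
pasted above.  Kernel hooks are attributed to the driver that owns them; user-mode
5-byte JMP patches are flagged when they leave the system-DLL address range.
Added example, not part of the thread; the sample log is constructed from the
format of the pasted one, and the address range is an assumption for 32-bit XP."""
import re
from collections import defaultdict

# Assumption: on 32-bit Windows XP the system DLLs (ntdll at 0x7C90xxxx, user32,
# ole32, ...) map between 0x70000000 and 0x80000000.  A JMP from one of their
# exports to a low private address such as 0x0092000A therefore lands outside
# every loaded system image, which is what an injected inline hook looks like.
SYSTEM_DLL_RANGE = (0x70000000, 0x80000000)

SSDT_RE = re.compile(
    r"^SSDT (?P<driver>.+?)(?: \((?P<desc>.+?)\))? (?P<func>\w+) \[0x(?P<addr>[0-9A-Fa-f]+)\]$")
HOOK_RE = re.compile(
    r"^\.text (?P<image>.+?)\[(?P<pid>\d+)\] (?P<module>[^!]+)!(?P<func>\S+) "
    r"(?P<addr>[0-9A-Fa-f]+) (?P<size>\d+) Bytes JMP (?P<target>[0-9A-Fa-f]+)$")

# Constructed sample; the PLACEHOLDER driver line stands in for an SSDT entry
# that GMER could not attribute to a described, vendor-named driver.
GMER_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xF025A670]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xF025A720]
SSDT \??\C:\WINDOWS\system32\drivers\PLACEHOLDER_unattributed.sys ZwCreateKey [0xF1234560]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1508] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092000A
.text C:\WINDOWS\System32\svchost.exe[1508] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0093000A
.text C:\WINDOWS\System32\svchost.exe[1508] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 01B3000A
.text C:\WINDOWS\Explorer.EXE[2804] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A

---- EOF - GMER 1.0.15 ----
"""


def parse_gmer_log(text):
    """Collect SSDT entries and user-mode .text hooks; everything else in the log is ignored."""
    parsed = {"ssdt": [], "hooks": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = SSDT_RE.match(line)
        if m:
            parsed["ssdt"].append({"driver": m["driver"], "desc": m["desc"] or "",
                                   "func": m["func"], "addr": int(m["addr"], 16)})
            continue
        m = HOOK_RE.match(line)
        if m:
            parsed["hooks"].append({"image": m["image"], "pid": int(m["pid"]),
                                    "module": m["module"], "func": m["func"],
                                    "addr": int(m["addr"], 16), "size": int(m["size"]),
                                    "target": int(m["target"], 16)})
    return parsed


def ssdt_owners(parsed):
    """Driver file name -> the system calls it hooks (AV products hook a few of these by design)."""
    owners = defaultdict(list)
    for entry in parsed["ssdt"]:
        owners[entry["driver"].rsplit("\\", 1)[-1]].append(entry["func"])
    return dict(owners)


def unattributed_ssdt(parsed):
    """SSDT hooks whose driver carries no description/vendor string: worth a closer look."""
    return [e for e in parsed["ssdt"] if not e["desc"]]


def suspicious_hooks(parsed):
    """Inline hooks whose patched export sits in a system DLL but whose JMP target does not."""
    lo, hi = SYSTEM_DLL_RANGE
    return [h for h in parsed["hooks"]
            if lo <= h["addr"] < hi and not lo <= h["target"] < hi]


def hooks_by_process(parsed):
    """(image path, pid) -> the exports patched inside that process."""
    grouped = defaultdict(list)
    for h in parsed["hooks"]:
        grouped[(h["image"], h["pid"])].append(f'{h["module"]}!{h["func"]}')
    return dict(grouped)


if __name__ == "__main__":
    parsed = parse_gmer_log(GMER_LOG)
    for driver, funcs in ssdt_owners(parsed).items():
        print("SSDT", driver, "->", ", ".join(funcs))
    for (image, pid), exports in hooks_by_process(parsed).items():
        print(f"{image}[{pid}] patched exports:", ", ".join(exports))
    for h in suspicious_hooks(parsed):
        print(f"  JMP out of {h['module']}!{h['func']} at {h['addr']:08X} -> {h['target']:08X}")
```

The per-process grouping is the useful view for a helper reading such a log: hooks that appear only under one vendor's driver with a description are the security product, while a set of patched ntdll exports inside a Windows process, all jumping to private memory, is what a rootkit scan is run to surface.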



