Recently I have been battling a series of viruses on my computer and thought I had them beat after downloading Malwarebytes. I had the hotfix.exe problem, and it fixed that one. Found a few trojans and the other usual suspects and thought that was it. But other problems persisted, such as redirects on google and super long shutdown cycles. I believe my rootkit problem is the same as presented in this topic:
http://www.bleepingcomputer.com/forums/topic309331.html
I have already run GMER. Here is the log.
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-10-05 19:47:25
Windows 5.1.2600 Service Pack 3
Running: h3uiv36o.exe; Driver: C:\DOCUME~1\Emily\LOCALS~1\Temp\fgdoapod.sys
---- System - GMER 1.0.15 ----
SSDT spuv.sys ZwCreateKey [0xF741C0E0]
SSDT spuv.sys ZwEnumerateKey [0xF7434DA4]
SSDT spuv.sys ZwEnumerateValueKey [0xF7435132]
SSDT spuv.sys ZwOpenKey [0xF741C0C0]
SSDT spuv.sys ZwQueryKey [0xF743520A]
SSDT spuv.sys ZwQueryValueKey [0xF743508A]
SSDT spuv.sys ZwSetValueKey [0xF743529C]
INT 0x63 ? 82FDABF8
INT 0x73 ? 82E6EF00
INT 0x82 ? 82FDABF8
INT 0x83 ? 82E6EF00
INT 0x83 ? 82E6EF00
INT 0x83 ? 82E6EF00
INT 0x83 ? 82E6EF00
INT 0xA4 ? 82E6EF00
INT 0xB4 ? 82E6EF00
INT 0xB4 ? 82E6EF00
INT 0xB4 ? 82E6EF00
---- Kernel code sections - GMER 1.0.15 ----
? spuv.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F31D18AC 5 Bytes JMP 82E6E4E0
.text aag4abxz.SYS F30D7386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text aag4abxz.SYS F30D73AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text aag4abxz.SYS F30D73C4 3 Bytes [00, 80, 02]
.text aag4abxz.SYS F30D73C9 1 Byte [30]
.text aag4abxz.SYS F30D73C9 11 Bytes [30, 00, 00, 00, 5E, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESI; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text ...
.rsrc C:\WINDOWS\system32\DRIVERS\mouclass.sys entry point in ".rsrc" section [0xF78FB814]
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\Explorer.EXE[184] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C4000A
.text C:\WINDOWS\Explorer.EXE[184] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00DE000A
.text C:\WINDOWS\Explorer.EXE[184] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00C3000C
.text C:\WINDOWS\Explorer.EXE[280] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C2000A
.text C:\WINDOWS\Explorer.EXE[280] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D4000A
.text C:\WINDOWS\Explorer.EXE[280] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00C1000C
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D2000A
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D3000A
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 006F000C
.text C:\WINDOWS\system32\svchost.exe[1180] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 01C8000A
.text C:\WINDOWS\system32\svchost.exe[1180] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00FF000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1232] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01C2000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1232] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 01C3000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1232] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 01C1000C
.text C:\Program Files\Mozilla Firefox\firefox.exe[1232] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[1376] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01A0000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1376] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 01A1000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1376] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 018F000C
.text C:\Program Files\Mozilla Firefox\firefox.exe[1376] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1384] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 103FDDE0 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1724] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 103FDDE0 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 82FD91F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{6ABF5AC6-69F2-4D33-B1D8-409D661D120E} 823FB1F8
Device \Driver\usbohci \Device\USBPDO-0 82E561F8
Device \Driver\usbohci \Device\USBPDO-1 82E561F8
Device \Driver\usbohci \Device\USBPDO-2 82E561F8
Device \Driver\usbehci \Device\USBPDO-3 82E751F8
Device \Driver\usbohci \Device\USBPDO-4 82E561F8
Device \Driver\usbohci \Device\USBPDO-5 82E561F8
Device \Driver\usbehci \Device\USBPDO-6 82E751F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 82F6C1F8
Device \Driver\Cdrom \Device\CdRom0 82E701F8
Device \Driver\Cdrom \Device\CdRom1 82E701F8
Device \Driver\atapi \Device\Ide\IdePort0 [F7396B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [F7396B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort2 [F7396B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-10 [F7396B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\NetBT \Device\NetBt_Wins_Export 823FB1F8
Device \Driver\PCI_PNP2374 \Device\0000003f spuv.sys
Device \Driver\NetBT \Device\NetBT_Tcpip_{90DF2E26-0480-4F5A-A38D-23456751C6FC} 823FB1F8
Device \Driver\NetBT \Device\NetbiosSmb 823FB1F8
Device \Driver\usbohci \Device\USBFDO-0 82E561F8
Device \Driver\usbohci \Device\USBFDO-1 82E561F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 823F71F8
Device \Driver\usbehci \Device\USBFDO-2 82E751F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 823F71F8
Device \Driver\usbohci \Device\USBFDO-3 82E561F8
Device \Driver\usbohci \Device\USBFDO-4 82E561F8
Device \Driver\Ftdisk \Device\FtControl 82F6C1F8
Device \Driver\usbehci \Device\USBFDO-5 82E751F8
Device \Driver\usbohci \Device\USBFDO-6 82E561F8
Device \Driver\sptd \Device\24462374 spuv.sys
Device \Driver\aag4abxz \Device\Scsi\aag4abxz1 82E771F8
Device \Driver\aag4abxz \Device\Scsi\aag4abxz1Port3Path0Target0Lun0 82E771F8
Device \FileSystem\Cdfs \Cdfs 823BF1F8
Device -> \Driver\atapi \Device\Harddisk0\DR0 82D9FEC5
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x34 0xF5 0x6F 0x07 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x75 0xA1 0x2D 0x1D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x49 0x28 0x8C 0xBC ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x2F 0xD8 0xEF 0x8C ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x75 0xA1 0x2D 0x1D ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x49 0x28 0x8C 0xBC ...
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\DRIVERS\mouclass.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
---- EOF - GMER 1.0.15 ----
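A GMER log like the one above is plain text with `---- Section - GMER x.y.z ----` headers, and most of the triage work is the same every time: group the SSDT hooks by the module that installed them, pull out kernel modules GMER could not read back from disk, separate user-mode inline hooks whose JMP target GMER attributed to a module from those it could not, note the device entries GMER marks with `->` or `[unknown section]`, and cross-reference any "suspicious modification" file against the Devices section. The following script is an added example written for this page; it is not code from the poster, from BleepingComputer, or from GMER. The red-flag rules are my own heuristics (assumptions about what is worth a second look, not a verdict), and `SAMPLE_LOG` is constructed from a handful of lines copied out of the log above so the script runs offline.

```python
"""Parse a GMER text log into sections and apply simple triage heuristics.
Added example for this page; the rules below are the author's assumptions,
not GMER's own logic."""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(\w+)\s+\[0x[0-9A-Fa-f]+\]$")
USERHOOK_RE = re.compile(
    r"^\.text\s+(.+?)\[(\d+)\]\s+(\S+!\S+)\s+[0-9A-F]+\s+\d+ Bytes\s+JMP\s+[0-9A-F]+(.*)$")
FILE_RE = re.compile(r"^File\s+(.+?)\s+suspicious modification$")

# Constructed sample: a few lines copied from the log on this page plus its header.
SAMPLE_LOG = r"""GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-10-05 19:47:25
Windows 5.1.2600 Service Pack 3
---- System - GMER 1.0.15 ----
SSDT spuv.sys ZwCreateKey [0xF741C0E0]
SSDT spuv.sys ZwOpenKey [0xF741C0C0]
---- Kernel code sections - GMER 1.0.15 ----
? spuv.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F31D18AC 5 Bytes JMP 82E6E4E0
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\Explorer.EXE[184] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C4000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1232] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
---- Devices - GMER 1.0.15 ----
Device \Driver\atapi \Device\Ide\IdePort0 [F7396B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]}
Device \Driver\sptd \Device\24462374 spuv.sys
Device -> \Driver\atapi \Device\Harddisk0\DR0 82D9FEC5
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
---- EOF - GMER 1.0.15 ----
"""


def parse_gmer(text):
    """Split a GMER log into {section name: [entry lines]}; lines before the
    first section header are filed under 'Header'."""
    sections = defaultdict(list)
    current = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        sections[current].append(line)
    return dict(sections)


def triage(sections):
    """Return a list of findings (dicts with a 'kind' key) from heuristic rules.
    These rules are assumptions about what deserves a closer look."""
    findings = []

    # Rule 1: SSDT hooks, grouped by the module GMER names as the hooker.
    by_module = defaultdict(list)
    for line in sections.get("System", []):
        m = SSDT_RE.match(line)
        if m:
            by_module[m.group(1)].append(m.group(2))
    for module, funcs in sorted(by_module.items()):
        findings.append({"kind": "ssdt_hook", "module": module, "functions": funcs})

    # Rule 2: a loaded kernel module whose file GMER cannot find on disk.
    for line in sections.get("Kernel code sections", []):
        if line.startswith("?") and "cannot find the file" in line:
            findings.append({"kind": "kernel_module_not_on_disk", "module": line.split()[1]})

    # Rule 3: user-mode inline JMP hooks with no module attribution after the target.
    for line in sections.get("User code sections", []):
        m = USERHOOK_RE.match(line)
        if m and not m.group(4).strip():
            findings.append({"kind": "unattributed_user_hook", "process": m.group(1),
                             "pid": int(m.group(2)), "api": m.group(3)})

    # Rule 4: device entries GMER marks with '->' or whose handler lies in no known section.
    device_lines = sections.get("Devices", [])
    for line in device_lines:
        if line.startswith("Device ->"):
            findings.append({"kind": "device_arrow", "entry": line})
        elif "[unknown section]" in line:
            findings.append({"kind": "handler_unknown_section", "entry": line})

    # Rule 5: modified files, cross-referenced against driver names in the Devices section.
    for line in sections.get("Files", []):
        m = FILE_RE.match(line)
        if m:
            name = m.group(1).rsplit("\\", 1)[-1].lower()
            seen = any(name in d.lower() for d in device_lines)
            findings.append({"kind": "file_modified", "path": m.group(1), "seen_in_devices": seen})
    return findings


if __name__ == "__main__":
    for finding in triage(parse_gmer(SAMPLE_LOG)):
        print(finding)
```

To run it over a real log, replace `SAMPLE_LOG` with the file contents (GMER saves ANSI text, so open it with `encoding="mbcs"` on Windows or `errors="replace"` elsewhere). The output is a worklist, not a diagnosis: an SSDT hook from a disc-emulation driver and an unattributed JMP in a browser process can both have benign explanations, so each finding still has to be checked against what is actually installed on the machine.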