Undetected rootkits, or corrupted registry files

#1 rustypelican

Posted 20 October 2010 - 11:59 AM

What I have done: uninstalled McAfee before (due to a non-working license); ran full MBAM scans with 0 threats; ran Spybot S&D with 0 threats other than the Gamevance.playsushi folder that it always finds (cleaned eons ago); ran ComboFix (allegedly cleaned unknown virus/trojan/worms); installed and ran Kaspersky, which found the aforementioned ComboFix C:\123~ files; uninstalled Kaspersky with their uninstall utility; installed ESET Smart Security and ran a 5-hour scan that only found, to the best of my knowledge, false positives (USBMR.. mouse overclocker [deemed secure since I have had it for ages and it was not a threat according to McAfee, Kaspersky and numerous other antispyware programs]).

How this happened: I was browsing the internet and got hit with a Java-applet-launched Windows Media Player (unusual behavior) out of the blue; that is when I knew I needed to do what I did in the first paragraph. Needless to say there might be a flurry of unknown problems happening, because the GMER log supposedly detected rootkit activity. I thought I was clean, and I regularly clean and delete unnecessary temporary files and the Firefox/IE cache... I only recently updated my OS from SP2 to SP3, which is slightly faster. I also encounter many NT.DAT and IE.5 files that I do not understand being there (I do not use IE, only Firefox, and only recently Google Chrome, because Firefox was the browser in which the exploit launched Java) [ComboFix found a scriptf.dll; I forget the name of this, but it was a Java- and McAfee-related file. A backdoor worm/rootkit that went undetected by McAfee and overwrote its files, etc.?].

The computer is not slow and there are no noticeable performance issues; I can only say that I do not know what is going on, because antivirus programs are not catching what Spyware Doctor seems to be catching in a quick 1-minute scan. Downloader-trojan.Murlo (with multiple CATCHME registry entries) is the biggest concern. I do know what I am doing wrong, and I do not own a license to Spyware Doctor to remove those entries. I do not know if it is me not uninstalling ComboFix to remove what it found, or if there is something that I am not doing correctly. I am also noticing that Windows stalls at the "Saving settings" screen during shutdown. I would like to post a GMER log first and see if I can get more help, and I do not want to delete these LEGACY...CATCHME 0000001 type registry entries because I do not want to mess up my computer. So the question is: am I infected, and what should I do? Too many conflicting scan results that are not making any sense.

GMER - http://www.gmer.net
Rootkit scan 2010-10-20 08:25:56
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Compu\LOCALS~1\Temp\kwaiakow.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwAssignProcessToJobObject [0xAC89C610]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xB9EF2112]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xB9ED12D6]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xB9ED14C8]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwDebugActiveProcess [0xAC89CC10]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xB9EF2900]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xB9EF2BB4]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwDuplicateObject [0xAC89C730]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xB9EF0E12]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenProcess [0xAC89C4B0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenThread [0xAC89C570]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwProtectVirtualMemory [0xAC89C6D0]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xB9EF3020]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetContextThread [0xAC89C690]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetInformationThread [0xAC89C650]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetSecurityObject [0xAC89C7D0]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xB9EF23D2]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendProcess [0xAC89C510]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendThread [0xAC89C590]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xB9ED0F44]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwTerminateThread [0xAC89C5D0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwWriteVirtualMemory [0xAC89C750]

Code \??\C:\DOCUME~1\Compu\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB91B9000, 0x273B67, 0xE8000020]
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !
? C:\DOCUME~1\Compu\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !
? C:\DOCUME~1\Compu\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[128] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00860001
.text C:\WINDOWS\system32\Ati2evxx.exe[232] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 010E0001
.text C:\WINDOWS\system32\svchost.exe[256] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00A20001
.text C:\WINDOWS\system32\svchost.exe[384] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00EE0001
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01920001
.text ...
.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1536] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]
.text C:\Program Files\Spyware Terminator\sp_rsser.exe[1720] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 006A0001
.text C:\WINDOWS\system32\csrss.exe[1748] KERNEL32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00F50001
.text C:\WINDOWS\system32\winlogon.exe[1796] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01510001
.text C:\WINDOWS\system32\svchost.exe[1844] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 009C0001
.text C:\WINDOWS\system32\services.exe[1908] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00760001
.text ...

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)

Device \Driver\PCTSDInjDriver32 \Device\PCTSDInjDriver32 PCTSDInj32.sys

AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xCB 0x0C 0xF0 0x9D ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xCB 0x0C 0xF0 0x9D ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xCB 0x0C 0xF0 0x9D ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG10.00.00.01WORKSTATION
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG12.00.00.01PROFESSIONAL
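As an added example, not code from the original post or from GMER itself: a small Python triage script that reads lines constructed from the log above and does the three checks a responder would do by hand before deciding what to delete. It attributes each SSDT hook to the driver that set it (GMER prints the driver's "(description/vendor)" in parentheses only when it can read the file's version information, so a hooker without one is the first thing to look at); it lists drivers that GMER still references but whose file is gone from disk; and it groups the user-mode inline hooks by API, so that one API patched identically across unrelated processes, system processes such as csrss and winlogon included, stands out as a single system-wide injector rather than per-process malware. The `example_unattributed.sys` line is synthetic, labelled as such in the code, and exists only to exercise the unattributed path; everything else in the fixture is taken from the posted log.

```python
"""Triage a GMER 1.0.15 log: who set each SSDT hook, which loaded drivers have lost
their file, which user-mode patches repeat system-wide. Added example, not GMER code."""
import re
from collections import defaultdict

# Excerpt constructed from the GMER log posted above (abbreviated, same line formats).
LOG_FROM_POST = r"""
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwAssignProcessToJobObject [0xAC89C610]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xB9EF2112]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenProcess [0xAC89C4B0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwWriteVirtualMemory [0xAC89C750]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xB9ED0F44]
---- Kernel code sections - GMER 1.0.15 ----
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !
? C:\DOCUME~1\Compu\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !
? C:\DOCUME~1\Compu\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[128] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00860001
.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1536] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]
.text C:\WINDOWS\system32\csrss.exe[1748] KERNEL32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00F50001
.text C:\WINDOWS\system32\winlogon.exe[1796] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01510001
.text ...
"""
# Synthetic line, NOT from the post: an SSDT hooker GMER could not describe (no "(desc/vendor)").
SYNTHETIC_UNATTRIBUTED = r"SSDT \??\C:\WINDOWS\system32\drivers\example_unattributed.sys ZwOpenProcess [0xB0000000]"

SSDT_RE = re.compile(r"^SSDT\s+(?P<module>\S+)(?:\s+\((?P<desc>[^)]*)\))?\s+(?P<func>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]$")
MISSING_RE = re.compile(r"^\?\s+(?P<path>.+?)\s+The system cannot find the file specified\. !$")
USER_RE = re.compile(r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<api>\S+!\S+)"
                     r"(?:\s+\+\s+(?P<off>[0-9A-F]+))?\s+(?P<addr>[0-9A-F]{8})\s+(?P<n>\d+) Bytes\s+(?P<patch>.+)$")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_gmer(text):
    """Sort the recognised entry kinds of a GMER log; anything else lands in 'unparsed'."""
    out = {"ssdt": [], "missing": [], "user": [], "unparsed": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue
        if m := SSDT_RE.match(line):
            e = m.groupdict()
            e["module"] = basename(e["module"]).lower()
            # GMER prints "(description/vendor)" only when it can read the driver's version info.
            e["vendor"] = e["desc"].rsplit("/", 1)[-1].strip() if e["desc"] else None
            out["ssdt"].append(e)
        elif m := MISSING_RE.match(line):
            out["missing"].append(m.group("path"))
        elif m := USER_RE.match(line):
            e = m.groupdict()
            e["api"] = e["api"].lower()           # csrss shows KERNEL32.dll, the rest kernel32.dll
            e["kind"] = "BYTES" if e["patch"].startswith("[") else e["patch"].split()[0]
            out["user"].append(e)
        else:
            out["unparsed"].append(line)          # e.g. GMER's own ".text ..." elision
    return out


def triage(text):
    p = parse_gmer(text)
    ssdt_by_module = defaultdict(lambda: {"vendor": None, "hooked": []})
    for e in p["ssdt"]:
        ssdt_by_module[e["module"]]["vendor"] = e["vendor"]
        ssdt_by_module[e["module"]]["hooked"].append(e["func"])
    # A hooker with no readable description is the first thing to look at: security drivers
    # normally carry version info, rootkit drivers often do not.
    unattributed = sorted(m for m, s in ssdt_by_module.items() if s["vendor"] is None)

    user_by_api = defaultdict(lambda: {"processes": [], "kinds": set(), "offsets": set()})
    for e in p["user"]:
        s = user_by_api[e["api"]]
        s["processes"].append(f"{basename(e['proc'])}[{e['pid']}]")
        s["kinds"].add(e["kind"])
        s["offsets"].add(e["off"] or "0")
    # Same API, same offset, same patch type in 3+ unrelated processes (csrss, winlogon...)
    # points at one system-wide injector, not at per-process malware.
    systemwide = sorted(a for a, s in user_by_api.items()
                        if len(s["processes"]) >= 3 and len(s["kinds"]) == 1 and len(s["offsets"]) == 1)
    return {"ssdt_by_module": dict(ssdt_by_module), "unattributed_ssdt": unattributed,
            "missing_driver_files": [basename(x) for x in p["missing"]],
            "user_hooks_by_api": dict(user_by_api), "systemwide_user_hooks": systemwide,
            "unparsed": p["unparsed"]}


if __name__ == "__main__":
    r = triage(LOG_FROM_POST)
    for mod, s in r["ssdt_by_module"].items():
        print(f"SSDT {mod:<12} {s['vendor'] or 'UNATTRIBUTED':<9} {', '.join(s['hooked'])}")
    print("unattributed SSDT hookers:", r["unattributed_ssdt"] or "none")
    print("loaded drivers whose file is gone:", r["missing_driver_files"])
    print("identical system-wide user hooks:", r["systemwide_user_hooks"])
    print("with synthetic line:", triage(LOG_FROM_POST + "\n" + SYNTHETIC_UNATTRIBUTED)["unattributed_ssdt"])
```

Run against the posted log, every SSDT hook resolves to ESET's ehdrv.sys or PC Tools' PCTCore.sys, and the unattributed list is empty. The three missing driver files are tools' drivers rather than payloads: PROCEXP113.SYS is the kernel driver Sysinternals Process Explorer loads, and catchme.sys and mbr.sys are the drivers that the catchme and mbr utilities (written by the GMER author and bundled with ComboFix) load from Temp and delete again, which is exactly the "file not found" shape GMER reports here. The LoadLibraryExW patch is a 4-byte CALL at the same offset in every listed process; the cross-check a practitioner would add is the Devices section above, where `\Driver\PCTSDInjDriver32` backed by PCTSDInj32.sys follows the same PCT naming as PCTCore.sys. What is left after that ordering is the list worth asking the helper about.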

#2 Orange Blossom

Posted 21 October 2010 - 11:34 PM


You have posted a topic here: http://www.bleepingcomputer.com/forums/topic354453.html on this issue. Because you have this topic posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
