Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Internet connection acting strange/cant open Adminastrive tools?


  • Please log in to reply
No replies to this topic

#1 Pajajn

Pajajn

  • Members
  • 357 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:127.0.0.1
  • Local time:11:45 PM

Posted 12 February 2011 - 03:49 PM

Hi everyone, this started today morning
Ive had troubles with the internet whole day losing connection, cant login to router and cant open certain files like Adminastrive Tools in controlpanel

Am i infected by a SSDT attack? i ran GMER and found these strange types

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-02-12 22:01:45
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 SAMSUNG_HD103SJ rev.1AJ10001
Running: 1m54bt4t.exe; Driver: C:\DOCUME~1\Removed\LOCALS~1\Temp\kgkcapoc.sys


---- System - GMER 1.0.15 ----

SSDT            89B2A050                                                                                     ZwAlertResumeThread
SSDT            894AB050                                                                                     ZwAlertThread
SSDT            89460740                                                                                     ZwAllocateVirtualMemory
SSDT            8951F050                                                                                     ZwAssignProcessToJobObject
SSDT            89B9A588                                                                                     ZwConnectPort
SSDT            \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)   ZwCreateKey [0xB280C210]
SSDT            89455780                                                                                     ZwCreateMutant
SSDT            8944FD38                                                                                     ZwCreateSymbolicLinkObject
SSDT            89B44D38                                                                                     ZwCreateThread
SSDT            894A8050                                                                                     ZwDebugActiveProcess
SSDT            \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)   ZwDeleteKey [0xB280C490]
SSDT            \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)   ZwDeleteValueKey [0xB280C9F0]
SSDT            89460958                                                                                     ZwDuplicateObject
SSDT            894600E0                                                                                     ZwFreeVirtualMemory
SSDT            89B29050                                                                                     ZwImpersonateAnonymousToken
SSDT            894AA050                                                                                     ZwImpersonateThread
SSDT            89BD8730                                                                                     ZwLoadDriver
SSDT            8945FF30                                                                                     ZwMapViewOfSection
SSDT            89B28050                                                                                     ZwOpenEvent
SSDT            89460C38                                                                                     ZwOpenProcess
SSDT            89B140C0                                                                                     ZwOpenProcessToken
SSDT            89B26050                                                                                     ZwOpenSection
SSDT            89460AE8                                                                                     ZwOpenThread
SSDT            89450430                                                                                     ZwProtectVirtualMemory
SSDT            89523050                                                                                     ZwResumeThread
SSDT            89524050                                                                                     ZwSetContextThread
SSDT            8945FCD8                                                                                     ZwSetInformationProcess
SSDT            89B08050                                                                                     ZwSetSystemInformation
SSDT            \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)   ZwSetValueKey [0xB280CC40]
SSDT            89B27050                                                                                     ZwSuspendProcess
SSDT            89B2B050                                                                                     ZwSuspendThread
SSDT            89AF9A00                                                                                     ZwTerminateProcess
SSDT            89B0B050                                                                                     ZwTerminateThread
SSDT            894AD050                                                                                     ZwUnmapViewOfSection
SSDT            894602F0                                                                                     ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text           ntkrnlpa.exe!ZwCallbackReturn + 2D94                                                         80503C70 4 Bytes  CALL 38D9827F 
?               SYMDS.SYS                                                                                    The system cannot find the file specified. !
?               SYMEFA.SYS                                                                                   The system cannot find the file specified. !
.text           C:\WINDOWS\system32\DRIVERS\nv4_mini.sys                                                     section is writeable [0xB53F53A0, 0x5CC319, 0xE8000020]
pnidata         C:\WINDOWS\system32\DRIVERS\secdrv.sys                                                       unknown last section [0xB0ED2F00, 0x24000, 0x48000000]

---- User code sections - GMER 1.0.15 ----

.text           C:\Program Files\Mozilla Firefox\firefox.exe[3372] ntdll.dll!RtlValidateUnicodeString + 553  7C9161C5 10 Bytes  JMP 0202003A 

---- Devices - GMER 1.0.15 ----

Device                                                                                                       Ntfs.sys (NT File System Driver/Microsoft Corporation)

AttachedDevice  \Driver\Tcpip \Device\Ip                                                                     SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                    SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice  \Driver\Tcpip \Device\Udp                                                                    SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                  SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device                                                                                                       mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device                                                                                                       Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----



Managed to get it open with cmd command and this is what shows in the
System log: http://img98.imageshack.us/i/systemlog.jpg/
Application log: http://img707.imageshack.us/i/applicationlog.jpg/

I have Norton Internet Security 2011 installed * and windows firewall off

could anyone analyse my computer for infections or rootkit or other attacks? ive posted a GMER log *

Thanks everyone

Edited by Orange Blossom, 25 November 2012 - 10:51 PM.


BC AdBot (Login to Remove)

 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users