avira 'access denied' and hooked func.


  • This topic is locked
2 replies to this topic

#1 leker

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:48 PM

Posted 09 June 2011 - 02:30 PM

Hi to all,

Mod Edit: Merged 3 posts ~ Hamluis.

For the last 3-4 weeks Avira has popped up every 15-30 min with this
message:
a virus or unwanted program 'TR/SPY.GEN2' was found in file
'F:\Program Files\Comodo\COMODO Internet Security\Quarantine\Temp\CAV4C4.tmp'
Access to this file was denied.

and this message:
Antivir guard detected 2 viruses or unwanted program.
Access was denied.

I opened Comodo and looked at Quarantine; it was empty.
I have reinstalled Comodo, but it is the same.

Yesterday I started Helios (an old program) and got the message:

52 hooked func
and
many hidden processes

Today I ran RootRepeal.

The report is attached.


Sorry for my bad English.





ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2011/06/09 20:11
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: catchme.sys
Image Path: F:\DOCUME~1\lexp\LOCALS~1\Temp\catchme.sys
Address: 0xBA430000 Size: 31744 File Visible: No Signed: -
Status: -

Name: PROCEXP113.SYS
Image Path: F:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Address: 0xBA640000 Size: 7872 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: F:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA4082000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: F:\WINDOWS\PEV.exe
Status: Locked to the Windows API!

Path: F:\Program Files\COMODO\COMODO Internet Security\Quarantine
Status: Locked to the Windows API!

Path: F:\WINDOWS\ERDNT\Hiv-backup\ERDNT.EXE
Status: Locked to the Windows API!

Path: \\?\F:\Program Files\COMODO\COMODO Internet Security\Quarantine\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: F:\Program Files\COMODO\COMODO Internet Security\Quarantine\Temp
Status: Invisible to the Windows API!

Path: \\?\F:\Program Files\COMODO\COMODO Internet Security\Quarantine\Temp\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: F:\Program Files\COMODO\COMODO Internet Security\Quarantine\Temp\baseupd
Status: Invisible to the Windows API!

Path: \\?\F:\Program Files\COMODO\COMODO Internet Security\Quarantine\Temp\baseupd\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: F:\Documents and Settings\lexp\Local Settings\Apps\2.0\3T0DBH7A.QO9\RHM0JL7E.OY4\manifests\clickonce_bootstrap.exe.cdf-ms
Status: Locked to the Windows API!

Path: F:\Documents and Settings\lexp\Local Settings\Apps\2.0\3T0DBH7A.QO9\RHM0JL7E.OY4\manifests\clickonce_bootstrap.exe.manifest
Status: Locked to the Windows API!

SSDT
-------------------
#: 011 Function Name: NtAdjustPrivilegesToken
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81cd8b2

#: 031 Function Name: NtConnectPort
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81cce48

#: 037 Function Name: NtCreateFile
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81cd518

#: 041 Function Name: NtCreateKey
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81ce126

#: 046 Function Name: NtCreatePort
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81ccd28

#: 050 Function Name: NtCreateSection
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81d01e0

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81d0568

#: 053 Function Name: NtCreateThread
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81cc714

#: 063 Function Name: NtDeleteKey
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81cda9e

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81cdc9e

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81cc51a

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81ce864

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81ceaba

#: 097 Function Name: NtLoadDriver
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81cfbf0

#: 105 Function Name: NtMakeTemporaryObject
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81cd110

#: 116 Function Name: NtOpenFile
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81cd6f4

#: 119 Function Name: NtOpenKey
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81ce116

#: 122 Function Name: NtOpenProcess
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81cc148

#: 125 Function Name: NtOpenSection
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81cd3b4

#: 128 Function Name: NtOpenThread
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81cc34c

#: 160 Function Name: NtQueryKey
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81cecc8

#: 161 Function Name: NtQueryMultipleValueKey
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81cf11c

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81ceeda

#: 192 Function Name: NtRenameKey
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81ce67c

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81cf68c

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81cf940

#: 237 Function Name: NtSetSecurityObject
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81cdeee

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81cfee8

#: 247 Function Name: NtSetValueKey
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81ce3f4

#: 249 Function Name: NtShutdownSystem
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81cd07a

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81cd2a0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81ccb2a

#: 258 Function Name: NtTerminateThread
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81cc918

Shadow SSDT
-------------------
#: 013 Function Name: NtGdiBitBlt
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81d2788

#: 122 Function Name: NtGdiDeleteObjectApp
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81d3034

#: 227 Function Name: NtGdiMaskBlt
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81d28c8

#: 233 Function Name: NtGdiOpenDCW
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81d2eee

#: 237 Function Name: NtGdiPlgBlt
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81d2a14

#: 292 Function Name: NtGdiStretchBlt
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81d2b54

#: 310 Function Name: NtUserBlockInput
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81d2600

#: 319 Function Name: NtUserCallHwndParamLock
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81d1648

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81d22a6

#: 389 Function Name: NtUserGetClipboardData
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81d2c9a

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81d1fee

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81d2142

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81d1c78

#: 465 Function Name: NtUserMoveWindow
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81d1344

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81d1902

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81d1abc

#: 490 Function Name: NtUserRegisterHotKey
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81d2dbe

#: 491 Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81d240a

#: 502 Function Name: NtUserSendInput
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81d1e80

#: 509 Function Name: NtUserSetClipboardViewer
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81d2508

#: 529 Function Name: NtUserSetParent
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81d14d4

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81d3072

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81d3308

#: 559 Function Name: NtUserSystemParametersInfo
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81d17e6

==EOF==

Edit: Moved topic from XP to the more appropriate forum. ~ Animal

I have run ComboFix and got this warning:

found rootkit zero access in tcp/ip stack

I will post all logs.

I have run ComboFix twice.
The first time I ran ComboFix it deleted the file F:\WINDOWS\system32\1055\dwintl.dll
but could not delete the path F:\WINDOWS\system32\1055



Edited by hamluis, 11 June 2011 - 11:15 AM.
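A triage helper for reports like the one above, added here as an example and not part of the thread or of RootRepeal itself. It parses the "Hidden/Locked Files", "SSDT" and "Shadow SSDT" sections of a RootRepeal log, groups every hook by the driver that installed it, and flags drivers that are not on an analyst-maintained allowlist. Every hook in the posted report belongs to cmdguard.sys, the kernel driver of COMODO Internet Security, which the same log shows installed on the machine, so the raw hook count by itself does not indicate a rootkit; the grouping below makes that visible. The sample log is a constructed excerpt in RootRepeal's format, the driver name unknown_example.sys is invented for the demonstration, and the allowlist is an assumption rather than a vendor-verified list.

```python
"""Triage helper for RootRepeal-style reports (added example, not the thread's or RootRepeal's code).

Groups SSDT / Shadow SSDT hooks by the installing module and lists paths the
Windows API could not open. Error 0x00000005 is ERROR_ACCESS_DENIED.
"""
import re
from collections import defaultdict

# Constructed excerpt in RootRepeal's report format; unknown_example.sys is invented.
SAMPLE_LOG = r"""Hidden/Locked Files
-------------------
Path: F:\WINDOWS\PEV.exe
Status: Locked to the Windows API!

Path: \\?\F:\Program Files\COMODO\COMODO Internet Security\Quarantine\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: F:\Program Files\COMODO\COMODO Internet Security\Quarantine\Temp
Status: Invisible to the Windows API!

SSDT
-------------------
#: 037 Function Name: NtCreateFile
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81cd518

#: 122 Function Name: NtOpenProcess
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81cc148

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\unknown_example.sys" at address 0xa8000000

Shadow SSDT
-------------------
#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "F:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa81d22a6

==EOF==
"""

SECTION_RE = re.compile(r"^(Drivers|Hidden/Locked Files|SSDT|Shadow SSDT)$")
HOOK_RE = re.compile(r"^#: (\d+) Function Name: (\w+)$")
HOOKED_BY_RE = re.compile(r'^Status: Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)$')
PATH_RE = re.compile(r"^Path: (.+)$")
STATUS_RE = re.compile(r"^Status: (.+)$")

# Assumption: analyst-maintained allowlist of drivers expected to hook the SSDT.
# cmdguard.sys is COMODO Internet Security's driver, as seen in the thread's log.
KNOWN_SECURITY_DRIVERS = {"cmdguard.sys"}


def parse_report(text):
    """Return (hooks, files).

    hooks: list of dicts with table, index, function, module, address.
    files: list of (path, status) from the Hidden/Locked Files section.
    """
    hooks, files = [], []
    section, pending = None, None  # pending = entry waiting for its Status line
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section, pending = m.group(1), None
            continue
        if section in ("SSDT", "Shadow SSDT"):
            m = HOOK_RE.match(line)
            if m:
                pending = (int(m.group(1)), m.group(2))
                continue
            m = HOOKED_BY_RE.match(line)
            if m and pending:
                idx, func = pending
                hooks.append({"table": section, "index": idx, "function": func,
                              "module": m.group(1), "address": m.group(2)})
                pending = None
        elif section == "Hidden/Locked Files":
            m = PATH_RE.match(line)
            if m:
                pending = m.group(1)
                continue
            m = STATUS_RE.match(line)
            if m and pending:
                files.append((pending, m.group(1)))
                pending = None
    return hooks, files


def hooks_by_module(hooks):
    """Map lower-cased driver file name -> list of hooked function names."""
    grouped = defaultdict(list)
    for h in hooks:
        grouped[h["module"].rsplit("\\", 1)[-1].lower()].append(h["function"])
    return dict(grouped)


def triage(text, allowlist=KNOWN_SECURITY_DRIVERS):
    """Summarise a report: hook counts per driver, drivers off the allowlist,
    and paths the Windows API was denied access to or could not see."""
    hooks, files = parse_report(text)
    grouped = hooks_by_module(hooks)
    unexpected = {mod: funcs for mod, funcs in grouped.items() if mod not in allowlist}
    denied = [p for p, s in files if "0x00000005" in s or "Invisible" in s]
    return {"total_hooks": len(hooks), "by_module": grouped,
            "unexpected_modules": unexpected, "access_denied_paths": denied}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{result['total_hooks']} hooks total")
    for mod, funcs in result["by_module"].items():
        tag = "" if mod in KNOWN_SECURITY_DRIVERS else "  <-- not on allowlist, verify signature"
        print(f"  {mod}: {len(funcs)} hook(s){tag}")
    for path in result["access_denied_paths"]:
        print(f"  access denied / hidden: {path}")
```

Drivers reported off the allowlist are a prompt to verify the file's digital signature and origin, not a verdict; the parser only separates hooks that a known product explains from hooks that still need an explanation.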


#2 leker

  • Topic Starter
  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:48 PM

Posted 13 June 2011 - 01:22 PM

Hi,

Please close the topic. I got help from doctus.org.

Thanks

#3 SweetTech (Agent ST)

  • Members
  • 13,421 posts
  • OFFLINE
  • Gender:Male
  • Location:Antarctica
  • Local time:03:48 PM

Posted 13 June 2011 - 01:44 PM

Thanks for letting us know.

This thread will now be closed.
