
Fake system warning msgs


  • This topic is locked
1 reply to this topic

#1 damiths

  • Members
  • 14 posts
  • OFFLINE
  • Local time:06:45 AM

Posted 08 August 2011 - 09:24 AM

Lately I have been getting fake system warnings and error reports that cause pop-ups to appear in my tray every minute or so.

Warnings say things like

System Warning - Keep your computer safe from viruses and malicious programs

System warning - Spyware protection is disabled. Your personal data is at high risk of being stolen and misused

Error - Your computer is infected with Spyware! Detected malicious programs can damage your computer and compromise your privacy. It is strongly recommended to remove them immediately.

Usually I can click OK on these pop ups and nothing happens. But they appear over and over again making the PC very slow.

I run Win XP / SP3.

Tried to run the DDS log but it appeared for a min and closed when I double-clicked on the file.

Below is the GMER log.

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-08-09 00:23:25
Windows 5.1.2600 Service Pack 3, v.6055 Harddisk0\DR0 -> \Device\Ide\IdePort2 WDC_WD400BB-00JHC0 rev.05.01C05
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kfadiaob.sys


---- System - GMER 1.0.15 ----

SSDT spqz.sys ZwCreateKey [0xF73E70E0]
SSDT spqz.sys ZwEnumerateKey [0xF73FFDA4]
SSDT spqz.sys ZwEnumerateValueKey [0xF7400132]
SSDT spqz.sys ZwOpenKey [0xF73E70C0]
SSDT spqz.sys ZwQueryKey [0xF740020A]
SSDT spqz.sys ZwQueryValueKey [0xF740008A]
SSDT spqz.sys ZwSetValueKey [0xF740029C]

INT 0x62 ? 8438BBF8
INT 0x73 ? 84319BF8
INT 0x82 ? 8438BBF8
INT 0x83 ? 8438BBF8
INT 0x83 ? 8438BBF8
INT 0x83 ? 84319BF8
INT 0x83 ? 8438BBF8
INT 0xB4 ? 84319BF8

---- Kernel code sections - GMER 1.0.15 ----

? spqz.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F719E8AC 5 Bytes JMP 843191D8
.text af5j765r.SYS F714D386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text af5j765r.SYS F714D3AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text af5j765r.SYS F714D3C4 3 Bytes [00, 80, 02]
.text af5j765r.SYS F714D3C9 1 Byte [30]
.text af5j765r.SYS F714D3C9 11 Bytes [30, 00, 00, 00, 5E, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESI; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[376] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0152000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[376] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0153000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[376] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0151000C
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1040] USER32.dll!SetWindowLongA 7E41DE3D 5 Bytes JMP 1068EDA6 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1040] USER32.dll!SetWindowLongW 7E41DE5B 5 Bytes JMP 1068ED38 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1040] USER32.dll!GetWindowInfo 7E41E142 5 Bytes JMP 104A5451 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1040] USER32.dll!TrackPopupMenu 7E465316 5 Bytes JMP 104A5A99 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\WINDOWS\system32\svchost.exe[1044] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00E0000A
.text C:\WINDOWS\system32\svchost.exe[1044] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00E1000A
.text C:\WINDOWS\system32\svchost.exe[1044] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00DF000C
.text C:\WINDOWS\system32\svchost.exe[1044] USER32.dll!GetCursorPos 7E41BD6E 5 Bytes JMP 01A7000A
.text C:\WINDOWS\system32\svchost.exe[1044] USER32.dll!WindowFromPoint 7E41BD86 5 Bytes JMP 01A8000A
.text C:\WINDOWS\system32\svchost.exe[1044] USER32.dll!GetForegroundWindow 7E41BE43 5 Bytes JMP 01A9000A
.text C:\WINDOWS\system32\svchost.exe[1044] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 01A6000A
.text C:\WINDOWS\Explorer.EXE[1732] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BA000A
.text C:\WINDOWS\Explorer.EXE[1732] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BB000A
.text C:\WINDOWS\Explorer.EXE[1732] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B9000C

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 843891F8
Device \FileSystem\Fastfat \FatCdrom 8400C1F8

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\PCI_PNP8132 \Device\00000040 spqz.sys
Device \Driver\PCI_PNP8132 \Device\00000040 spqz.sys
Device \Driver\usbuhci \Device\USBPDO-0 8433E1F8
Device \Driver\usbuhci \Device\USBPDO-1 8433E1F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8438C1F8
Device \Driver\dmio \Device\DmControl\DmConfig 8438C1F8
Device \Driver\dmio \Device\DmControl\DmPnP 8438C1F8
Device \Driver\dmio \Device\DmControl\DmInfo 8438C1F8
Device \Driver\usbuhci \Device\USBPDO-2 8433E1F8
Device \Driver\usbuhci \Device\USBPDO-3 8433E1F8
Device \Driver\usbehci \Device\USBPDO-4 8433A1F8

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Ftdisk \Device\HarddiskVolume1 8438D1F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8438D1F8
Device \Driver\Cdrom \Device\CdRom0 843181F8
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8428731B
Device \Driver\atapi \Device\Ide\IdePort0 [F733BB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP2T0L0-1b 8428731B
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-1b [F733BB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8428731B
Device \Driver\atapi \Device\Ide\IdePort1 [F733BB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8428731B
Device \Driver\atapi \Device\Ide\IdePort2 [F733BB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 8428731B
Device \Driver\atapi \Device\Ide\IdePort3 [F733BB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP3T1L0-10 8428731B
Device \Driver\atapi \Device\Ide\IdeDeviceP3T1L0-10 [F733BB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP3T0L0-8 8428731B
Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-8 [F733BB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\Ftdisk \Device\HarddiskVolume3 8438D1F8
Device \Driver\Cdrom \Device\CdRom1 843181F8
Device \Driver\Cdrom \Device\CdRom2 843181F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 840621F8
Device \Driver\NetBT \Device\NetbiosSmb 840621F8

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbuhci \Device\USBFDO-0 8433E1F8
Device \Driver\usbuhci \Device\USBFDO-1 8433E1F8
Device \Driver\USBSTOR \Device\0000007b 83E9E1F8
Device \Driver\usbuhci \Device\USBFDO-2 8433E1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{B8DA7D0F-61CD-413E-8F06-AD2FFC6C8F93} 840621F8
Device \Driver\USBSTOR \Device\0000007c 83E9E1F8
Device \Driver\usbuhci \Device\USBFDO-3 8433E1F8
Device \Driver\usbehci \Device\USBFDO-4 8433A1F8
Device \Driver\Ftdisk \Device\FtControl 8438D1F8
Device \Driver\sptd \Device\707291882 spqz.sys
Device \Driver\af5j765r \Device\Scsi\af5j765r1Port4Path0Target0Lun0 842061F8
Device \Driver\af5j765r \Device\Scsi\af5j765r1 842061F8
Device \FileSystem\Fastfat \Fat 8400C1F8
Device \FileSystem\Cdfs \Cdfs 8402A1F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xB5 0x85 0x09 0x74 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x95 0x5A 0x1B 0xCB ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x00 0x0D 0x7C 0x40 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xB5 0x85 0x09 0x74 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x95 0x5A 0x1B 0xCB ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x00 0x0D 0x7C 0x40 ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB32708$\2357857457 0 bytes
File C:\WINDOWS\$NtUninstallKB32708$\2357857457\L 0 bytes
File C:\WINDOWS\$NtUninstallKB32708$\2357857457\U 0 bytes
File C:\WINDOWS\$NtUninstallKB32708$\824289560 0 bytes

---- EOF - GMER 1.0.15 ----

#2 Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:45 AM

Posted 08 August 2011 - 06:38 PM

As you are being helped here: http://www.bleepingcomputer.com/forums/topic413382.html I will close this topic.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw
