
ntoskrnl.exe Malware


  • This topic is locked
2 replies to this topic

#1 Morgify


Posted 12 February 2012 - 04:11 AM

After running a downloaded program, my Norton Security Suite popped up with the following: TrojanZeroaccess!kmem found on notskml in my system32 folder. Manual removal [through the antivirus program] did nothing. I was directed to download and run the Trojan.Zeroaccess Removal Tool; this also failed to remove or detect anything wrong.

Since contracting the malware, my Google searches have been redirected and popups appear on sites where popups never appeared before.

After a couple of hours of searching the problem, I downloaded and ran ComboFix, which I gave up on after the scan ran for an hour [it claimed 20 minutes max].
I've run Malwarebytes' Anti-Malware. After an 8-hour scan it found several problems but did not resolve my problem.

Results of screen317's Security Check version 0.99.31
Windows Vista Service Pack 2 x86 (UAC is disabled!)
Internet Explorer 8 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Java™ 6 Update 29
Java™ 6 Update 6
Java version out of date!
Adobe Flash Player 10.0.32.18 Flash Player out of Date!
Adobe Reader 8 Adobe Reader out of date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Norton ccSvcHst.exe
Malwarebytes' Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamgui.exe
``````````End of Log````````````


DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.19170
Run by Mike at 23:40:35 on 2012-02-11
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2813.1341 [GMT -8:00]
.
AV: Norton Security Suite *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Security Suite *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Security Suite *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\atashost.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\RtHDVCpl.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Norton Security Suite\Engine\5.2.0.13\ccSvcHst.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Norton Security Suite\Engine\5.2.0.13\ccSvcHst.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.hotmail.com/
uDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
uURLSearchHooks: IncrediMail MediaBar 2 Toolbar: {d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0} - c:\program files\incredimail_mediabar_2\prxtbIncr.dll
uURLSearchHooks: H - No File
mURLSearchHooks: IncrediMail MediaBar 2 Toolbar: {d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0} - c:\program files\incredimail_mediabar_2\prxtbIncr.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\5.2.0.13\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\5.2.0.13\ips\IPSBHO.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: IncrediMail MediaBar 2 Toolbar: {d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0} - c:\program files\incredimail_mediabar_2\prxtbIncr.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\5.2.0.13\coIEPlg.dll
TB: IncrediMail MediaBar 2 Toolbar: {d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0} - c:\program files\incredimail_mediabar_2\prxtbIncr.dll
TB: {88C7F2AA-F93F-432C-8F0E-B7D85967A527} - No File
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\TOSCDSPD.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Download] "c:\users\mike\appdata\local\supportsoft\ddoctorv2\mike\ssGet.exe" 120 "http://pcmctbc.cmc.motive.com/motivedocs/EasySolveInstaller.exe" "EasySolveInstaller.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [cfFncEnabler.exe] cfFncEnabler.exe
mRun: [ddoctorv2] "c:\program files\comcast\desktop doctor\bin\sprtcmd.exe" /P ddoctorv2
mRun: [<NO NAME>]
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\users\mike\appdata\roaming\micros~1\windows\startm~1\programs\startup\flipto~1.lnk - c:\program files\fliptoast\fliptoast.exe
StartupFolder: c:\users\mike\appdata\roaming\micros~1\windows\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{2863352B-78F6-4CA1-A9AD-693AF7C96463} : DhcpNameServer = 75.75.75.75 75.75.76.76
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0502000.00d\symds.sys [2012-2-8 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0502000.00d\symefa.sys [2012-2-8 744568]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\bashdefs\20120207.003\BHDrvx86.sys [2012-2-9 820344]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\ipsdefs\20120210.002\IDSvix86.sys [2012-2-10 368248]
R1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\drivers\jswpslwf.sys [2008-6-16 20384]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0502000.00d\ironx86.sys [2012-2-8 136312]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\n360\0502000.00d\symtdiv.sys [2012-2-8 331384]
R2 atashost;WebEx Service Host for Support Center;c:\windows\system32\atashost.exe [2010-3-4 20376]
R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2008-4-16 40960]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-2-11 652360]
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\5.2.0.13\ccsvchst.exe [2012-2-8 130008]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-2-4 106104]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2008-5-5 7168]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-2-11 20464]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 NecUsb3;USB3 Service;c:\windows\system32\svchost.exe -k NecUsb3Sevic [2008-1-20 21504]
S2 PASW;Process Activation Service;c:\windows\system32\psactive.exe [2012-2-8 5120]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\jumpstart\jswpsapi.exe [2008-6-16 954368]
S3 MusCDriverV32;MusCDriverV32;c:\windows\system32\drivers\MusCDriverV32.sys [2008-8-17 23096]
S3 MusCVideo32;MusCVideo32;c:\windows\system32\drivers\MusCVideo32.sys [2008-8-17 3768]
S3 SVRPEDRV;SVRPEDRV;c:\windows\system32\sysprep\PEDRV.SYS [2008-5-16 9216]
.
=============== Created Last 30 ================
.
2012-02-12 06:25:22 69632 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\CNMPP9O.DLL
2012-02-12 06:25:22 27136 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\CNMPD9O.DLL
2012-02-12 06:21:46 236032 ----a-w- c:\windows\system32\CNMLM9O.DLL
2012-02-11 10:58:53 -------- d-----w- c:\users\mike\appdata\roaming\Malwarebytes
2012-02-11 10:58:45 -------- d-----w- c:\programdata\Malwarebytes
2012-02-11 10:58:44 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-11 10:58:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-11 09:21:06 518144 ----a-w- c:\windows\SWREG.exe
2012-02-11 09:21:06 256000 ----a-w- c:\windows\PEV.exe
2012-02-11 09:21:06 208896 ----a-w- c:\windows\MBR.exe
2012-02-11 09:21:05 98816 ----a-w- c:\windows\sed.exe
2012-02-11 07:54:26 -------- d-----w- c:\users\mike\appdata\roaming\FixZeroAccess
2012-02-11 07:39:09 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-09 08:34:45 -------- d-----w- c:\program files\Swarm Gold
2012-02-09 08:34:31 -------- d-----w- c:\program files\ReflexiveArcade
2012-02-09 03:20:47 -------- d-----w- c:\program files\Settlers3
2012-02-09 03:15:00 5120 ----a-w- c:\windows\system32\psactive.exe
2012-02-09 02:28:22 7584 ----a-w- c:\windows\system32\fxmemmap.vxd
2012-02-09 02:28:22 365568 ----a-w- c:\windows\system32\glide2x.dll
2012-02-09 02:27:56 -------- d-----w- c:\program files\Maxis
2012-02-09 02:13:02 -------- d-----w- c:\users\mike\appdata\roaming\Sammsoft
2012-02-09 01:53:11 -------- d-----w- c:\users\mike\appdata\roaming\OpenCandy
2012-02-09 01:53:07 -------- d-----w- c:\program files\BitTorrent
2012-02-09 01:51:59 -------- d-----w- c:\users\mike\appdata\roaming\BitTorrent
2012-02-08 08:42:49 331384 ----a-w- c:\windows\system32\drivers\n360\0502000.00d\symtdiv.sys
2012-02-08 08:42:49 299640 ----a-w- c:\windows\system32\drivers\n360\0502000.00d\symnets.sys
2012-02-08 08:42:48 744568 ----a-w- c:\windows\system32\drivers\n360\0502000.00d\symefa.sys
2012-02-08 08:42:48 516216 ----a-w- c:\windows\system32\drivers\n360\0502000.00d\srtsp.sys
2012-02-08 08:42:48 50168 ----a-w- c:\windows\system32\drivers\n360\0502000.00d\srtspx.sys
2012-02-08 08:42:48 340088 ----a-w- c:\windows\system32\drivers\n360\0502000.00d\symds.sys
2012-02-08 08:42:48 136312 ----a-r- c:\windows\system32\drivers\n360\0502000.00d\ironx86.sys
2012-02-08 08:42:30 -------- d-----w- c:\windows\system32\drivers\n360\0502000.00D
2012-01-26 03:50:04 440192 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-26 03:50:04 278528 ----a-w- c:\windows\system32\schannel.dll
2012-01-26 03:50:04 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-26 03:50:03 9728 ----a-w- c:\windows\system32\lsass.exe
2012-01-26 03:50:03 72704 ----a-w- c:\windows\system32\secur32.dll
2012-01-26 03:50:03 377344 ----a-w- c:\windows\system32\winhttp.dll
2012-01-23 21:26:28 291600 ----a-w- c:\windows\system\WININET.DLL
.
==================== Find3M ====================
.
2011-11-27 05:48:54 249856 ------w- c:\windows\Setup1.exe
2011-11-27 05:48:52 73216 ----a-w- c:\windows\ST6UNST.EXE
2011-11-25 15:59:48 376320 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:37:27 2043904 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 20:23:34 1205064 ----a-w- c:\windows\system32\ntdll.dll
2011-11-18 17:47:03 66560 ----a-w- c:\windows\system32\packager.dll
.
============= FINISH: 23:43:15.23 ===============

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-02-12 01:09:13
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 TOSHIBA_MK1652GSX rev.LV010M
Running: gmer.exe; Driver: C:\Users\Mike\AppData\Local\Temp\pwtdypow.sys


---- System - GMER 1.0.15 ----

SSDT 8789A480 ZwAlertResumeThread
SSDT 8789A560 ZwAlertThread
SSDT 87865450 ZwAllocateVirtualMemory
SSDT 877BE918 ZwAlpcConnectPort
SSDT 878568D8 ZwAssignProcessToJobObject
SSDT 87856E80 ZwCreateMutant
SSDT 87868E38 ZwCreateSymbolicLinkObject
SSDT 87865CC0 ZwCreateThread
SSDT 878569B8 ZwDebugActiveProcess
SSDT 878655E0 ZwDuplicateObject
SSDT 87868518 ZwFreeVirtualMemory
SSDT 87856F70 ZwImpersonateAnonymousToken
SSDT 8789A3A0 ZwImpersonateThread
SSDT 877C0728 ZwLoadDriver
SSDT 87868418 ZwMapViewOfSection
SSDT 87856DA0 ZwOpenEvent
SSDT 87865780 ZwOpenProcess
SSDT 87865520 ZwOpenProcessToken
SSDT 87856BE0 ZwOpenSection
SSDT 878656B0 ZwOpenThread
SSDT 878567E8 ZwProtectVirtualMemory
SSDT 87856090 ZwResumeThread
SSDT 8789AF10 ZwSetContextThread
SSDT 878680D8 ZwSetInformationProcess
SSDT 87856A98 ZwSetSystemInformation
SSDT 87856CC0 ZwSuspendProcess
SSDT 8789BEB0 ZwSuspendThread
SSDT 87865DA0 ZwTerminateProcess
SSDT 8789AC60 ZwTerminateThread
SSDT 878682B8 ZwUnmapViewOfSection
SSDT 87865360 ZwWriteVirtualMemory
SSDT 87868F28 ZwCreateThreadEx

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 11D 820E68A0 8 Bytes [80, A4, 89, 87, 60, A5, 89, ...] {AND BYTE [ECX+ECX*4-0x765a9f79], 0x87}
.text ntkrnlpa.exe!KeSetEvent + 131 820E68B4 4 Bytes [50, 54, 86, 87]
.text ntkrnlpa.exe!KeSetEvent + 13D 820E68C0 4 Bytes JMP CB81F040
.text ntkrnlpa.exe!KeSetEvent + 191 820E6914 4 Bytes [D8, 68, 85, 87]
.text ntkrnlpa.exe!KeSetEvent + 1F5 820E6978 4 Bytes [80, 6E, 85, 87] {SUB BYTE [ESI-0x7b], 0x87}
.text ...
.text C:\Windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x8A153000, 0x4036D, 0xE8000020]
.dsrt C:\Windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x8A19C000, 0x510, 0x40000040]
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8F002000, 0x1FB52A, 0xE8000020]
? C:\Users\Mike\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\Explorer.EXE[888] ntdll.dll!NtProtectVirtualMemory 770B4BA4 5 Bytes JMP 06AA000A
.text C:\Windows\Explorer.EXE[888] ntdll.dll!NtWriteVirtualMemory 770B54E4 5 Bytes JMP 06B7000A
.text C:\Windows\Explorer.EXE[888] ntdll.dll!KiUserExceptionDispatcher 770B5C28 5 Bytes JMP 06A5000A
.text C:\Windows\system32\svchost.exe[1248] ntdll.dll!NtProtectVirtualMemory 770B4BA4 5 Bytes JMP 0118000A
.text C:\Windows\system32\svchost.exe[1248] ntdll.dll!NtWriteVirtualMemory 770B54E4 5 Bytes JMP 0119000A
.text C:\Windows\system32\svchost.exe[1248] ntdll.dll!KiUserExceptionDispatcher 770B5C28 5 Bytes JMP 0102000A
? C:\Windows\system32\svchost.exe[1248] C:\Windows\system32\smss.exe image checksum mismatch; time/date stamp mismatch;
.text C:\Program Files\Internet Explorer\iexplore.exe[4236] ntdll.dll!NtProtectVirtualMemory 770B4BA4 5 Bytes JMP 004C000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4236] ntdll.dll!NtWriteVirtualMemory 770B54E4 5 Bytes JMP 00A5000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4236] ntdll.dll!KiUserExceptionDispatcher 770B5C28 5 Bytes JMP 0045000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4236] USER32.dll!CreateWindowExW 76741305 5 Bytes JMP 713CDB44 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4236] USER32.dll!DialogBoxParamW 767610B0 5 Bytes JMP 712F5505 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4236] USER32.dll!DialogBoxIndirectParamW 76762EF5 5 Bytes JMP 714C5397 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4236] USER32.dll!DialogBoxParamA 76778152 5 Bytes JMP 714C5334 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4236] USER32.dll!DialogBoxIndirectParamA 7677847D 5 Bytes JMP 714C53FA C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4236] USER32.dll!MessageBoxIndirectA 7678D4D9 5 Bytes JMP 714C52C9 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4236] USER32.dll!MessageBoxIndirectW 7678D5D3 5 Bytes JMP 714C525E C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4236] USER32.dll!MessageBoxExA 7678D639 5 Bytes JMP 714C51FC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4236] USER32.dll!MessageBoxExW 7678D65D 5 Bytes JMP 714C519A C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5452] ntdll.dll!NtProtectVirtualMemory 770B4BA4 5 Bytes JMP 0126000A
.text C:\Program Files\Internet Explorer\iexplore.exe[5452] ntdll.dll!NtWriteVirtualMemory 770B54E4 5 Bytes JMP 0127000A
.text C:\Program Files\Internet Explorer\iexplore.exe[5452] ntdll.dll!KiUserExceptionDispatcher 770B5C28 5 Bytes JMP 0121000A
.text C:\Program Files\Internet Explorer\iexplore.exe[5452] USER32.dll!SetWindowsHookExW 767387AD 5 Bytes JMP 713C9AD1 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5452] USER32.dll!CallNextHookEx 76738E3B 5 Bytes JMP 713BD13D C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5452] USER32.dll!UnhookWindowsHookEx 767398DB 5 Bytes JMP 713346AE C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5452] USER32.dll!CreateWindowExW 76741305 5 Bytes JMP 713CDB44 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5452] USER32.dll!DialogBoxParamW 767610B0 5 Bytes JMP 712F5505 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5452] USER32.dll!DialogBoxIndirectParamW 76762EF5 5 Bytes JMP 714C5397 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5452] USER32.dll!DialogBoxParamA 76778152 5 Bytes JMP 714C5334 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5452] USER32.dll!DialogBoxIndirectParamA 7677847D 5 Bytes JMP 714C53FA C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5452] USER32.dll!MessageBoxIndirectA 7678D4D9 5 Bytes JMP 714C52C9 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5452] USER32.dll!MessageBoxIndirectW 7678D5D3 5 Bytes JMP 714C525E C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5452] USER32.dll!MessageBoxExA 7678D639 5 Bytes JMP 714C51FC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5452] USER32.dll!MessageBoxExW 7678D65D 5 Bytes JMP 714C519A C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5452] ole32.dll!OleLoadFromStream 75791E80 5 Bytes JMP 714C56FF C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5452] ole32.dll!CoGetTreatAsClass + D2F 757AFAE3 7 Bytes JMP 029C003A
.text C:\Program Files\Internet Explorer\iexplore.exe[5452] ole32.dll!CoCreateInstance 757C9F3E 5 Bytes JMP 713CDBA0 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5452] ole32.dll!CoCreateInstance + 3E 757C9F7C 7 Bytes JMP 029C00F4
.text C:\Program Files\Internet Explorer\iexplore.exe[5920] ntdll.dll!NtProtectVirtualMemory 770B4BA4 5 Bytes JMP 02A8000A
.text C:\Program Files\Internet Explorer\iexplore.exe[5920] ntdll.dll!NtWriteVirtualMemory 770B54E4 5 Bytes JMP 02A9000A
.text C:\Program Files\Internet Explorer\iexplore.exe[5920] ntdll.dll!KiUserExceptionDispatcher 770B5C28 5 Bytes JMP 0295000A
.text C:\Program Files\Internet Explorer\iexplore.exe[5920] USER32.dll!SetWindowsHookExW 767387AD 5 Bytes JMP 713C9AD1 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5920] USER32.dll!CallNextHookEx 76738E3B 5 Bytes JMP 713BD13D C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5920] USER32.dll!UnhookWindowsHookEx 767398DB 5 Bytes JMP 713346AE C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5920] USER32.dll!CreateWindowExW 76741305 5 Bytes JMP 713CDB44 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5920] USER32.dll!DialogBoxParamW 767610B0 5 Bytes JMP 712F5505 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5920] USER32.dll!DialogBoxIndirectParamW 76762EF5 5 Bytes JMP 714C5397 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5920] USER32.dll!DialogBoxParamA 76778152 5 Bytes JMP 714C5334 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5920] USER32.dll!DialogBoxIndirectParamA 7677847D 5 Bytes JMP 714C53FA C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5920] USER32.dll!MessageBoxIndirectA 7678D4D9 5 Bytes JMP 714C52C9 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5920] USER32.dll!MessageBoxIndirectW 7678D5D3 5 Bytes JMP 714C525E C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5920] USER32.dll!MessageBoxExA 7678D639 5 Bytes JMP 714C51FC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5920] USER32.dll!MessageBoxExW 7678D65D 5 Bytes JMP 714C519A C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5920] ole32.dll!OleLoadFromStream 75791E80 5 Bytes JMP 714C56FF C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5920] ole32.dll!CoGetTreatAsClass + D2F 757AFAE3 7 Bytes JMP 024F003A
.text C:\Program Files\Internet Explorer\iexplore.exe[5920] ole32.dll!CoCreateInstance 757C9F3E 5 Bytes JMP 713CDBA0 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5920] ole32.dll!CoCreateInstance + 3E 757C9F7C 7 Bytes JMP 024F00F2
.text C:\Windows\System32\ping.exe[6084] ntdll.dll!NtCreateProcess 770B4304 5 Bytes JMP 007C000A
.text C:\Windows\System32\ping.exe[6084] ntdll.dll!NtCreateProcessEx 770B4314 5 Bytes JMP 007D000A
.text C:\Windows\System32\ping.exe[6084] ntdll.dll!NtProtectVirtualMemory 770B4BA4 5 Bytes JMP 0020000A
.text C:\Windows\System32\ping.exe[6084] ntdll.dll!NtWriteVirtualMemory 770B54E4 5 Bytes JMP 0021000A
.text C:\Windows\System32\ping.exe[6084] ntdll.dll!NtCreateUserProcess 770B5674 5 Bytes JMP 007E000A
.text C:\Windows\System32\ping.exe[6084] ntdll.dll!KiUserExceptionDispatcher 770B5C28 5 Bytes JMP 001C000A
.text C:\Windows\System32\ping.exe[6084] USER32.dll!WindowFromPoint 7673884F 5 Bytes JMP 00AD000A
.text C:\Windows\System32\ping.exe[6084] USER32.dll!GetForegroundWindow 767432C4 5 Bytes JMP 00AE000A
.text C:\Windows\System32\ping.exe[6084] USER32.dll!GetCursorPos 76750B88 5 Bytes JMP 00AC000A
.text C:\Windows\System32\ping.exe[6084] ole32.dll!CoCreateInstance 757C9F3E 5 Bytes JMP 0081000A
.text C:\Program Files\Internet Explorer\iexplore.exe[7464] ntdll.dll!NtProtectVirtualMemory 770B4BA4 5 Bytes JMP 0269000A
.text C:\Program Files\Internet Explorer\iexplore.exe[7464] ntdll.dll!NtWriteVirtualMemory 770B54E4 5 Bytes JMP 0280000A
.text C:\Program Files\Internet Explorer\iexplore.exe[7464] ntdll.dll!KiUserExceptionDispatcher 770B5C28 5 Bytes JMP 012C000A
.text C:\Program Files\Internet Explorer\iexplore.exe[7464] USER32.dll!SetWindowsHookExW 767387AD 5 Bytes JMP 713C9AD1 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7464] USER32.dll!CallNextHookEx 76738E3B 5 Bytes JMP 713BD13D C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7464] USER32.dll!UnhookWindowsHookEx 767398DB 5 Bytes JMP 713346AE C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7464] USER32.dll!CreateWindowExW 76741305 5 Bytes JMP 713CDB44 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7464] USER32.dll!DialogBoxParamW 767610B0 5 Bytes JMP 712F5505 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7464] USER32.dll!DialogBoxIndirectParamW 76762EF5 5 Bytes JMP 714C5397 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7464] USER32.dll!DialogBoxParamA 76778152 5 Bytes JMP 714C5334 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7464] USER32.dll!DialogBoxIndirectParamA 7677847D 5 Bytes JMP 714C53FA C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7464] USER32.dll!MessageBoxIndirectA 7678D4D9 5 Bytes JMP 714C52C9 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7464] USER32.dll!MessageBoxIndirectW 7678D5D3 5 Bytes JMP 714C525E C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7464] USER32.dll!MessageBoxExA 7678D639 5 Bytes JMP 714C51FC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7464] USER32.dll!MessageBoxExW 7678D65D 5 Bytes JMP 714C519A C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7464] ole32.dll!OleLoadFromStream 75791E80 5 Bytes JMP 714C56FF C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7464] ole32.dll!CoGetTreatAsClass + D2F 757AFAE3 7 Bytes JMP 0292003A
.text C:\Program Files\Internet Explorer\iexplore.exe[7464] ole32.dll!CoCreateInstance 757C9F3E 5 Bytes JMP 713CDBA0 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[7464] ole32.dll!CoCreateInstance + 3E 757C9F7C 7 Bytes JMP 029200F2

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\RawIp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) 8F5BD000-8F5DC000 (126976 bytes)

---- Processes - GMER 1.0.15 ----

Process C:\Windows\System32\ping.exe (*** hidden *** ) 6084

---- Files - GMER 1.0.15 ----

File C:\Windows\$NtUninstallKB26086$\2332482552 0 bytes
File C:\Windows\$NtUninstallKB26086$\977166296 0 bytes
File C:\Windows\$NtUninstallKB26086$\977166296\@ 2048 bytes
File C:\Windows\$NtUninstallKB26086$\977166296\cfg.ini 300 bytes
File C:\Windows\$NtUninstallKB26086$\977166296\Desktop.ini 4608 bytes
File C:\Windows\$NtUninstallKB26086$\977166296\L 0 bytes
File C:\Windows\$NtUninstallKB26086$\977166296\L\qnbwvoto 54784 bytes
File C:\Windows\$NtUninstallKB26086$\977166296\oemid 207 bytes
File C:\Windows\$NtUninstallKB26086$\977166296\U 0 bytes
File C:\Windows\$NtUninstallKB26086$\977166296\U\00000001.@ 2048 bytes
File C:\Windows\$NtUninstallKB26086$\977166296\U\00000002.@ 224768 bytes
File C:\Windows\$NtUninstallKB26086$\977166296\U\00000004.@ 1024 bytes
File C:\Windows\$NtUninstallKB26086$\977166296\U\80000000.@ 66560 bytes
File C:\Windows\$NtUninstallKB26086$\977166296\U\80000004.@ 12800 bytes
File C:\Windows\$NtUninstallKB26086$\977166296\U\80000032.@ 73216 bytes
File C:\Windows\$NtUninstallKB26086$\977166296\version 856 bytes

---- EOF - GMER 1.0.15 ----


During the GMER scan, a message popped up on completion: Warning: GMER has found system modification caused by ROOTKIT activity.

#2 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 16 February 2012 - 09:54 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Please reply to this post so I know you are there.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 21 February 2012 - 09:40 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
m0le is a proud member of UNITE