Tech Support Guy banner
  • Please post in our Community Feedback thread for help with the new forum software! If you are having trouble logging in, please Contact Us for assistance.
Status
Not open for further replies.
1 - 4 of 4 Posts

·
Registered
Joined
·
6 Posts
Discussion Starter · #1 ·
I can not connect to any site security related.
(microsoft, symantec, norton, grisoft-avg,trendmicro)
I was able to download a-squared from download.com (cnet) but otherwise cannot really do anything.
Please tell me what i should do...
----------------------------
Edit: After scanning ive also realized ive picked up alot of trojans and bad stuff (at least 7 high risk) and also 200 tracking cookies (this comp was scanned very few times bc of W3 playing only really).

Also it says i have ROOTKITS!!!

HELP!!!!!

------------------
Hijack This Report
------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:15:06 PM, on 8/31/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.cyberdefender.com/smallsearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll (file missing)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: (no name) - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - (no file)
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Copy Handler] C:\Documents and Settings\Ronnie\My Documents\ch_1.exe
O4 - HKLM\..\Run: [Intelligent Copier] "C:\Program Files\Interdesigner Software\Intelligent Copier\IntelligentCopier.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Nikon Transfer Monitor] C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
O4 - HKLM\..\Run: [openvpn-gui] C:\Program Files\OpenVPN\bin\openvpn-gui.exe
O4 - HKLM\..\RunOnce: [InstallMotiveFromCW] C:\Program Files\verizon\FiOS\CW_Motive.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/fios_settings/include/vzTCPConfig.CAB
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase2895.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1189896376998
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1189897018858
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: secuload.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 7069 bytes

----------------------------------------------------------------------

Also this is my hosts file (i recently looked in it but there wasnt much except the localhost so i also deleted that but i put it back when i saw i shouldnt)
-----------
HOSTS File
-----------
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

-------------------------

And also right now i managed to download AVG Free 8.5 Build 409
from some Hippo site and am going to install and run the scan.
----------------------------------------------------------------

Please HELP QUICK!!!

And also i when i ran the a squared scan i got this..
______________________________________________

wait...

oh yah i uninstalled a-squared but i got some tracking cookies and viruses and trojans.
it deleted all the stuff except some tracking cookies.

This included some Mozilla Firefox stuff and some gamespy stuff i think.

it said that it cannot delete some y..... .default in the mozilla folder and to ask the experts on the a-squared forum (i cant even get there)

and also the avg i had to download from some hippo site because the cnet avg download manager could not connect to the internet for some reason though i obviously can. (im typing this)...

Please help!!!!

Thanks

--------------------------------------------------------------------------------------------------------------
EDIT:
--------------------------------------------------------------------------------------------------------------

Not sure what i have. so im doing a gmer rootkit scan.
should i post the results and what other rootkit scans should i post.
i read i should use icesword. should i?

------------------------------------------------------------------------------------------------------------
About to post report from Gmer When its done.
Most likely going to scan with Panda AntiRoot Next.
------------------------------------------------------------------------------------------------------------

EDIT 3: On a maybe related note. My ports never show that they are open even when they are forwarded correctly and on a dmz for the router. Could a rootkit or virus or such be blocking them?
---------------------------------------------------------------------------------------------------------

I posted the Gmer Below. I also did a Panda ARK scan but it says that there was nothing wrong...
Post if you want the screenshot of that log.
 

·
Registered
Joined
·
6 Posts
Discussion Starter · #3 ·
This is my gmer ark log. What should i do? it says there are rootkits...
_______________________________________________________________
GMER 1.0.15.15077 [bwsdhzux.exe] - http://www.gmer.net
Rootkit scan 2009-09-01 13:43:42
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.15 ----

SSDT spes.sys ZwCreateKey [0xF99120E0] <-- ROOTKIT !!!
SSDT spes.sys ZwEnumerateKey [0xF9930CA2] <-- ROOTKIT !!!
SSDT spes.sys ZwEnumerateValueKey [0xF9931030] <-- ROOTKIT !!!
SSDT spes.sys ZwOpenKey [0xF99120C0] <-- ROOTKIT !!!
SSDT spes.sys ZwQueryKey [0xF9931108] <-- ROOTKIT !!!
SSDT spes.sys ZwQueryValueKey [0xF9930F88] <-- ROOTKIT !!!
SSDT spes.sys ZwSetValueKey [0xF993119A] <-- ROOTKIT !!!
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xF3991F20] <-- ROOTKIT !!!

INT 0x62 ? 81B8DBF8
INT 0x82 ? 81B8DBF8
INT 0xA4 ? 819B4D28
INT 0xB4 ? 819B4D28
---- Kernel code sections - GMER 1.0.15 ----

? spes.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F892E62C 5 Bytes JMP 819B4308
.text adwn2w6z.SYS F8875384 1 Byte [20]
.text adwn2w6z.SYS F8875384 37 Bytes [20, 00, 00, 68, 00, 00, 00, ...]
.text adwn2w6z.SYS F88753AA 24 Bytes [00, 00, 20, 00, 00, E0, 00, ...]
.text adwn2w6z.SYS F88753C4 3 Bytes [00, 00, 00]
.text adwn2w6z.SYS F88753C9 1 Byte [00]
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[736] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes JMP 01649DB4
.text C:\WINDOWS\System32\svchost.exe[736] NETAPI32.dll!NetpwPathCanonicalize 5B86A0F9 5 Bytes JMP 01649D54
.text C:\WINDOWS\System32\svchost.exe[780] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes JMP 00639DB4

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 81B922D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F9943C4C] spes.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F9943CA0] spes.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F9913040] spes.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F991313C] spes.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F99130BE] spes.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F99137FC] spes.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F99136D2] spes.sys
IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F9923048] spes.sys
IAT \SystemRoot\System32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 819B4408
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!RtlInitUnicodeString] 9252D2DB
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!swprintf] [804FC5C0] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!KeSetEvent] 8E44C8C9
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!IoCreateSymbolicLink] A475EBF6
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!IoGetConfigurationInformation] AA7EE6FF
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!IoDeleteSymbolicLink] B863F1E4
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!MmFreeMappingAddress] B668FCED
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!IoFreeErrorLogEntry] 0CB1670A
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!IoDisconnectInterrupt] 02BA6A03
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!MmUnmapIoSpace] 10A77D18
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!ObReferenceObjectByPointer] 1EAC7011
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!IofCompleteRequest] 349D532E
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!RtlCompareUnicodeString] 3A965E27
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!IofCallDriver] 288B493C
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!MmAllocateMappingAddress] 26804435
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!IoAllocateErrorLogEntry] 7CE90F42
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!IoConnectInterrupt] 72E2024B
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!IoDetachDevice] 60FF1550
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!KeWaitForSingleObject] 6EF41859
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!KeInitializeEvent] 44C53B66
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!RtlAnsiStringToUnicodeString] 4ACE366F
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!RtlInitAnsiString] 58D32174
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!IoBuildDeviceIoControlRequest] 56D82C7D
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!IoQueueWorkItem] 377A0CA1
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!MmMapIoSpace] 397101A8
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!IoInvalidateDeviceRelations] 2B6C16B3
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!IoReportDetectedDevice] 25671BBA
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!IoReportResourceForDetection] 0F563885
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!RtlxAnsiStringToUnicodeSize] 015D358C
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!NlsMbCodePageTag] 13402297
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!PoRequestPowerIrp] 1D4B2F9E
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!KeInsertByKeyDeviceQueue] 472264E9
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!PoRegisterDeviceForIdleDetection] 492969E0
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!sprintf] 5B347EFB
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!MmMapLockedPagesSpecifyCache] 553F73F2
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!ObfDereferenceObject] 7F0E50CD
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!IoGetAttachedDeviceReference] 71055DC4
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!IoInvalidateDeviceState] 63184ADF
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!ZwClose] 6D1347D6
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!ObReferenceObjectByHandle] D7CADC31
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!ZwCreateDirectoryObject] D9C1D138
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!IoBuildSynchronousFsdRequest] CBDCC623
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!PoStartNextPowerIrp] C5D7CB2A
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!PoCallDriver] EFE6E815
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!IoCreateDevice] E1EDE51C
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!IoAllocateDriverObjectExtension] F3F0F207
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!RtlQueryRegistryValues] FDFBFF0E
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!ZwOpenKey] A792B479
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!RtlFreeUnicodeString] A999B970
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!IoStartTimer] BB84AE6B
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!KeInitializeTimer] B58FA362
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!IoInitializeTimer] 9FBE805D
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!KeInitializeDpc] 91B58D54
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!KeInitializeSpinLock] 83A89A4F
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!IoInitializeIrp] 8DA39746
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!ZwCreateKey] 00000063
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!RtlAppendUnicodeStringToString] 0000007C
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!RtlIntegerToUnicodeString] 00000077
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!ZwSetValueKey] 0000007B
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!KeInsertQueueDpc] 000000F2
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!KefAcquireSpinLockAtDpcLevel] 0000006B
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!IoStartPacket] 0000006F
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!KefReleaseSpinLockFromDpcLevel] 000000C5
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!IoBuildAsynchronousFsdRequest] 00000030
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!IoFreeMdl] 00000001
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!MmUnlockPages] 00000067
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!IoWriteErrorLogEntry] 0000002B
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!KeRemoveByKeyDeviceQueue] 000000FE
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!MmMapLockedPagesWithReservedMapping] 000000D7
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!MmUnmapReservedMapping] 000000AB
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!KeSynchronizeExecution] 00000076
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!IoStartNextPacket] 000000CA
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!KeBugCheckEx] 00000082
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!KeRemoveDeviceQueue] 000000C9
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!KeSetTimer] 0000007D
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!KeCancelTimer] 000000FA
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!_allmul] 00000059
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!MmProbeAndLockPages] 00000047
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!_except_handler3] 000000F0
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!PoSetPowerState] 000000AD
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!IoOpenDeviceRegistryKey] 000000D4
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!RtlWriteRegistryValue] 000000A2
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!_aulldiv] 000000AF
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!strstr] 0000009C
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!_strupr] 000000A4
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!KeQuerySystemTime] 00000072
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!IoWMIRegistrationControl] 000000C0
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!KeTickCount] 000000B7
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!IoAttachDeviceToDeviceStack] 000000FD
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!IoDeleteDevice] 00000093
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!ExAllocatePoolWithTag] 00000026
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!IoAllocateWorkItem] 00000036
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!IoAllocateIrp] 0000003F
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!IoAllocateMdl] 000000F7
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!MmBuildMdlForNonPagedPool] 000000CC
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!MmLockPagableDataSection] 00000034
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!IoGetDriverObjectExtension] 000000A5
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!MmUnlockPagableImageSection] 000000E5
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!ExFreePoolWithTag] 000000F1
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!IoFreeIrp] 00000071
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!IoFreeWorkItem] 000000D8
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!InitSafeBootMode] 00000031
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!RtlCompareMemory] 00000015
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!RtlCopyUnicodeString] 00000004
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!memmove] 000000C7
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[ntoskrnl.exe!MmHighestUserAddress] 00000023
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[HAL.dll!KfAcquireSpinLock] 0A64D90F
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[HAL.dll!READ_PORT_UCHAR] 046FD406
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[HAL.dll!KeGetCurrentIrql] 1672C31D
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[HAL.dll!KfRaiseIrql] 1879CE14
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[HAL.dll!KfLowerIrql] 3248ED2B
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[HAL.dll!HalGetInterruptVector] 3C43E022
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[HAL.dll!HalTranslateBusAddress] 2E5EF739
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[HAL.dll!KeStallExecutionProcessor] 2055FA30
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[HAL.dll!KfReleaseSpinLock] EC01B79A
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] E20ABA93
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[HAL.dll!READ_PORT_USHORT] F017AD88
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] FE1CA081
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[HAL.dll!WRITE_PORT_UCHAR] D42D83BE
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[WMILIB.SYS!WmiSystemControl] C83B99AC
IAT \SystemRoot\System32\Drivers\adwn2w6z.SYS[WMILIB.SYS!WmiCompleteRequest] C63094A5

(2nd part of the Log is below)
 

·
Registered
Joined
·
6 Posts
Discussion Starter · #4 ·
The 2nd part of the Gmer Ark Log.

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 81B8B1F8
Device \FileSystem\Fastfat \FatCdrom 81A3B1F8

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbuhci \Device\USBPDO-0 819B31F8
Device \Driver\usbuhci \Device\USBPDO-1 819B31F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 81B8E1F8
Device \Driver\dmio \Device\DmControl\DmConfig 81B8E1F8
Device \Driver\dmio \Device\DmControl\DmPnP 81B8E1F8
Device \Driver\dmio \Device\DmControl\DmInfo 81B8E1F8

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Ftdisk \Device\HarddiskVolume1 81B8F1F8
Device \Driver\Cdrom \Device\CdRom0 81A0F1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 81B8D1F8
Device \Driver\atapi \Device\Ide\IdePort0 81B8D1F8
Device \Driver\atapi \Device\Ide\IdePort1 81B8D1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-e 81B8D1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 817C61F8
Device \Driver\sptd \Device\697948938 spes.sys
Device \Driver\PCI_PNP0188 \Device\0000004b spes.sys

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbuhci \Device\USBFDO-0 819B31F8
Device \Driver\usbuhci \Device\USBFDO-1 819B31F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8165F500
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8165F500
Device \Driver\Ftdisk \Device\FtControl 81B8F1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{2A18C7A4-9D2A-4733-8DF9-99BBB9AEFDF4} 817C61F8
Device \Driver\adwn2w6z \Device\Scsi\adwn2w6z1 819361F8
Device \FileSystem\Fastfat \Fat 81A3B1F8

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 816471F8

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] krgzfgt <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] Time Boot
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\CurrentControlSet\Services\krgzfgt\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\krgzfgt\[email protected] C:\WINDOWS\system32\uadazw.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\[email protected] 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\[email protected] 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\[email protected] 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\[email protected] 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\[email protected] 0xA1 0xA2 0x7B 0x1B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\[email protected] C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\[email protected] 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\[email protected] 0x3E 0x15 0x1D 0x1C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\[email protected] 0x61 0x5B 0x86 0x48 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\[email protected] 0xB7 0x8F 0xD0 0xD5 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\[email protected] 0xD9 0xF9 0x60 0x11 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\[email protected] 0xD9 0xF9 0x60 0x11 ...
Reg HKLM\SYSTEM\ControlSet003\Services\[email protected] Time Boot
Reg HKLM\SYSTEM\ControlSet003\Services\[email protected] 32
Reg HKLM\SYSTEM\ControlSet003\Services\[email protected] 2
Reg HKLM\SYSTEM\ControlSet003\Services\[email protected] 0
Reg HKLM\SYSTEM\ControlSet003\Services\[email protected] %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet003\Services\[email protected] LocalSystem
Reg HKLM\SYSTEM\ControlSet003\Services\[email protected] Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\ControlSet003\Services\krgzfgt\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\krgzfgt\[email protected] C:\WINDOWS\system32\uadazw.dll
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\[email protected] 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\[email protected] 0xA1 0xA2 0x7B 0x1B ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\[email protected] C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\[email protected] 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\[email protected] 0x3E 0x15 0x1D 0x1C ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\[email protected] 0x61 0x5B 0x86 0x48 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\[email protected] 0xB7 0x8F 0xD0 0xD5 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\[email protected] 0xD9 0xF9 0x60 0x11 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\[email protected] 0xD9 0xF9 0x60 0x11 ...
---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 16: copy of MBR

---- EOF - GMER 1.0.15 ----
_______________________________________________________________
 
1 - 4 of 4 Posts
Status
Not open for further replies.
Top