I think I have the Win32.Bagle worm

Post by Epic2112 » January 7th, 2007, 6:32 am

Hello everyone. I think I have the Win32.Bagle worm, although I am not sure. All of a sudden the exe for Spybot S&D is gone, and reinstalling it does not work. My Zone Alarm is also gone, and I get an error when I try to reinstall it. AVG antivirus no longer runs in the background, and I cannot get it to. I also am unable to boot into safe mode; whenever I try to, the computer just restarts when it should be loading Windows. It will only let me boot if I select to run Windows normally. Ad-Aware does not find any errors. Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:28:26 AM, on 1/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\GetMail\GetMail.exe
C:\Program Files\EarthWatcher\EarthWatcher.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.straightdope.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [getmail] "C:\Program Files\GetMail\GetMail.exe"
O4 - HKCU\..\Run: [EarthWatcher] C:\Program Files\EarthWatcher\EarthWatcher.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download the &current page with Offline Explorer - file://C:\Program Files\Offline Explorer\Add_AllO.htm
O8 - Extra context menu item: Download using Offline &Explorer - file://C:\Program Files\Offline Explorer\Add_UrlO.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: HttpWatch - {D103E85B-5D67-42c1-8C83-F01079DBAB26} - C:\Program Files\HttpWatch\httpwtch.dll
O9 - Extra 'Tools' menuitem: HttpWatch - {D103E85B-5D67-42c1-8C83-F01079DBAB26} - C:\Program Files\HttpWatch\httpwtch.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 4542921343
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe (file missing)
Everything in there looks normal to me, but I don't know about this stuff, so any help is excellent.

A couple of times, when I hit ALT+CTRL+DEL, I see hldrrr.exe in the processes tab.

Thank you
Epic2112
Active Member
 
Posts: 14
Joined: January 7th, 2007, 5:54 am

Post by John B. » January 7th, 2007, 7:27 am

Hi! :hello2: and welcome to the Malware Removal forums.
My name is John Brouwer - if it helps, you can call me John for short. I'll be glad to help you with your computer problems.

HijackThis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happens.
I am currently looking over your log. As I am a trainee, everything that I post to you must be checked by an Admin or Moderator. Thus, there may be a tiny bit of a delay between posts, but it shouldn't be too long. I will post back shortly with a potential fix.

Please be patient and I'd be grateful if you would note the following:
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Greets, John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Post by John B. » January 7th, 2007, 8:13 am

Hi,

I'm afraid I have unpleasant news for you. You have a Very Dangerous infection on this machine.
The infection is delivered by Torpig.
It allows outsiders COMPLETE access to every keystroke, account, and password you use while on this machine, and complete access to any other data present...
IF this computer has been used for any kind of important data, my best recommendation is to Disconnect from Internet, Re-Format the entire drive and re-install your Operating system and Applications.

We can likely clean the infected files off the computer, and if you wish we will attempt to do so, but we cannot be sure that the infection didn't do something to your system to reduce the system security. In that instance, even after removal of the infection, you could be subject to another attack or takeover as soon as you re-connect to the Internet.

The Decision Whether to ReFormat or Not should be based on:
  • The use of the computer - this is the primary factor in the decision whether to re-format and re-install, or just disinfect.
  • The variety of malware - this influences the decision on whether to re-format and re-install, or just disinfect. IN THIS CASE we have a backdoor trojan, the worst kind.
If the Computer has been used for any important data, you are strongly advised to do the following, immediately:
  • Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned.
  • Back up all important data on the machine. Do not back up any Applications (programs). Those should be re-installed from the original source CDs or websites.
  • If you have ever used this computer for shopping, banking, or any transactions relating to your financial well being:
    Call all of your banks, credit card companies, and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change ALL your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
  • DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
  • Take any other steps you think appropriate for an attempted identity theft.

While you are deciding whether to ReFormat and Re-Install, a useful link is here: http://www.dslreports.com/faq/10063
Please let me know what you decide.

Greets, John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Post by Epic2112 » January 7th, 2007, 2:47 pm

Hi John, thank you for your answer. Since this is just a home computer, I would like to try to clean it before I go about completely reformatting the whole thing. I don't have any financial or personal information on it, other than things like my MySpace password. I think the most sensitive password I have on the machine is my amazon.com password, and I do not believe I have logged on there since I have been infected.

I am not completely opposed to reformatting, but I would much prefer to avoid having to do so if at all possible.

What is my next step here?
Epic2112
Active Member
 
Posts: 14
Joined: January 7th, 2007, 5:54 am

Post by Epic2112 » January 8th, 2007, 5:36 am

OK, an update:

I think I have been able to get rid of the problem, but I would like you to have a look, since you are the expert. I know I cannot be sure that everything is fixed 100%, but here is a new HJT log. How does it look to you?

Logfile of HijackThis v1.99.1
Scan saved at 2:34:35 AM, on 1/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\GetMail\GetMail.exe
C:\Program Files\eMule\emule.exe
C:\Sysreset\mirc.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Last fm\LastFM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.straightdope.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [getmail] "C:\Program Files\GetMail\GetMail.exe"
O4 - HKCU\..\Run: [EarthWatcher] C:\Program Files\EarthWatcher\EarthWatcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download the &current page with Offline Explorer - file://C:\Program Files\Offline Explorer\Add_AllO.htm
O8 - Extra context menu item: Download using Offline &Explorer - file://C:\Program Files\Offline Explorer\Add_UrlO.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: HttpWatch - {D103E85B-5D67-42c1-8C83-F01079DBAB26} - C:\Program Files\HttpWatch\httpwtch.dll
O9 - Extra 'Tools' menuitem: HttpWatch - {D103E85B-5D67-42c1-8C83-F01079DBAB26} - C:\Program Files\HttpWatch\httpwtch.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 4542921343
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Epic2112
Active Member
 
Posts: 14
Joined: January 7th, 2007, 5:54 am
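An added Python example (not code from the thread, from HijackThis, or from MalwareRemoval.com) that does mechanically what the helper did by eye on the two logs above: it parses each HijackThis line, reports which entries disappeared or appeared between the first and second log, flags Run entries with two constructed heuristics (an executable living under Common Files rather than in its application's own folder, and a value name that imitates an OS component such as "shell"), and lists entries HijackThis marked "(file missing)". The sample logs are excerpts of the two logs posted above; the heuristics are my assumptions, not HijackThis rules.

```python
"""Compare two HijackThis logs and triage O4 (Run) autostart entries.

Added example, not code from the thread or from HijackThis. The two
sample logs below are excerpts of the logs posted in this thread.
"""
import re

# Generic HJT line: "<section> - <detail>", e.g. "O4 - HKCU\..\Run: [shell] ..."
LINE_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")
# Detail of an O4 registry Run entry: "<hive>\..\Run: [<value name>] <command>"
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\]\s*(.*)$")

# Constructed heuristics (assumptions, not HijackThis rules): a startup
# program normally lives in its own vendor folder, not under Common Files,
# and a Run value named after an OS component is a classic disguise.
SHARED_DIRS = ("\\common files\\",)
OS_LOOKING_NAMES = {"shell", "explorer", "system", "svchost", "winlogon"}


def parse_hjt(text):
    """Return the set of (section, detail) pairs found in a log body."""
    entries = set()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.add(m.groups())
    return entries


def diff_logs(before, after):
    """Entries that disappeared and entries that appeared between two logs."""
    a, b = parse_hjt(before), parse_hjt(after)
    return sorted(a - b), sorted(b - a)


def run_entries(text):
    """Extract (hive, value name, executable path) from O4 Run entries."""
    out = []
    for section, detail in parse_hjt(text):
        m = RUN_RE.match(detail) if section == "O4" else None
        if not m:
            continue
        hive, name, cmd = m.groups()
        # Quoted path: take the quoted part; otherwise drop trailing switches.
        exe = cmd.split('"')[1] if cmd.startswith('"') else cmd.split(" /")[0]
        out.append((hive, name, exe))
    return sorted(out)


def flag_run_entries(text):
    """Run entries matching the heuristics above, with the reason."""
    flagged = []
    for hive, name, exe in run_entries(text):
        reasons = []
        if any(d in exe.lower() for d in SHARED_DIRS):
            reasons.append("executable under a shared library folder")
        if name.lower() in OS_LOOKING_NAMES:
            reasons.append("value name imitates an OS component")
        if reasons:
            flagged.append((hive, name, exe, "; ".join(reasons)))
    return flagged


def missing_files(text):
    """Entries HijackThis marked '(file missing)' (e.g. a disabled AV service)."""
    return sorted(d for _, d in parse_hjt(text) if "(file missing)" in d)


# Excerpt of the first log posted in the thread (before the user's cleanup).
BEFORE = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [getmail] "C:\Program Files\GetMail\GetMail.exe"
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe (file missing)
"""

# Excerpt of the second log (after the cleanup).
AFTER = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [getmail] "C:\Program Files\GetMail\GetMail.exe"
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
"""

if __name__ == "__main__":
    removed, added = diff_logs(BEFORE, AFTER)
    print("Removed:", *removed, sep="\n  ")
    print("Added:", *added, sep="\n  ")
    print("Flagged in first log:", *flag_run_entries(BEFORE), sep="\n  ")
    print("File missing in first log:", *missing_files(BEFORE), sep="\n  ")
```

Run against full logs, the diff also surfaces the "(file missing)" AVG service returning with a real owner, which is the change the second log shows.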

Post by John B. » January 8th, 2007, 1:57 pm

Hi,

Step 1: Show your hidden files
To enable the viewing of Hidden files follow these steps:
  1. Close all programs so that you are at your desktop.
  2. Double-click on the My Computer icon (or click Start, then select My Computer)
  3. Select the Tools menu and click Folder Options.
  4. After the new window appears select the View tab.
  5. Put a checkmark in the checkbox labeled Display the contents of system folders.
  6. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  7. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  8. Remove the checkmark from the checkbox labeled Hide protected operating system files.
  9. Press the Apply button and then the OK button, and close My Computer.
    Now your computer is configured to show all hidden files.


Step 2: Delete bad files
Use Explorer to navigate to and delete the following files (if present):

C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll

Now just exit Explorer.

Step 3: Download and Run Gmer
Download Gmer to your Desktop and unzip it to your Desktop.
http://www.gmer.net/gmer.zip

Disconnect from internet and close running programs.
There is a small chance this application may crash your computer so save any work you have open.
Double click gmer.exe.
Let the gmer.sys driver load if asked.
If it gives you a warning at program start about rootkit activity and asks if you want to run scan...say Ok.
If no warning....
Click the rootkit tab
To the right of the program you will see a bunch of boxes that have been checked... leave everything checked. Then click the Scan button. Wait for the scan to finish.
Once done click the Copy button.
Open Notepad and hit ctrl+v to paste the log. Save the log to your desktop please.

Click the >>> tab. This will open up all available tabs for you.
Click the Autostart tab then the Scan button. Once it's done, click the Copy button and paste it into a new Notepad document. Save that document to your desktop please.

Step 4: Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:

[Image: screenshot of the HijackThis Uninstall Manager]

5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in your next reply, together with the Gmer log!

Greets, John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Post by Epic2112 » January 8th, 2007, 2:32 pm

Thanks again for your time. Here are the logs:

This is the first GMER log:

GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2007-01-08 11:25:57
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey
SSDT \SystemRoot\System32\vsdatant.sys ZwCreatePort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcessEx
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateWaitablePort
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!_abnormal_termination + 104 804E2760 12 Bytes [ 60, 0C, F2, B2, E0, 6E, F2, ... ]
.text ntoskrnl.exe!_abnormal_termination + 104 804E2760 12 Bytes [ 60, 0C, F2, B2, E0, 6E, F2, ... ]

---- Devices - GMER 1.0.12 ----

Device \FileSystem\SAVOnAccess Filter \Device\SAVOnAccessFilter IRP_MJ_CREATE [F88C666E] savonaccessfilter.sys
Device \FileSystem\SAVOnAccess Filter \Device\SAVOnAccessFilter IRP_MJ_CREATE_NAMED_PIPE [F88C79A6] savonaccessfilter.sys
Device \FileSystem\SAVOnAccess Filter \Device\SAVOnAccessFilter IRP_MJ_CLOSE [F88C78A2] savonaccessfilter.sys
Device \FileSystem\SAVOnAccess Filter \Device\SAVOnAccessFilter IRP_MJ_READ [F88C79A6] savonaccessfilter.sys
Device \FileSystem\SAVOnAccess Filter \Device\SAVOnAccessFilter IRP_MJ_WRITE [F88C7924] savonaccessfilter.sys
Device \FileSystem\SAVOnAccess Filter \Device\SAVOnAccessFilter IRP_MJ_QUERY_INFORMATION [F88C79A6] savonaccessfilter.sys
Device \FileSystem\SAVOnAccess Filter \Device\SAVOnAccessFilter IRP_MJ_SET_INFORMATION [F88C7820] savonaccessfilter.sys
Device \FileSystem\SAVOnAccess Filter \Device\SAVOnAccessFilter IRP_MJ_QUERY_EA [F88C79A6] savonaccessfilter.sys
Device \FileSystem\SAVOnAccess Filter \Device\SAVOnAccessFilter IRP_MJ_SET_EA [F88C79A6] savonaccessfilter.sys
Device \FileSystem\SAVOnAccess Filter \Device\SAVOnAccessFilter IRP_MJ_FLUSH_BUFFERS [F88C79A6] savonaccessfilter.sys
Device \FileSystem\SAVOnAccess Filter \Device\SAVOnAccessFilter IRP_MJ_QUERY_VOLUME_INFORMATION [F88C79A6] savonaccessfilter.sys
Device \FileSystem\SAVOnAccess Filter \Device\SAVOnAccessFilter IRP_MJ_SET_VOLUME_INFORMATION [F88C79A6] savonaccessfilter.sys
Device \FileSystem\SAVOnAccess Filter \Device\SAVOnAccessFilter IRP_MJ_DIRECTORY_CONTROL [F88C79A6] savonaccessfilter.sys
Device \FileSystem\SAVOnAccess Filter \Device\SAVOnAccessFilter IRP_MJ_FILE_SYSTEM_CONTROL [F88C7A26] savonaccessfilter.sys
Device \FileSystem\SAVOnAccess Filter \Device\SAVOnAccessFilter IRP_MJ_DEVICE_CONTROL [F88C79A6] savonaccessfilter.sys
Device \FileSystem\SAVOnAccess Filter \Device\SAVOnAccessFilter IRP_MJ_INTERNAL_DEVICE_CONTROL [F88C66FA] savonaccessfilter.sys
Device \FileSystem\SAVOnAccess Filter \Device\SAVOnAccessFilter IRP_MJ_SHUTDOWN [F88C79A6] savonaccessfilter.sys
Device \FileSystem\SAVOnAccess Filter \Device\SAVOnAccessFilter IRP_MJ_LOCK_CONTROL [F88C79A6] savonaccessfilter.sys
Device \FileSystem\SAVOnAccess Filter \Device\SAVOnAccessFilter IRP_MJ_CLEANUP [F88C779E] savonaccessfilter.sys
Device \FileSystem\SAVOnAccess Filter \Device\SAVOnAccessFilter IRP_MJ_CREATE_MAILSLOT [F88C79A6] savonaccessfilter.sys
Device \FileSystem\SAVOnAccess Filter \Device\SAVOnAccessFilter IRP_MJ_QUERY_SECURITY [F88C79A6] savonaccessfilter.sys
Device \FileSystem\SAVOnAccess Filter \Device\SAVOnAccessFilter IRP_MJ_SET_SECURITY [F88C79A6] savonaccessfilter.sys
Device \FileSystem\SAVOnAccess Filter \Device\SAVOnAccessFilter IRP_MJ_POWER [F88C79A6] savonaccessfilter.sys
Device \FileSystem\SAVOnAccess Filter \Device\SAVOnAccessFilter IRP_MJ_SYSTEM_CONTROL [F88C79A6] savonaccessfilter.sys
Device \FileSystem\SAVOnAccess Filter \Device\SAVOnAccessFilter IRP_MJ_DEVICE_CHANGE [F88C79A6] savonaccessfilter.sys
Device \FileSystem\SAVOnAccess Filter \Device\SAVOnAccessFilter IRP_MJ_QUERY_QUOTA [F88C79A6] savonaccessfilter.sys
Device \FileSystem\SAVOnAccess Filter \Device\SAVOnAccessFilter IRP_MJ_SET_QUOTA [F88C79A6] savonaccessfilter.sys
Device \FileSystem\SAVOnAccess Filter \Device\SAVOnAccessFilter IRP_MJ_PNP [F88C79A6] savonaccessfilter.sys
Device \FileSystem\SAVOnAccess Filter \Device\SAVOnAccessFilter FastIoCheckIfPossible [F88C7112] savonaccessfilter.sys
Device \FileSystem\SAVOnAccess Filter \Device\SAVOnAccessFilter FastIoRead [F88C7154] savonaccessfilter.sys
Device \FileSystem\SAVOnAccess Filter \Device\SAVOnAccessFilter FastIoWrite [F88C7196] savonaccessfilter.sys
Device \FileSystem\SAVOnAccess Filter \Device\SAVOnAccessFilter FastIoQueryBasicInfo [F88C71DA] savonaccessfilter.sys
Device \FileSystem\SAVOnAccess Filter \Device\SAVOnAccessFilter FastIoQueryStandardInfo [F88C7214] savonaccessfilter.sys
Device \FileSystem\SAVOnAccess Filter \Device\SAVOnAccessFilter FastIoLock [F88C724E] savonaccessfilter.sys
Device \FileSystem\SAVOnAccess Filter \Device\SAVOnAccessFilter FastIoUnlockSingle [F88C7292] savonaccessfilter.sys
Device \FileSystem\SAVOnAccess Filter \Device\SAVOnAccessFilter FastIoUnlockAll [F88C72D0] savonaccessfilter.sys
Device \FileSystem\SAVOnAccess Filter \Device\SAVOnAccessFilter FastIoUnlockAllByKey [F88C7304] savonaccessfilter.sys
Device \FileSystem\SAVOnAccess Filter \Device\SAVOnAccessFilter FastIoDeviceControl [F88C733C] savonaccessfilter.sys
Device \FileSystem\SAVOnAccess Filter \Device\SAVOnAccessFilter FastIoDetachDevice [F88C7382] savonaccessfilter.sys
Device \FileSystem\SAVOnAccess Filter \Device\SAVOnAccessFilter FastIoQueryNetworkOpenInfo [F88C738E] savonaccessfilter.sys
Device \FileSystem\SAVOnAccess Filter \Device\SAVOnAccessFilter MdlRead [F88C73C8] savonaccessfilter.sys
Device \FileSystem\SAVOnAccess Filter \Device\SAVOnAccessFilter MdlReadComplete [F88C7408] savonaccessfilter.sys
Device \FileSystem\SAVOnAccess Filter \Device\SAVOnAccessFilter PrepareMdlWrite [F88C743A] savonaccessfilter.sys
Device \FileSystem\SAVOnAccess Filter \Device\SAVOnAccessFilter MdlWriteComplete [F88C747C] savonaccessfilter.sys
Device \FileSystem\SAVOnAccess Filter \Device\SAVOnAccessFilter FastIoReadCompressed [F88C74B4] savonaccessfilter.sys
Device \FileSystem\SAVOnAccess Filter \Device\SAVOnAccessFilter FastIoWriteCompressed [F88C74FC] savonaccessfilter.sys
Device \FileSystem\SAVOnAccess Filter \Device\SAVOnAccessFilter MdlReadCompleteCompressed [F88C7546] savonaccessfilter.sys
Device \FileSystem\SAVOnAccess Filter \Device\SAVOnAccessFilter MdlWriteCompleteCompressed [F88C7578] savonaccessfilter.sys
Device \FileSystem\SAVOnAccess Filter \Device\SAVOnAccessFilter FastIoQueryOpen [F88C75B0] savonaccessfilter.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [B2F322A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [B2F322A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [B2F322A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F8A5085A] avgtdi.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [B2F322A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [B2F322A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [B2F322A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [B2F322A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F8A5085A] avgtdi.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [B2F322A0] vsdatant.sys
Device \FileSystem\SAVOnAccess Control \Device\SAVOnAccessControl IRP_MJ_CREATE [B2EB84F8] savonaccesscontrol.sys
Device \FileSystem\SAVOnAccess Control \Device\SAVOnAccessControl IRP_MJ_CLOSE [B2EB8590] savonaccesscontrol.sys
Device \FileSystem\SAVOnAccess Control \Device\SAVOnAccessControl IRP_MJ_READ [B2EB85D0] savonaccesscontrol.sys
Device \FileSystem\SAVOnAccess Control \Device\SAVOnAccessControl IRP_MJ_DEVICE_CONTROL [B2EBC2C6] savonaccesscontrol.sys
Device \FileSystem\SAVOnAccess Control \Device\SAVOnAccessControl FastIoRead [B2EB860E] savonaccesscontrol.sys
Device \FileSystem\SAVOnAccess Control \Device\SAVOnAccessControl FastIoWrite [B2EB866C] savonaccesscontrol.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [B2F322A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [B2F322A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [B2F322A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F8A5085A] avgtdi.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [B2F322A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [B2F322A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [B2F322A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [B2F322A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F8A5085A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [B2F322A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [B2F322A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [B2F322A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [B2F322A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F8A5085A] avgtdi.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [B2F322A0] vsdatant.sys

---- Files - GMER 1.0.12 ----

ADS C:\Documents and Settings\All Users\Application Data\TEMP:FDBA7498

---- EOF - GMER 1.0.12 ----

This is the GMER autostart log:

GMER 1.0.12.12011 - http://www.gmer.net
Autostart scan 2007-01-08 11:27:16
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
AtiExtEvent@DLLName = Ati2evxx.dll
WgaLogon@DLLName = WgaLogon.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
ATI Smart /*ATI Smart*/@ = C:\WINDOWS\system32\ati2sgag.exe
Avg7Alrt /*AVG7 Alert Manager Server*/@ = C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
Avg7UpdSvc /*AVG7 Update Service*/@ = C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
AVGEMS /*AVG E-mail Scanner*/@ = C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
Spooler /*Print Spooler*/@ = %SystemRoot%\system32\spoolsv.exe
UMWdf /*Windows User Mode Driver Framework*/@ = C:\WINDOWS\system32\wdfmgr.exe
vsmon /*TrueVector Internet Monitor*/@ = C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@SunJavaUpdateSched"C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" = "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
@MSConfigC:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto = C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
@Zone Labs Client"C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
@AVG7_CCC:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@getmail"C:\Program Files\GetMail\GetMail.exe" = "C:\Program Files\GetMail\GetMail.exe"
@EarthWatcherC:\Program Files\EarthWatcher\EarthWatcher.exe = C:\Program Files\EarthWatcher\EarthWatcher.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks >>>
@{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}C:\Program Files\Eudora\EuShlExt.dll /*file not found*/ = C:\Program Files\Eudora\EuShlExt.dll /*file not found*/
@{5BACC17E-BDF7-405B-BC68-ECB506395118}(null) =

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) =
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\System32\extmgr.dll = C:\WINDOWS\System32\extmgr.dll
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Program Files\WinRAR\rarext.dll = C:\Program Files\WinRAR\rarext.dll
@{EDB0E980-90BD-11D4-8599-0008C7D3B6F8} /*Eudora's Shell Extension*/C:\Program Files\Eudora\EuShlExt.dll /*file not found*/ = C:\Program Files\Eudora\EuShlExt.dll /*file not found*/
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/C:\Program Files\Real Alternative\rpshell.dll = C:\Program Files\Real Alternative\rpshell.dll
@{FED7043D-346A-414D-ACD7-550D052499A7} /*dBpowerAMP Music Converter 1*/C:\Program Files\dBpowerAMP\dBShell.dll = C:\Program Files\dBpowerAMP\dBShell.dll
@{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5} /*dBpowerAMP Music Converter*/C:\Program Files\dBpowerAMP\dMCShell.dll = C:\Program Files\dBpowerAMP\dMCShell.dll
@{D44E22BD-2D2C-4F13-BF1B-2DB458FD0C2C} /*KernelExtExt Extension*/C:\WINDOWS\System32\krnsvr32.dll /*file not found*/ = C:\WINDOWS\System32\krnsvr32.dll /*file not found*/
@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} /*AVG7 Shell Extension*/C:\Program Files\Grisoft\AVG Free\avgse.dll = C:\Program Files\Grisoft\AVG Free\avgse.dll
@{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} /*AVG7 Find Extension*/C:\Program Files\Grisoft\AVG Free\avgse.dll = C:\Program Files\Grisoft\AVG Free\avgse.dll

HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved@{BDEADF00-C265-11d0-BCED-00A0C90AB50F} /*Web Folders*/ = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
AVG7 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
moveonboot_delete@{12B23346-6BD8-4812-BF8C-75E7C386ACB8} = C:\Program Files\GiPo@MoveOnBoot\mboot.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
AVG7 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{53707962-6F74-2D53-2644-206D7942484F}C:\Program Files\Spybot - Search & Destroy\SDHelper.dll = C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll = C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.straightdope.com/ = http://www.straightdope.com/
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\System32\itss.dll
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\System32\itss.dll
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll

HKLM\Software\Classes\PROTOCOLS\Handler\wia@CLSID = C:\WINDOWS\System32\wiascr.dll

C:\Documents and Settings\All Users\Start Menu\Programs\Startup >>>
Adobe Gamma Loader.lnk = Adobe Gamma Loader.lnk
Microsoft Office.lnk = Microsoft Office.lnk

---- EOF - GMER 1.0.12 ----

And here is the HJT uninstall list:

ACDSee 4.0.2 Trial Version
Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
Adobe Photoshop 7.0
Adobe Shockwave Player
Ahead Nero - Burning Rom
ATI Display Driver
AVG Free Edition
BSplayer
dBpowerAMP Music Converter
EarthWatcher 1.1.1
FLAC Installer 1.1.2a (remove only)
FLV Player 1.3.3
GetMail 3.2
GiPo@MoveOnBoot 1.9.5
Google Earth
HijackThis 1.99.1
HttpWatch 3.2.0.67
Intel A/V Codecs V2.0
Intel Application Accelerator
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
KeePass Password Safe 1.06
Last.fm 1.1.0.0
Microsoft Office 2000 Premium
mIRC
Mozilla Firefox (1.5.0.9)
Mozilla Thunderbird (1.5.0.9)
Mp3tag v2.37a
Music Label 2007 v13.0.1
PowerDVD
Quake III Arena
QuickTime Alternative 1.69
Real Alternative 1.29
Scrabble Blast Deluxe
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
SoulSeek Client 156c
Spybot - Search & Destroy 1.4
Trillian
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinRAR archiver
Wireless PCI Card Configuration Utility
XP Codec Pack
ZoneAlarm
Zortam ID3 Tag Editor
Epic2112
Active Member
 
Posts: 14
Joined: January 7th, 2007, 5:54 am
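The autostart log above is long, and what a helper scans it for first are registrations that point nowhere: entries whose target is marked /*file not found*/ or is (null). The following is an added example, not GMER's code and not from this thread, that parses the log's two record shapes (a `key >>>` header followed by `@name[comment]target = target` lines, and single-line `key@name = value` records) and lists those orphaned registrations. The embedded sample is an excerpt of the log posted above; the flag names are this example's own.

```python
"""Find orphaned autostart registrations in a GMER 'Autostart scan' log.

Added example; this is not GMER's or MalwareRemoval.com's code. It reads the
'key >>>' sections and the single-line 'key@name = value' records of the log
posted above and reports entries whose target is marked /*file not found*/ or
is (null): registrations that point nowhere and that a helper looks at first.
"""
import re

# Excerpt of the autostart log posted above (a few sections, quoted verbatim).
SAMPLE_AUTOSTART = r"""GMER 1.0.12.12011 - http://www.gmer.net
Autostart scan 2007-01-11 00:34:57
Windows 5.1.2600 Service Pack 2

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@MSConfigC:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto = C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
@Zone Labs Client"C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks >>>
@{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}C:\Program Files\Eudora\EuShlExt.dll /*file not found*/ = C:\Program Files\Eudora\EuShlExt.dll /*file not found*/
@{5BACC17E-BDF7-405B-BC68-ECB506395118}(null) =

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) =
@{D44E22BD-2D2C-4F13-BF1B-2DB458FD0C2C} /*KernelExtExt Extension*/C:\WINDOWS\System32\krnsvr32.dll /*file not found*/ = C:\WINDOWS\System32\krnsvr32.dll /*file not found*/
@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} /*AVG7 Shell Extension*/C:\Program Files\Grisoft\AVG Free\avgse.dll = C:\Program Files\Grisoft\AVG Free\avgse.dll

HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved@{BDEADF00-C265-11d0-BCED-00A0C90AB50F} /*Web Folders*/ = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL

---- EOF - GMER 1.0.12 ----
"""

COMMENT_RE = re.compile(r"/\*(.*?)\*/")
# Lazy left side: the first whitespace-then-'=' is the separator, so '=' inside URLs survives.
ENTRY_RE = re.compile(r"^(.*?)\s+=\s*(.*)$")


def _entry_name(left, right):
    """Recover the value name from the left side of 'name[comment]target = target'."""
    name_part = left[:-len(right)] if right and left.endswith(right) else left
    name_part = COMMENT_RE.sub("", name_part).strip()
    if name_part.endswith("(null)"):
        name_part = name_part[:-len("(null)")].strip()
    if name_part.startswith("@"):
        return name_part[1:].strip()
    return name_part.split("@", 1)[0].strip() or right  # 'name@value' records, or bare .lnk names


def parse_autostart_log(text):
    """Return one dict per registration: key, name, description, target, flags."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(">>>"):
            section = line[:-3].strip()
            continue
        if line.startswith(("HKLM\\", "HKCU\\")):
            key, _, line = line.partition("@")  # single-line 'key@name = value' record
        else:
            key = section
        m = ENTRY_RE.match(line)
        if m is None or key is None:
            continue  # header, footer, or a line that carries no value
        left, right = m.group(1), m.group(2)
        comments = COMMENT_RE.findall(left)
        flags = []
        if "file not found" in comments:
            flags.append("file not found")
        if right == "" or left.endswith("(null)"):
            flags.append("empty target")
        entries.append({
            "key": key,
            "name": _entry_name(left, right),
            "description": next((c for c in comments if c != "file not found"), ""),
            "target": COMMENT_RE.sub("", right).strip(),
            "flags": flags,
        })
    return entries


def orphaned_entries(entries):
    """Registrations whose target is missing or empty, in log order."""
    return [e for e in entries if e["flags"]]


if __name__ == "__main__":
    for e in orphaned_entries(parse_autostart_log(SAMPLE_AUTOSTART)):
        print(f"{', '.join(e['flags'])}: {e['key']} -> {e['name']} {e['description']!r}")
```

An orphaned entry is not proof of anything by itself (an uninstalled mail client leaves one behind too), but every such line is one a helper either ties to a known, removed program or investigates further.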

Unread postby Epic2112 » January 9th, 2007, 3:42 am

I should also mention that if I try to boot into safe mode, the computer still just begins to boot for a few seconds, and then restarts.
Epic2112
Active Member
 
Posts: 14
Joined: January 7th, 2007, 5:54 am

Unread postby John B. » January 10th, 2007, 11:13 am

Hi,

I'm sorry for the delay, I had to do some research :)

.text ntoskrnl.exe!_abnormal_termination + 104 804E2760 12 Bytes [ 60, 0C, F2, B2, E0, 6E, F2, ... ]
.text ntoskrnl.exe!_abnormal_termination + 104 804E2760 12 Bytes [ 60, 0C, F2, B2, E0, 6E, F2, ... ]

This means there's something wrong with the ntoskrnl.exe from Windows. Luckily there's always a back up.

Step 1: Replace a file
  • Go to C:\Windows\Driver Cache\i386\
  • Select ntoskrnl.exe and press Ctrl + c
  • Go to C:\windows\system32\
  • Press Ctrl + v and click OK to overwrite
Step 2: Update Java
Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java(TM) SE Runtime Environment 6.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.

Step 3: Run Gmer
Disconnect from internet and close running programs.
There is a small chance this application may crash your computer so save any work you have open.
Double click gmer.exe.
Let the gmer.sys driver load if asked.
If it gives you a warning at program start about rootkit activity and asks if you want to run scan...say Ok.
If no warning....
Click the rootkit tab
To the right of the program you will see a bunch of boxes that have been checked... leave everything checked. Then click the Scan button. Wait for the scan to finish.
Once done click the Copy button.
Open Notepad and hit ctrl+v to paste the log. Save the log to your desktop please.

Click the >>> tab. This will open up all available tabs for you.
Click the Autostart tab then the scan button. Once its done click the Copy button and paste it into a new notepad document. Save that document to your desktop please.

Step 4: Post logs
* Gmer log
* Tell me if you're still having any problems

Greets, John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Unread postby Epic2112 » January 11th, 2007, 3:51 am

Hi John, here are the logs. There is one problem that I have found: I am still unable to boot into safe mode. If I try to boot into any safe mode, the computer begins to boot, but resets itself and I am brought back to the screen where I can choose to boot into safe mode, normally, etc. The only way I am able to boot is normally.

Here is the gmer log:

GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2007-01-11 00:29:45
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey
SSDT \SystemRoot\System32\vsdatant.sys ZwCreatePort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcessEx
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateWaitablePort
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!_abnormal_termination + 104 804E2760 12 Bytes CALL 68BD0817
.text ntoskrnl.exe!_abnormal_termination + 104 804E2760 12 Bytes CALL 68BD0817

---- Devices - GMER 1.0.12 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [B2E922A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [B2E922A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [B2E922A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F8ACC85A] avgtdi.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [B2E922A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [B2E922A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [B2E922A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [B2E922A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F8ACC85A] avgtdi.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [B2E922A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [B2E922A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [B2E922A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [B2E922A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F8ACC85A] avgtdi.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [B2E922A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [B2E922A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [B2E922A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [B2E922A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F8ACC85A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [B2E922A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [B2E922A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [B2E922A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [B2E922A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F8ACC85A] avgtdi.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [B2E922A0] vsdatant.sys

---- Files - GMER 1.0.12 ----

ADS C:\Documents and Settings\All Users\Application Data\TEMP:FDBA7498

---- EOF - GMER 1.0.12 ----


and the autostart log:

GMER 1.0.12.12011 - http://www.gmer.net
Autostart scan 2007-01-11 00:34:57
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
AtiExtEvent@DLLName = Ati2evxx.dll
WgaLogon@DLLName = WgaLogon.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
ATI Smart /*ATI Smart*/@ = C:\WINDOWS\system32\ati2sgag.exe
Avg7Alrt /*AVG7 Alert Manager Server*/@ = C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
Avg7UpdSvc /*AVG7 Update Service*/@ = C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
AVGEMS /*AVG E-mail Scanner*/@ = C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
Spooler /*Print Spooler*/@ = %SystemRoot%\system32\spoolsv.exe
UMWdf /*Windows User Mode Driver Framework*/@ = C:\WINDOWS\system32\wdfmgr.exe
vsmon /*TrueVector Internet Monitor*/@ = C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@MSConfigC:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto = C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
@Zone Labs Client"C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
@AVG7_CCC:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
@SunJavaUpdateSched"C:\Program Files\Java\jre1.6.0\bin\jusched.exe" = "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@getmail"C:\Program Files\GetMail\GetMail.exe" = "C:\Program Files\GetMail\GetMail.exe"
@EarthWatcherC:\Program Files\EarthWatcher\EarthWatcher.exe = C:\Program Files\EarthWatcher\EarthWatcher.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks >>>
@{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}C:\Program Files\Eudora\EuShlExt.dll /*file not found*/ = C:\Program Files\Eudora\EuShlExt.dll /*file not found*/
@{5BACC17E-BDF7-405B-BC68-ECB506395118}(null) =

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) =
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\System32\extmgr.dll = C:\WINDOWS\System32\extmgr.dll
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Program Files\WinRAR\rarext.dll = C:\Program Files\WinRAR\rarext.dll
@{EDB0E980-90BD-11D4-8599-0008C7D3B6F8} /*Eudora's Shell Extension*/C:\Program Files\Eudora\EuShlExt.dll /*file not found*/ = C:\Program Files\Eudora\EuShlExt.dll /*file not found*/
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/C:\Program Files\Real Alternative\rpshell.dll = C:\Program Files\Real Alternative\rpshell.dll
@{FED7043D-346A-414D-ACD7-550D052499A7} /*dBpowerAMP Music Converter 1*/C:\Program Files\dBpowerAMP\dBShell.dll = C:\Program Files\dBpowerAMP\dBShell.dll
@{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5} /*dBpowerAMP Music Converter*/C:\Program Files\dBpowerAMP\dMCShell.dll = C:\Program Files\dBpowerAMP\dMCShell.dll
@{D44E22BD-2D2C-4F13-BF1B-2DB458FD0C2C} /*KernelExtExt Extension*/C:\WINDOWS\System32\krnsvr32.dll /*file not found*/ = C:\WINDOWS\System32\krnsvr32.dll /*file not found*/
@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} /*AVG7 Shell Extension*/C:\Program Files\Grisoft\AVG Free\avgse.dll = C:\Program Files\Grisoft\AVG Free\avgse.dll
@{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} /*AVG7 Find Extension*/C:\Program Files\Grisoft\AVG Free\avgse.dll = C:\Program Files\Grisoft\AVG Free\avgse.dll

HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved@{BDEADF00-C265-11d0-BCED-00A0C90AB50F} /*Web Folders*/ = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
AVG7 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
moveonboot_delete@{12B23346-6BD8-4812-BF8C-75E7C386ACB8} = C:\Program Files\GiPo@MoveOnBoot\mboot.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
AVG7 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{53707962-6F74-2D53-2644-206D7942484F}C:\Program Files\Spybot - Search & Destroy\SDHelper.dll = C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}C:\Program Files\Java\jre1.6.0\bin\ssv.dll = C:\Program Files\Java\jre1.6.0\bin\ssv.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.straightdope.com/ = http://www.straightdope.com/
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\System32\itss.dll
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\System32\itss.dll
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll

HKLM\Software\Classes\PROTOCOLS\Handler\wia@CLSID = C:\WINDOWS\System32\wiascr.dll

C:\Documents and Settings\All Users\Start Menu\Programs\Startup >>>
Adobe Gamma Loader.lnk = Adobe Gamma Loader.lnk
Microsoft Office.lnk = Microsoft Office.lnk

---- EOF - GMER 1.0.12 ----


Thanks
Epic2112
Active Member
 
Posts: 14
Joined: January 7th, 2007, 5:54 am
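The two `.text ntoskrnl.exe!_abnormal_termination` lines that John singled out, together with the SSDT, device and ADS records in the rootkit-scan log above, can be read mechanically. The following is an added example, not GMER's code and not from this thread, that parses those four record types and ranks them: a modified kernel code section is always reported first, hooks are grouped by the module that owns them, and an alternate data stream is listed for inspection. It assumes that vsdatant.sys (ZoneAlarm's TrueVector, per the services list in the autostart log) and avgtdi.sys (AVG) are the security-product drivers whose hooks are expected; the severity labels are this example's own.

```python
"""Triage a GMER 'Rootkit scan' log.

Added example; not GMER's or MalwareRemoval.com's code. It parses the four record
types in the log posted above (SSDT hooks, patched kernel code sections, device IRP
hooks, alternate data streams) and ranks them: an inline patch inside ntoskrnl.exe
is always worth a closer look, hooks owned by a known security product are noise.
"""
import re

# Assumption for this example: these drivers belong to the firewall (ZoneAlarm's
# TrueVector, vsdatant.sys) and antivirus (AVG, avgtdi.sys) seen elsewhere in the
# thread, so hooks they own are informational. Hooks by any other module are flagged.
KNOWN_SECURITY_DRIVERS = {"vsdatant.sys", "avgtdi.sys"}

# Excerpt of the rootkit-scan log posted above, embedded so the example runs offline.
SAMPLE_LOG = r"""GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2007-01-11 00:29:45

---- System - GMER 1.0.12 ----

SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!_abnormal_termination + 104 804E2760 12 Bytes CALL 68BD0817
.text ntoskrnl.exe!_abnormal_termination + 104 804E2760 12 Bytes CALL 68BD0817

---- Devices - GMER 1.0.12 ----

Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [B2E922A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F8ACC85A] avgtdi.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [B2E922A0] vsdatant.sys

---- Files - GMER 1.0.12 ----

ADS C:\Documents and Settings\All Users\Application Data\TEMP:FDBA7498

---- EOF - GMER 1.0.12 ----
"""

SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(\w+)$")
CODE_RE = re.compile(r"^\.(\w+)\s+(\S+)\s+\+\s+([0-9A-Fa-f]+)\s+([0-9A-Fa-f]+)\s+(\d+)\s+Bytes\s+(.*)$")
DEVICE_RE = re.compile(r"^Device\s+(\S+)\s+(\S+)\s+(IRP_MJ_\w+)\s+\[([0-9A-Fa-f]+)\]\s+(\S+)$")
ADS_RE = re.compile(r"^ADS\s+(.+)$")


def _module_name(path):
    # Last path component, lower-cased: \SystemRoot\System32\vsdatant.sys -> vsdatant.sys
    return path.rsplit("\\", 1)[-1].lower()


def parse_gmer_log(text):
    """Return the log's records grouped by record type."""
    out = {"ssdt": [], "code_sections": [], "devices": [], "ads": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = SSDT_RE.match(line)
        if m:
            out["ssdt"].append({"module": _module_name(m.group(1)), "function": m.group(2)})
            continue
        m = CODE_RE.match(line)
        if m:
            out["code_sections"].append({
                "section": m.group(1), "symbol": m.group(2), "offset": m.group(3),
                "address": m.group(4).upper(), "size": int(m.group(5)), "detail": m.group(6)})
            continue
        m = DEVICE_RE.match(line)
        if m:
            out["devices"].append({
                "driver": m.group(1), "device": m.group(2), "irp": m.group(3),
                "handler": m.group(4).upper(), "module": m.group(5).lower()})
            continue
        m = ADS_RE.match(line)
        if m:
            out["ads"].append(m.group(1))
    return out


def triage(parsed, known_modules=KNOWN_SECURITY_DRIVERS):
    """Rank records: 'high' for kernel code patches, 'review' for hooks by unknown
    modules and for ADS entries, 'info' for hooks owned by known security drivers."""
    findings, seen = [], set()
    for cs in parsed["code_sections"]:
        key = (cs["symbol"], cs["address"])
        if key not in seen:  # GMER listed the same patch twice in the log above
            seen.add(key)
            findings.append(("high", "kernel code patch",
                             f"{cs['symbol']} + {cs['offset']} @ {cs['address']}",
                             f"{cs['size']} bytes modified: {cs['detail']}"))
    hooks = {}
    for h in parsed["ssdt"]:
        hooks.setdefault(("SSDT hook", h["module"]), []).append(h["function"])
    for d in parsed["devices"]:
        hooks.setdefault(("IRP hook", d["module"]), []).append(f"{d['device']} {d['irp']}")
    for (kind, module), items in hooks.items():
        sev = "info" if module in known_modules else "review"
        findings.append((sev, kind, module, f"{len(items)} hook(s), e.g. {items[0]}"))
    for stream in parsed["ads"]:
        findings.append(("review", "alternate data stream", stream, "inspect the stream's contents"))
    order = {"high": 0, "review": 1, "info": 2}
    findings.sort(key=lambda f: order[f[0]])
    return [dict(zip(("severity", "kind", "subject", "note"), f)) for f in findings]


if __name__ == "__main__":
    for f in triage(parse_gmer_log(SAMPLE_LOG)):
        print(f"[{f['severity']:6}] {f['kind']}: {f['subject']} -- {f['note']}")
```

The whitelist is the part to treat with care: the same firewall and antivirus hooks that are noise on this machine would be the finding on a machine where those products are not installed, which is why the function takes the set as a parameter rather than baking it in.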

Unread postby John B. » January 11th, 2007, 3:56 pm

Hi,

We're going on searching for the 'abnormal termination' issue.

Make a Bootlog
A bootlog is a file where windows writes down which drivers are loaded and which not during startup.
Using Windows explorer, see if you find c:\windows\ntbtlog.txt - If it exists, delete the file.
  • Click Start then Run and type in msconfig in the edit box and hit Enter or click Ok
  • Click on the boot.ini tab and check the box that says /BOOTLOG
  • Click Apply & Ok and reboot the PC (may take a bit longer to boot)
  • After it reboots, you will get a message that msconfig has been used to change your start settings.
  • In msconfig, Check Normal Startup on the GENERAL tab, and on the BOOT.INI tab, Uncheck /BOOTLOG. Click Apply, OK.
  • When a message asks if you want to Reboot now, Click Exit Without Reboot. You don't need to.
  • Using Windows Explorer, locate c:\windows\ntbtlog.txt and post the content of the file.

Greets, John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Unread postby Epic2112 » January 17th, 2007, 2:02 pm

Hi John, sorry it took me so long, I was out of town for a few days. Here is the bootlog:

Service Pack 2 1 17 2007 10:55:45.500
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver \WINDOWS\system32\KDCOM.DLL
Loaded driver \WINDOWS\system32\BOOTVID.dll
Loaded driver ACPI.sys
Loaded driver \WINDOWS\System32\DRIVERS\WMILIB.SYS
Loaded driver pci.sys
Loaded driver isapnp.sys
Loaded driver ohci1394.sys
Loaded driver \WINDOWS\System32\DRIVERS\1394BUS.SYS
Loaded driver pciide.sys
Loaded driver \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
Loaded driver intelide.sys
Loaded driver MountMgr.sys
Loaded driver ftdisk.sys
Loaded driver dmload.sys
Loaded driver dmio.sys
Loaded driver PartMgr.sys
Loaded driver IdeBusDr.sys
Loaded driver VolSnap.sys
Loaded driver IdeChnDr.sys
Loaded driver atapi.sys
Loaded driver fasttx2k.sys
Loaded driver \WINDOWS\System32\DRIVERS\SCSIPORT.SYS
Loaded driver disk.sys
Loaded driver \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
Loaded driver fltmgr.sys
Loaded driver PxHelp20.sys
Loaded driver KSecDD.sys
Loaded driver Ntfs.sys
Loaded driver NDIS.sys
Loaded driver srescan.sys
Loaded driver Mup.sys
Loaded driver agp440.sys
Loaded driver \SystemRoot\System32\DRIVERS\intelppm.sys
Loaded driver \SystemRoot\System32\DRIVERS\ati2mtag.sys
Loaded driver \SystemRoot\System32\DRIVERS\usbuhci.sys
Loaded driver \SystemRoot\System32\DRIVERS\usbehci.sys
Loaded driver \SystemRoot\System32\DRIVERS\b57xp32.sys
Loaded driver \SystemRoot\System32\DRIVERS\USRpdA.sys
Loaded driver \SystemRoot\System32\Drivers\Modem.SYS
Loaded driver \SystemRoot\System32\DRIVERS\fdc.sys
Loaded driver \SystemRoot\System32\DRIVERS\parport.sys
Loaded driver \SystemRoot\System32\DRIVERS\serial.sys
Loaded driver \SystemRoot\System32\DRIVERS\serenum.sys
Loaded driver \SystemRoot\System32\DRIVERS\i8042prt.sys
Loaded driver \SystemRoot\System32\DRIVERS\kbdclass.sys
Loaded driver \SystemRoot\System32\DRIVERS\mouclass.sys
Loaded driver \SystemRoot\System32\DRIVERS\gameenum.sys
Loaded driver \SystemRoot\System32\DRIVERS\imapi.sys
Loaded driver \SystemRoot\System32\DRIVERS\cdrom.sys
Loaded driver \SystemRoot\System32\DRIVERS\redbook.sys
Loaded driver \SystemRoot\system32\drivers\smwdm.sys
Loaded driver \SystemRoot\system32\drivers\aeaudio.sys
Loaded driver \SystemRoot\System32\DRIVERS\audstub.sys
Loaded driver \SystemRoot\System32\DRIVERS\rasl2tp.sys
Loaded driver \SystemRoot\System32\DRIVERS\ndistapi.sys
Loaded driver \SystemRoot\System32\DRIVERS\ndiswan.sys
Loaded driver \SystemRoot\System32\DRIVERS\raspppoe.sys
Loaded driver \SystemRoot\System32\DRIVERS\raspptp.sys
Loaded driver \SystemRoot\System32\DRIVERS\msgpc.sys
Loaded driver \SystemRoot\System32\DRIVERS\psched.sys
Loaded driver \SystemRoot\System32\DRIVERS\ptilink.sys
Loaded driver \SystemRoot\System32\DRIVERS\raspti.sys
Loaded driver \SystemRoot\System32\DRIVERS\rdpdr.sys
Loaded driver \SystemRoot\System32\DRIVERS\termdd.sys
Loaded driver \SystemRoot\System32\DRIVERS\swenum.sys
Loaded driver \SystemRoot\System32\DRIVERS\update.sys
Loaded driver \SystemRoot\System32\DRIVERS\mssmbios.sys
Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Loaded driver \SystemRoot\System32\DRIVERS\usbhub.sys
Loaded driver \SystemRoot\System32\DRIVERS\flpydisk.sys
Did not load driver \SystemRoot\System32\Drivers\lbrtfdc.SYS
Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS
Did not load driver \SystemRoot\System32\Drivers\i2omgmt.SYS
Did not load driver \SystemRoot\System32\Drivers\Changer.SYS
Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS
Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS
Loaded driver \SystemRoot\System32\Drivers\Null.SYS
Loaded driver \SystemRoot\System32\Drivers\Beep.SYS
Loaded driver \SystemRoot\System32\DRIVERS\AvgAsCln.sys
Loaded driver \SystemRoot\System32\Drivers\avgclean.sys
Loaded driver \SystemRoot\System32\drivers\vga.sys
Loaded driver \SystemRoot\System32\Drivers\mnmdd.SYS
Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys
Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS
Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS
Loaded driver \SystemRoot\System32\DRIVERS\rasacd.sys
Loaded driver \SystemRoot\System32\DRIVERS\ipsec.sys
Loaded driver \SystemRoot\System32\DRIVERS\tcpip.sys
Loaded driver \SystemRoot\System32\DRIVERS\netbt.sys
Loaded driver \SystemRoot\System32\vsdatant.sys
Loaded driver \SystemRoot\System32\drivers\afd.sys
Loaded driver \SystemRoot\System32\DRIVERS\netbios.sys
Did not load driver \SystemRoot\System32\DRIVERS\processr.sys
Did not load driver \SystemRoot\System32\Drivers\PCIDump.SYS
Loaded driver \SystemRoot\System32\DRIVERS\rdbss.sys
Loaded driver \SystemRoot\System32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\System32\DRIVERS\wanarp.sys
Loaded driver \SystemRoot\System32\Drivers\Fips.SYS
Loaded driver \SystemRoot\System32\Drivers\avg7core.sys
Loaded driver \SystemRoot\System32\Drivers\avg7rsw.sys
Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS
Loaded driver \SystemRoot\System32\Drivers\avg7rsxp.sys
Loaded driver \SystemRoot\System32\Drivers\Fastfat.SYS
Did not load driver \SystemRoot\System32\DRIVERS\rdbss.sys
Did not load driver \SystemRoot\System32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\system32\drivers\wdmaud.sys
Loaded driver \SystemRoot\system32\drivers\sysaudio.sys
Loaded driver \SystemRoot\system32\drivers\splitter.sys
Loaded driver \SystemRoot\system32\drivers\aec.sys
Loaded driver \SystemRoot\system32\drivers\swmidi.sys
Loaded driver \SystemRoot\system32\drivers\DMusic.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Loaded driver \SystemRoot\system32\drivers\drmkaud.sys
Loaded driver \SystemRoot\System32\DRIVERS\mrxdav.sys
Loaded driver \SystemRoot\System32\Drivers\ParVdm.SYS
Loaded driver \SystemRoot\System32\Drivers\avgtdi.sys
Did not load driver \SystemRoot\System32\Drivers\Fastfat.SYS
Loaded driver \??\C:\WINDOWS\system32\drivers\hardlock.sys
Did not load driver \??\C:\WINDOWS\system32\MZU_DRV.sys
Loaded driver \??\C:\WINDOWS\system32\drivers\tmcomm.sys
Loaded driver \SystemRoot\System32\DRIVERS\srv.sys
Loaded driver \SystemRoot\System32\Drivers\HTTP.sys
Epic2112
Active Member
 
Posts: 14
Joined: January 7th, 2007, 5:54 am
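A boot log like the one above is read by grouping its lines rather than line by line. The following is an added example, not part of the original post and not a tool from the thread, that parses the `Loaded driver` / `Did not load driver` lines and sorts the drivers into the lists a reviewer wants first: drivers that never loaded, repeat failures of a driver that had already loaded, drivers registered with an absolute `\??\` path, and `.sys` files sitting in system32 itself rather than in system32\drivers. The sample is an excerpt of the posted log; which of the surfaced entries is legitimate is a judgement the helper makes from other evidence, the code only sorts. Treating a "Did not load" that follows a successful load of the same file as a repeat attempt is an assumption of this example.

```python
r"""Summarise a Windows XP boot log (ntbtlog.txt).

Added example, not part of the original post. It parses the 'Loaded driver' and
'Did not load driver' lines from the log posted above and groups the drivers by
where the loader found them, so the entries worth a closer look (absolute \??\
registrations, .sys files in system32 itself, drivers that never loaded) stand out.
"""
import re

# Excerpt of the bootlog posted above (lines quoted verbatim, order preserved).
SAMPLE_BOOTLOG = r"""Service Pack 2 1 17 2007 10:55:45.500
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver ACPI.sys
Loaded driver \WINDOWS\System32\DRIVERS\WMILIB.SYS
Loaded driver \SystemRoot\System32\DRIVERS\tcpip.sys
Loaded driver \SystemRoot\System32\vsdatant.sys
Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\System32\Drivers\lbrtfdc.SYS
Loaded driver \??\C:\WINDOWS\system32\drivers\hardlock.sys
Did not load driver \??\C:\WINDOWS\system32\MZU_DRV.sys
Loaded driver \??\C:\WINDOWS\system32\drivers\tmcomm.sys
Loaded driver \SystemRoot\System32\DRIVERS\srv.sys
"""

LINE_RE = re.compile(r"^(Loaded driver|Did not load driver)\s+(\S.*?)\s*$")


def classify_location(path):
    """Where the driver image lives, judged from the path the loader recorded."""
    p = path.lower()
    if "\\" not in p:
        return "boot driver (bare name)"  # early boot-start drivers are logged by name only
    if "\\drivers\\" in p:
        return "system32\\drivers"
    if "\\system32\\" in p:
        return "system32 root"
    return "other"


def parse_bootlog(text):
    """One dict per driver line: loaded flag, path, file name, location class, absolute flag."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m is None:
            continue  # the 'Service Pack 2 <timestamp>' header or an unrelated line
        path = m.group(2)
        entries.append({
            "loaded": m.group(1) == "Loaded driver",
            "path": path,
            "name": path.rsplit("\\", 1)[-1],
            "location": classify_location(path),
            "absolute": path.startswith("\\??\\"),  # registered with a full NT path
        })
    return entries


def summarize_bootlog(entries):
    """Group the entries into the lists a reviewer wants to see first."""
    loaded_before = set()
    summary = {"loaded": [], "retry_failures": [], "failed_never_loaded": [],
               "absolute_path": [], "sys_outside_drivers_dir": []}
    for e in entries:
        key = e["name"].lower()
        if e["loaded"]:
            summary["loaded"].append(e["name"])
            loaded_before.add(key)
        elif key in loaded_before:
            # Assumption of this example: a failure logged after a successful load of
            # the same file is a repeat load attempt, not a missing driver.
            summary["retry_failures"].append(e["name"])
        else:
            summary["failed_never_loaded"].append(e["name"])
        if e["absolute"] and e["name"] not in summary["absolute_path"]:
            summary["absolute_path"].append(e["name"])
        if (key.endswith(".sys") and e["location"] == "system32 root"
                and e["name"] not in summary["sys_outside_drivers_dir"]):
            summary["sys_outside_drivers_dir"].append(e["name"])
    return summary


if __name__ == "__main__":
    s = summarize_bootlog(parse_bootlog(SAMPLE_BOOTLOG))
    for group in ("failed_never_loaded", "retry_failures", "absolute_path", "sys_outside_drivers_dir"):
        print(f"{group}: {', '.join(s[group]) or '-'}")
```

Run against the full log, the same four lists are what to compare against the machine's installed software: every driver in the absolute-path and system32-root lists should be accounted for by a product the owner recognises.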

Unread postby John B. » January 18th, 2007, 11:56 am

Hi,

I'm afraid I have unpleasant news for you. You have a Very Dangerous infection on this machine.
The infection is delivered by Troj/DwnLdr-FTB ( http://www.sophos.com/security/analyses ... drftb.html )
It allows outsiders COMPLETE access to every keystroke, account, and password you use while on this machine, and complete access to any other data present...
IF this computer has been used for any kind of important data, my best recommendation is to Disconnect from Internet, Re-Format the entire drive and re-install your Operating system and Applications.

Fixing this probably isn't an option as this trojan is hiding other remote access trojans and we will never be able to tell you that your computer is 100% clean!

If the Computer has been used for any important data, you are strongly advised to do the following, immediately:
  • Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned.
  • Back up all important data on the machine. Do not back up any Applications (programs). Those should be re-installed from the original source CDs or websites.
  • If you have ever used this computer for shopping, banking, or any transactions relating to your financial well being:
    Call all of your banks, credit card companies, and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change ALL your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
  • DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
  • Take any other steps you think appropriate for an attempted identity theft.

While you are thinking about ReFormat and Re-Install, a useful link is here: http://www.dslreports.com/faq/10063
Please let me know if you agree to Reformat and Re-install and I will help you to do this well and safely!!

Greets, John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Unread postby Epic2112 » January 18th, 2007, 3:19 pm

Hi John, it feels like we are going in circles :(. As I said before, this is a home computer that is used mostly for video games and listening to music, so there isn't any sensitive business or banking information on it. Is there any hope to cleaning it off?
Epic2112
Active Member
 
Posts: 14
Joined: January 7th, 2007, 5:54 am

Unread postby John B. » January 19th, 2007, 3:07 pm

Hi,

We're working on a fix at the moment as rootkits aren't easy to remove and we've got to be sure how to treat this thing. Please stay with us.

Greets, John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands