Laptop with trojans and spyware


Post by mdr » September 25th, 2007, 2:13 am

Well, I cleaned some things in the root of C: and ran Symantec after that.
It found nothing.
Another run with Kaspersky gave the following results. So, how to get rid of this last (left over) dll it found?

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, September 25, 2007 8:01:24 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 25/09/2007
Kaspersky Anti-Virus database records: 423071
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 55577
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 00:55:00

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\Eigenaar\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Eigenaar\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Eigenaar\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Eigenaar\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Eigenaar\Local Settings\Geschiedenis\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Eigenaar\Local Settings\Geschiedenis\History.IE5\MSHist012007092520070926\index.dat Object is locked skipped
C:\Documents and Settings\Eigenaar\Local Settings\Temp\~DF2FDD.tmp Object is locked skipped
C:\Documents and Settings\Eigenaar\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Eigenaar\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Eigenaar\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Eigenaar\UserData\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Geschiedenis\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMNot.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMReg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMRSt.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
C:\Program Files\Symantec AntiVirus\SAVRT\0036NAV~.TMP Object is locked skipped
C:\Program Files\Symantec AntiVirus\SAVRT\0763NAV~.TMP Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{1FA7A7E6-3518-483B-B938-7146846C9B92}\RP2\A0000008.dll Infected: Trojan.Win32.BHO.dm skipped
C:\System Volume Information\_restore{1FA7A7E6-3518-483B-B938-7146846C9B92}\RP7\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\Internet Logs\UW-9F9E2F53B969.ldb Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
mdr
Regular Member
 
Posts: 23
Joined: September 13th, 2007, 11:19 am
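An added example, not part of the thread: a small Python parser for the Kaspersky Online Scanner report format quoted above. It separates the one real detection from the long tail of "Object is locked skipped" lines (registry hives, event logs and index.dat files that were open and therefore never scanned), and it flags that the hit lives in a System Restore point, which is why the follow-up advice is to clean System Restore rather than hunt for a live DLL. The sample report is a constructed three-line excerpt in the same line format; the line grammar is assumed from the quoted report.

```python
import re
from dataclasses import dataclass

# Constructed excerpt in the line format of the Kaspersky Online Scanner report
# quoted in the thread (three of its lines, not the full report).
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Eigenaar\NTUSER.DAT Object is locked skipped
C:\System Volume Information\_restore{1FA7A7E6-3518-483B-B938-7146846C9B92}\RP2\A0000008.dll Infected: Trojan.Win32.BHO.dm skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped

Scan process completed.
"""

# Line grammar assumed from the quoted report: "<path> Infected: <signature> <action>"
# for detections and "<path> Object is locked skipped" for files the scanner could
# not open. Paths contain spaces, so the path group is non-greedy.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<kind>Infected|Suspicious):\s+(?P<sig>\S+)\s+(?P<action>\w+)\s*$")
LOCKED_RE = re.compile(r"^(?P<path>.+?)\s+Object is locked skipped\s*$")
# Windows XP System Restore keeps copies of changed files under
# <drive>:\System Volume Information\_restore{GUID}\RP<n>\ .
RESTORE_POINT_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\", re.IGNORECASE)


@dataclass(frozen=True)
class Detection:
    path: str
    kind: str        # "Infected" or "Suspicious"
    signature: str   # e.g. Trojan.Win32.BHO.dm
    action: str      # the scanner's last action; "skipped" on a report-only run

    @property
    def in_restore_point(self) -> bool:
        """True when the hit is a System Restore copy rather than a live file."""
        return RESTORE_POINT_RE.search(self.path) is not None


def parse_report(text: str):
    """Split the report into detections and locked (never scanned) objects."""
    detections, locked = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := DETECTION_RE.match(line):
            detections.append(Detection(m["path"], m["kind"], m["sig"], m["action"]))
        elif m := LOCKED_RE.match(line):
            locked.append(m["path"])
    return detections, locked


def remediation_plan(detections):
    """One (path, advice) pair per detection, keyed on where the file lives.

    A hit inside a restore point is not an active infection: that copy only
    comes back if the restore point is rolled back. The fix is to purge System
    Restore (disable it, reboot, re-enable) so the RP copies are discarded,
    which is what "clean the system restore" in the thread means. A hit
    anywhere else is a live file and needs quarantine or removal.
    """
    plan = []
    for d in detections:
        if d.in_restore_point:
            plan.append((d.path, "restore-point copy: purge System Restore"))
        else:
            plan.append((d.path, "live file: quarantine or delete, then rescan"))
    return plan


if __name__ == "__main__":
    dets, locked = parse_report(SAMPLE_REPORT)
    print(f"{len(dets)} detection(s), {len(locked)} locked object(s) never scanned")
    for path, advice in remediation_plan(dets):
        print(f"  {path}\n    -> {advice}")
```

The locked list is worth keeping rather than discarding: every hive and log under system32\config was skipped, so a clean result from this scanner says nothing about what is inside those files. The hit's last action is "skipped" because the online scanner reports and does not disinfect, so the follow-up is always manual.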

Post by Mr_JAk3 » September 25th, 2007, 2:07 pm

Hello :)

Ok good work.

So slow it is. You have some unnecessary programs loading with Windows. There is no need for the following to start automatically. If you want to free some memory and speed up the startup a bit, just fix the following entries with HijackThis (just my list, you may leave the ones that you want):
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Control Center] C:\Program Files\WLAN Card Utilities\Center.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe


Also here are some speeding tips -> Help! My computer is slow! by miekiemoes

Then the leftover. If everything is running fine you can clean the system restore.

You can remove the tools we used.

=============

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:


Stay clean and be safe ;)
Mr_JAk3
MRU Teacher Emeritus
 
Posts: 3023
Joined: April 16th, 2006, 1:52 pm
Location: Finland

Post by mdr » September 30th, 2007, 7:20 am

OK, Kaspersky online finds nothing anymore, but I'm still not sure the computer is clean.
Symantec still gives a (temporary) pop-up from the windows security center that it has been disabled and I do not like the veeeeeery long disk activity.
So I ran the Rootkitrevealer downloaded from Microsoft and found a data mismatch in a file ggdaulpr.exe in the system32 folder. Also a lot of hidden Messenger files. Now, ggdaulpr.exe does not produce any hits in Google? Strange....
Furthermore, when I try to save the txt-file produced by Rootkitrevealer, the computer "hangs": the file isn't being saved and a svchost.exe process starts taking (and keeps taking forever) 99% CPU-time.
Any ideas?
mdr
Regular Member
 
Posts: 23
Joined: September 13th, 2007, 11:19 am

Post by Mr_JAk3 » September 30th, 2007, 10:25 am

Hi :)

Ok so you think there is something running in the background. We'll do a little research then.


Please run a GMER Rootkit scan:

Download GMER's application from here:
http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

Warning ! Please, do not select the "Show all" checkbox during the scan.
Mr_JAk3
MRU Teacher Emeritus
 
Posts: 3023
Joined: April 16th, 2006, 1:52 pm
Location: Finland

Post by mdr » September 30th, 2007, 2:22 pm

Well, this is the result of the Gmer scan.

GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-09-30 20:14:23
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.13 ----

SSDT FFAACFD0 ZwAlertResumeThread
SSDT FFAAD8E0 ZwAlertThread
SSDT FFAAEB10 ZwAllocateVirtualMemory
SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey
SSDT FFAACD30 ZwCreateMutant
SSDT \SystemRoot\System32\vsdatant.sys ZwCreatePort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcessEx
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
SSDT FFAAECA0 ZwCreateThread
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateWaitablePort
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwDeleteValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
SSDT FFAAE960 ZwFreeVirtualMemory
SSDT FFAACE10 ZwImpersonateAnonymousToken
SSDT FFAACEF0 ZwImpersonateThread
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys ZwMapViewOfSection
SSDT FFAACC50 ZwOpenEvent
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT FFAAEBE0 ZwOpenProcessToken
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
SSDT FFAADDF0 ZwOpenThreadToken
SSDT FFAACB60 ZwQueryValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
SSDT FF8CFF38 ZwResumeThread
SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
SSDT FFAADD10 ZwSetContextThread
SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
SSDT FFAADED0 ZwSetInformationProcess
SSDT FFAADC30 ZwSetInformationThread
SSDT \SystemRoot\System32\vsdatant.sys ZwSetSystemInformation
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwSetValueKey
SSDT FFAACA80 ZwSuspendProcess
SSDT FFAADA28 ZwSuspendThread
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess
SSDT FFAADB50 ZwTerminateThread
SSDT FFAADF90 ZwUnmapViewOfSection
SSDT FFAAEA40 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.13 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 23EC 8050140C 12 Bytes [ 40, 6F, 37, F6, 50, D7, 37, ... ]
? srescan.sys The system cannot find the file specified.
.text ntkrnlpa.exe!ZwYieldExecution + 28C4 8050140C 12 Bytes [ 40, 6F, 37, F6, 50, D7, 37, ... ]

---- Kernel IAT/EAT - GMER 1.0.13 ----

IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F637B6C0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F637BBE0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F637BD40] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F637B830] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F637B830] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F637B6C0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F637BBE0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F637BD40] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F637B6C0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F637BD40] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F637BBE0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F637B830] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F637BD40] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F637BBE0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F637B6C0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F637B830] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F637B6C0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F637BBE0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F637BD40] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F637B6C0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F637B830] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F637BD40] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F637BBE0] \SystemRoot\System32\vsdatant.sys

---- Devices - GMER 1.0.13 ----

Device \Ntfs IRP_MJ_CREATE [F9C2DC01] Ntfs.sys
Device \Ntfs IRP_MJ_CLOSE [F9C2D0EA] Ntfs.sys
Device \Ntfs IRP_MJ_READ [F9C0AF3B] Ntfs.sys
Device \Ntfs IRP_MJ_WRITE [F9C09B57] Ntfs.sys
Device \Ntfs IRP_MJ_QUERY_INFORMATION [F9C2E2B9] Ntfs.sys
Device \Ntfs IRP_MJ_SET_INFORMATION [F9C0B618] Ntfs.sys
Device \Ntfs IRP_MJ_QUERY_EA [F9C2E2B9] Ntfs.sys
Device \Ntfs IRP_MJ_SET_EA [F9C2E2B9] Ntfs.sys
Device \Ntfs IRP_MJ_FLUSH_BUFFERS [F9C47EC8] Ntfs.sys
Device \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F9C2E404] Ntfs.sys
Device \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F9C2E404] Ntfs.sys
Device \Ntfs IRP_MJ_DIRECTORY_CONTROL [F9C2FFBD] Ntfs.sys
Device \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F9C32758] Ntfs.sys
Device \Ntfs IRP_MJ_DEVICE_CONTROL [F9C2E404] Ntfs.sys
Device \Ntfs IRP_MJ_SHUTDOWN [F9C1C5AF] Ntfs.sys
Device \Ntfs IRP_MJ_LOCK_CONTROL [F9C81AA3] Ntfs.sys
Device \Ntfs IRP_MJ_CLEANUP [F9C2DAB8] Ntfs.sys
Device \Ntfs IRP_MJ_QUERY_SECURITY [F9C2E404] Ntfs.sys
Device \Ntfs IRP_MJ_SET_SECURITY [F9C2E404] Ntfs.sys
Device \Ntfs IRP_MJ_QUERY_QUOTA [F9C2E2B9] Ntfs.sys
Device \Ntfs IRP_MJ_SET_QUOTA [F9C2E2B9] Ntfs.sys
Device \Ntfs IRP_MJ_PNP [F9C4A7F0] Ntfs.sys
Device \Ntfs FastIoCheckIfPossible [F9C41EDA] Ntfs.sys
Device \Ntfs FastIoRead [F9C28B57] Ntfs.sys
Device \Ntfs FastIoWrite [F9C47448] Ntfs.sys
Device \Ntfs FastIoQueryBasicInfo [F9C2E48E] Ntfs.sys
Device \Ntfs FastIoQueryStandardInfo [F9C2CF7E] Ntfs.sys
Device \Ntfs FastIoLock [F9C480F2] Ntfs.sys
Device \Ntfs FastIoUnlockSingle [F9C481F8] Ntfs.sys
Device \Ntfs FastIoUnlockAll [F9C816AE] Ntfs.sys
Device \Ntfs FastIoUnlockAllByKey [F9C817F3] Ntfs.sys
Device \Ntfs AcquireFileForNtCreateSection [F9C2883A] Ntfs.sys
Device \Ntfs ReleaseFileForNtCreateSection [F9C28881] Ntfs.sys
Device \Ntfs FastIoQueryNetworkOpenInfo [F9C6FE1D] Ntfs.sys
Device \Ntfs AcquireForModWrite [F9C34A10] Ntfs.sys
Device \Ntfs MdlRead [F9C6FF31] Ntfs.sys
Device \Ntfs PrepareMdlWrite [F9C702AB] Ntfs.sys
Device \Ntfs FastIoQueryOpen [F9C2CDB8] Ntfs.sys
Device \Ntfs AcquireForCcFlush [F9C286E2] Ntfs.sys
Device \Ntfs ReleaseForCcFlush [F9C28708] Ntfs.sys

AttachedDevice \Ntfs IRP_MJ_CREATE [F9CCE1DE] fltMgr.sys
AttachedDevice \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F9CCE1DE] fltMgr.sys
AttachedDevice \Ntfs IRP_MJ_CLOSE [F9CC1F4C] fltMgr.sys
AttachedDevice \Ntfs IRP_MJ_READ [F9CC1F4C] fltMgr.sys
AttachedDevice \Ntfs IRP_MJ_WRITE [F9CC1F4C] fltMgr.sys
AttachedDevice \Ntfs IRP_MJ_QUERY_INFORMATION [F9CC1F4C] fltMgr.sys
AttachedDevice \Ntfs IRP_MJ_SET_INFORMATION [F9CC1F4C] fltMgr.sys
AttachedDevice \Ntfs IRP_MJ_QUERY_EA [F9CC1F4C] fltMgr.sys
AttachedDevice \Ntfs IRP_MJ_SET_EA [F9CC1F4C] fltMgr.sys
AttachedDevice \Ntfs IRP_MJ_FLUSH_BUFFERS [F9CC1F4C] fltMgr.sys
AttachedDevice \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F9CC1F4C] fltMgr.sys
AttachedDevice \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F9CC1F4C] fltMgr.sys
AttachedDevice \Ntfs IRP_MJ_DIRECTORY_CONTROL [F9CC1F4C] fltMgr.sys
AttachedDevice \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F9CCE454] fltMgr.sys
AttachedDevice \Ntfs IRP_MJ_DEVICE_CONTROL [F9CC1F4C] fltMgr.sys
AttachedDevice \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F9CC1F4C] fltMgr.sys
AttachedDevice \Ntfs IRP_MJ_SHUTDOWN [F9CC1F4C] fltMgr.sys
AttachedDevice \Ntfs IRP_MJ_LOCK_CONTROL [F9CC1F4C] fltMgr.sys
AttachedDevice \Ntfs IRP_MJ_CLEANUP [F9CC1F4C] fltMgr.sys
AttachedDevice \Ntfs IRP_MJ_CREATE_MAILSLOT [F9CCE1DE] fltMgr.sys
AttachedDevice \Ntfs IRP_MJ_QUERY_SECURITY [F9CC1F4C] fltMgr.sys
AttachedDevice \Ntfs IRP_MJ_SET_SECURITY [F9CC1F4C] fltMgr.sys
AttachedDevice \Ntfs IRP_MJ_POWER [F9CC1F4C] fltMgr.sys
AttachedDevice \Ntfs IRP_MJ_SYSTEM_CONTROL [F9CC1F4C] fltMgr.sys
AttachedDevice \Ntfs IRP_MJ_DEVICE_CHANGE [F9CC1F4C] fltMgr.sys
AttachedDevice \Ntfs IRP_MJ_QUERY_QUOTA [F9CC1F4C] fltMgr.sys
AttachedDevice \Ntfs IRP_MJ_SET_QUOTA [F9CC1F4C] fltMgr.sys
AttachedDevice \Ntfs IRP_MJ_CREATE [F65DA810] SYMEVENT.SYS
AttachedDevice \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F65DA810] SYMEVENT.SYS
AttachedDevice \Ntfs IRP_MJ_CLOSE [F65DA810] SYMEVENT.SYS
AttachedDevice \Ntfs IRP_MJ_READ [F65DA8A0] SYMEVENT.SYS
AttachedDevice \Ntfs IRP_MJ_WRITE [F65DA900] SYMEVENT.SYS
AttachedDevice \Ntfs IRP_MJ_QUERY_INFORMATION [F65DA810] SYMEVENT.SYS
AttachedDevice \Ntfs IRP_MJ_SET_INFORMATION [F65DA810] SYMEVENT.SYS
AttachedDevice \Ntfs IRP_MJ_QUERY_EA [F65DA810] SYMEVENT.SYS
AttachedDevice \Ntfs IRP_MJ_SET_EA [F65DA810] SYMEVENT.SYS
AttachedDevice \Ntfs IRP_MJ_FLUSH_BUFFERS [F65DA810] SYMEVENT.SYS
AttachedDevice \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F65DA810] SYMEVENT.SYS
AttachedDevice \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F65DA810] SYMEVENT.SYS
AttachedDevice \Ntfs IRP_MJ_DIRECTORY_CONTROL [F65DA810] SYMEVENT.SYS
AttachedDevice \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F65DA810] SYMEVENT.SYS
AttachedDevice \Ntfs IRP_MJ_DEVICE_CONTROL [F65DA810] SYMEVENT.SYS
AttachedDevice \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F65DA810] SYMEVENT.SYS
AttachedDevice \Ntfs IRP_MJ_SHUTDOWN [F65DA810] SYMEVENT.SYS
AttachedDevice \Ntfs IRP_MJ_LOCK_CONTROL [F65DA810] SYMEVENT.SYS
AttachedDevice \Ntfs IRP_MJ_CLEANUP [F65DA810] SYMEVENT.SYS
AttachedDevice \Ntfs IRP_MJ_CREATE_MAILSLOT [F65DA810] SYMEVENT.SYS
AttachedDevice \Ntfs IRP_MJ_QUERY_SECURITY [F65DA810] SYMEVENT.SYS
AttachedDevice \Ntfs IRP_MJ_SET_SECURITY [F65DA810] SYMEVENT.SYS
AttachedDevice \Ntfs IRP_MJ_POWER [F65DA810] SYMEVENT.SYS
AttachedDevice \Ntfs IRP_MJ_SYSTEM_CONTROL
mdr
Regular Member
 
Posts: 23
Joined: September 13th, 2007, 11:19 am
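An added example, not part of the thread: a Python triage pass over the GMER log format posted above, written the way a helper reads such a log by hand. SSDT hooks that name an owning driver (vsdatant.sys is the ZoneAlarm firewall driver, SYMEVENT.SYS is Symantec's) are grouped per module so the analyst can confirm each module is a known product; SSDT entries that resolve only to a raw address, kernel .text modifications, and drivers GMER could not read from disk are pulled out as leads. The two .text lines in the log name the same address 8050140C relative to two different exports, so the parser collapses them into one modification. The sample log is a constructed excerpt of a few lines from each section; the line grammar is assumed from the posted output.

```python
import re
from collections import defaultdict

# Constructed excerpt in GMER 1.0.13 log format: a handful of lines copied from
# each section of the log posted in the thread, not the full output.
SAMPLE_GMER = r"""
GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-09-30 20:14:23
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.13 ----

SSDT FFAACFD0 ZwAlertResumeThread
SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwDeleteValueKey
SSDT FFAAEA40 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.13 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 23EC 8050140C 12 Bytes [ 40, 6F, 37, F6, 50, D7, 37, ... ]
? srescan.sys The system cannot find the file specified.
.text ntkrnlpa.exe!ZwYieldExecution + 28C4 8050140C 12 Bytes [ 40, 6F, 37, F6, 50, D7, 37, ... ]

---- Kernel IAT/EAT - GMER 1.0.13 ----

IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F637BBE0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F637BBE0] \SystemRoot\System32\vsdatant.sys
"""

# Line grammars assumed from the posted log.
SSDT_RE = re.compile(r"^SSDT\s+(?P<target>.+?)\s+(?P<func>Zw\w+)\s*$")
ADDR_RE = re.compile(r"^[0-9A-Fa-f]{8}$")                 # bare address, no module
TEXT_RE = re.compile(r"^\.text\s+(?P<sym>\S+)\s*\+\s*(?P<off>[0-9A-Fa-f]+)\s+"
                     r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<n>\d+)\s+Bytes")
MISSING_RE = re.compile(r"^\?\s+(?P<driver>\S+)\s+(?P<msg>.+)$")
IAT_RE = re.compile(r"^IAT\s+(?P<victim>\S+)\[(?P<imp>[^\]]+)\]\s+"
                    r"\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<hooker>\S.*?)\s*$")


def module_name(path: str) -> str:
    """Last path component of a GMER module path (handles the \??\ prefix too)."""
    return path.split("\\")[-1]


def analyze_gmer(text: str) -> dict:
    ssdt_by_module = defaultdict(list)   # owning driver -> hooked services
    unattributed = []                    # (address, service) with no module named
    patches = {}                         # address -> one entry per patched location
    missing = []                         # drivers GMER could not read from disk
    iat_by_hooker = defaultdict(set)     # hooking driver -> {(victim, import)}
    for raw in text.splitlines():
        line = raw.strip()
        if m := SSDT_RE.match(line):
            if ADDR_RE.match(m["target"]):
                unattributed.append((m["target"].upper(), m["func"]))
            else:
                ssdt_by_module[module_name(m["target"])].append(m["func"])
        elif m := TEXT_RE.match(line):
            # GMER reports a patched address relative to the nearest exports it
            # knows, so the same bytes can appear under two symbols: merge them.
            entry = patches.setdefault(m["addr"].upper(), {
                "address": m["addr"].upper(), "nbytes": int(m["n"]), "symbols": []})
            entry["symbols"].append(f'{m["sym"]} + {m["off"]}')
        elif m := MISSING_RE.match(line):
            missing.append(m["driver"])
        elif m := IAT_RE.match(line):
            iat_by_hooker[module_name(m["hooker"])].add(
                (module_name(m["victim"]), m["imp"]))
    return {
        "ssdt_by_module": dict(ssdt_by_module),
        "unattributed_ssdt": unattributed,
        "code_patches": list(patches.values()),
        "missing_drivers": missing,
        "iat_by_hooker": {k: sorted(v) for k, v in iat_by_hooker.items()},
    }


def leads(report: dict) -> list:
    """Items an analyst looks at first; named-module hooks are left for vetting."""
    out = []
    for addr, func in report["unattributed_ssdt"]:
        out.append(f"SSDT {func} -> {addr}: no owning module named, identify what is at this address")
    for p in report["code_patches"]:
        out.append(f"kernel .text modified at {p['address']} ({p['nbytes']} bytes; "
                   f"reported as {', '.join(p['symbols'])})")
    for drv in report["missing_drivers"]:
        out.append(f"{drv}: loaded driver GMER could not read from disk")
    return out


if __name__ == "__main__":
    rep = analyze_gmer(SAMPLE_GMER)
    for mod, funcs in rep["ssdt_by_module"].items():
        print(f"SSDT hooks owned by {mod}: {', '.join(funcs)}")
    for mod, pairs in rep["iat_by_hooker"].items():
        print(f"IAT hooks by {mod}: {len(pairs)} import(s) redirected")
    for item in leads(rep):
        print("LEAD:", item)
```

A lead is a place to look, not a verdict: security products also hook the SSDT from addresses GMER cannot map to a file, and a 12-byte kernel patch is exactly what a driver that hooks by inline patching leaves behind. The useful output of this pass is the short list of things that still need an owner, which is what the helper asks for in the next step.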

Post by mdr » September 30th, 2007, 4:40 pm

Sorry, not the whole file was posted, apparently.
One more try....

mdr
Regular Member
 
Posts: 23
Joined: September 13th, 2007, 11:19 am

Unread postby mdr » September 30th, 2007, 4:46 pm

Now, that didn't help much, did it? :?
How to get this big one on the forum?
Cutting in parts is a hassle.
Note: I did not check "show all"....
mdr
Regular Member
 
Posts: 23
Joined: September 13th, 2007, 11:19 am

Unread postby Mr_JAk3 » October 1st, 2007, 1:19 pm

Hello :)

Ok, you could upload the whole log file to e.g. Rapidshare. Then just post the link to your log to me.

You could upload the RootkitRevealer log too.
Mr_JAk3
MRU Teacher Emeritus
 
Posts: 3023
Joined: April 16th, 2006, 1:52 pm
Location: Finland

Unread postby mdr » October 1st, 2007, 2:49 pm

OK, here is the download link:
http://rapidshare.com/files/59575134/gm ... 0.txt.html
Unfortunately Microsoft's RootkitRevealer hangs when it should produce its log, so I cannot send you that one.
I already think I know why the laptop is so slow: it has only 256 KB RAM.
I'll recommend that the owner add 1 GB, to speed things up a bit.
mdr
Regular Member
 
Posts: 23
Joined: September 13th, 2007, 11:19 am

Unread postby Mr_JAk3 » October 2nd, 2007, 1:04 pm

Hello :)

Yes, 256 MB really isn't enough. That is the reason for the slowness.

GMER didn't reveal anything bad. Not everything these scans list is bad. GMER revealed some messenger entries too, but those are clean. Also, you get more legitimate entries in the log when you use the computer while it scans.

So any issues at the moment?
Mr_JAk3
MRU Teacher Emeritus
 
Posts: 3023
Joined: April 16th, 2006, 1:52 pm
Location: Finland
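The point Mr_JAk3 makes above, that GMER's Device/AttachedDevice lines are mostly legitimate file system, filter manager and antivirus drivers, is easiest to see once the log is grouped by the module that owns each handler. The following is an added example, not code from the thread or from GMER: a small Python triage script that parses GMER-style hook lines, groups them by owning module, shows which modules sit on the same IRP (the layered filter stack), and lists any module outside an expected set. The sample log is constructed from lines in this thread plus one made-up driver name (example_unknown.sys) and one truncated line; the EXPECTED_MODULES set is an assumption for this machine, not a general allowlist.

```python
import re
from collections import defaultdict

# One GMER hook line: kind, device, entry point, handler address, owning module.
GMER_LINE = re.compile(
    r"^(?P<kind>Device|AttachedDevice)\s+(?P<device>\S+)\s+(?P<entry>\S+)\s+"
    r"\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<module>\S+)\s*$"
)

# Modules a reviewer expects attached to \Ntfs on this particular machine:
# the file system, Microsoft's filter manager and the installed Symantec
# product. ASSUMPTION for this example; derive it from the host's actual
# signed drivers in practice.
EXPECTED_MODULES = {"ntfs.sys", "fltmgr.sys", "symevent.sys"}

# Constructed sample: real lines from the thread plus one made-up driver
# (example_unknown.sys) and one truncated line, as seen at the end of the post.
SAMPLE_LOG = r"""
Device \Ntfs AcquireForCcFlush [F9C286E2] Ntfs.sys
Device \Ntfs ReleaseForCcFlush [F9C28708] Ntfs.sys
AttachedDevice \Ntfs IRP_MJ_CREATE [F9CCE1DE] fltMgr.sys
AttachedDevice \Ntfs IRP_MJ_CLOSE [F9CC1F4C] fltMgr.sys
AttachedDevice \Ntfs IRP_MJ_READ [F9CC1F4C] fltMgr.sys
AttachedDevice \Ntfs IRP_MJ_CREATE [F65DA810] SYMEVENT.SYS
AttachedDevice \Ntfs IRP_MJ_READ [F65DA8A0] SYMEVENT.SYS
AttachedDevice \Ntfs IRP_MJ_WRITE [F7A10000] example_unknown.sys
AttachedDevice \Ntfs IRP_MJ_SYSTEM_CONTROL
"""


def parse_gmer_lines(text):
    """Return a list of dicts for every well-formed hook line.

    Lines that do not match (blank, truncated, or not a hook line) are skipped
    rather than raising, because pasted logs are often cut off mid-line.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = GMER_LINE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["addr"] = int(d["addr"], 16)
        entries.append(d)
    return entries


def summarize_by_module(entries):
    """Group hooks by owning module (case-insensitive) with distinct addresses."""
    summary = defaultdict(lambda: {"hooks": 0, "addresses": set()})
    for e in entries:
        s = summary[e["module"].lower()]
        s["hooks"] += 1
        s["addresses"].add(e["addr"])
    return {
        mod: {"hooks": s["hooks"], "addresses": sorted(s["addresses"])}
        for mod, s in summary.items()
    }


def modules_for_entry(entries, entry):
    """Modules handling one entry point, in log order, without duplicates.

    Several filter drivers legitimately stack on the same IRP major function.
    """
    seen, order = set(), []
    for e in entries:
        if e["entry"] == entry and e["module"] not in seen:
            seen.add(e["module"])
            order.append(e["module"])
    return order


def unexpected_modules(entries, expected=EXPECTED_MODULES):
    """Modules present in the log but absent from the expected set."""
    return sorted({e["module"].lower() for e in entries} - expected)


if __name__ == "__main__":
    ents = parse_gmer_lines(SAMPLE_LOG)
    for mod, s in summarize_by_module(ents).items():
        print(f"{mod}: {s['hooks']} hooks, handlers at "
              + ", ".join(f"{a:08X}" for a in s["addresses"]))
    print("IRP_MJ_CREATE stack:", modules_for_entry(ents, "IRP_MJ_CREATE"))
    print("Modules to review:", unexpected_modules(ents))
```

A large number of hooks is not itself suspicious: the three expected modules account for dozens of lines in the real log above, each pointing at only a handful of handler addresses. What merits a closer look is a module name that is not accounted for, which this script surfaces as the review list; the next step is then to locate that file on disk and check its signature and publisher.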

Unread postby mdr » October 3rd, 2007, 3:11 am

Great that it looks like the laptop is clean!
On behalf of the owner I want to thank you VERY much for all the help in getting this machine clean!
Keep up the good work!
Maarten
mdr
Regular Member
 
Posts: 23
Joined: September 13th, 2007, 11:19 am

Unread postby Mr_JAk3 » October 3rd, 2007, 1:41 pm

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link:
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Mr_JAk3
MRU Teacher Emeritus
 
Posts: 3023
Joined: April 16th, 2006, 1:52 pm
Location: Finland