***3 types of Virtumonde***

[Slavik]

Shaba the /a/f/q didnt work. So I did it without it and it worked

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-09-12 13:28:40
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwAdjustPrivilegesToken [0xAE303C8C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwConnectPort [0xAE3033C4]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreateFile [0xAE3038A0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreateKey [0xAE30443C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreatePort [0xAE303080]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreateSection [0xAE305084]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreateSymbolicLinkObject [0xAE303E72]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreateThread [0xAE302C50]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwDeleteKey [0xAE3040B8]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwDeleteValueKey [0xAE304268]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwDuplicateObject [0xAE302B02]
SSDT sptd.sys ZwEnumerateKey [0xF7437FB2]
SSDT sptd.sys ZwEnumerateValueKey [0xF7438340]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwLoadDriver [0xAE304D24]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwOpenFile [0xAE303AB0]
SSDT sptd.sys ZwOpenKey [0xF74320B0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwOpenProcess [0xAE302822]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwOpenSection [0xAE303744]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwOpenThread [0xAE3029AA]
SSDT sptd.sys ZwQueryKey [0xF7438418]
SSDT sptd.sys ZwQueryValueKey [0xF7438298]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwRenameKey [0xAE3047F2]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwRequestWaitReplyPort [0xAE303196]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwSecureConnectPort [0xAE304AE6]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwSetSystemInformation [0xAE304EC4]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwSetValueKey [0xAE304602]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwShutdownSystem [0xAE3035D2]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwSystemDebugControl [0xAE303638]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwTerminateProcess [0xAE302F4A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwTerminateThread [0xAE302E18]

---- Kernel code sections - GMER 1.0.14 ----

? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload F69CB62C 5 Bytes JMP 86953770
? System32\Drivers\awe6cqhy.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1964] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 42F0F301 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1964] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 430A1667 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1964] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 430A15E8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1964] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 430A162C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1964] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 430A1574 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1964] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 430A15AE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1964] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 430A16A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1964] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 42F316B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7432AD4] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F7432C1A] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F7432B9C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F7433748] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F743361E] sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F744829A] sptd.sys
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [F72A9710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [F72A9770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [F72A9990] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [F72A9950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F72A9950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F72A9770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F72A9710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F72A9990] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F72A9990] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F72A9950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F72A9770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F72A9710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F72A9950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F72A9710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F72A9770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F72A9990] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F72A9710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F72A9770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F72A9950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F72A9990] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F72A9950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F72A9770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F72A9710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F72A9950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F72A9990] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F72A9710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F72A9770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 86D601E8
Device \FileSystem\Fastfat \FatCdrom 85EC5790
Device \FileSystem\Udfs \UdfsCdRom 861DD3F0
Device \FileSystem\Udfs \UdfsDisk 861DD3F0

AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys (COMODO Firewall Pro Helper Driver/COMODO)

Device \Driver\usbuhci \Device\USBPDO-0 8696B418
Device \Driver\usbuhci \Device\USBPDO-1 8696B418
Device \Driver\usbehci \Device\USBPDO-2 86994790
Device \Driver\usbuhci \Device\USBPDO-3 8696B418
Device \Driver\usbuhci \Device\USBPDO-4 8696B418

AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Firewall Pro Helper Driver/COMODO)

Device \Driver\usbuhci \Device\USBPDO-5 8696B418
Device \Driver\PCI_NTPNP3570 \Device\00000049 sptd.sys
Device \Driver\usbuhci \Device\USBPDO-6 8696B418
Device \Driver\Ftdisk \Device\HarddiskVolume1 86DD21E8
Device \Driver\usbehci \Device\USBPDO-7 86994790
Device \Driver\Cdrom \Device\CdRom0 86950790
Device \Driver\Cdrom \Device\CdRom1 86950790
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 86D611E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 86CDE900
Device \Driver\atapi \Device\Ide\IdePort0 86D611E8
Device \Driver\atapi \Device\Ide\IdePort0 86CDE900
Device \Driver\atapi \Device\Ide\IdePort1 86D611E8
Device \Driver\atapi \Device\Ide\IdePort1 86CDE900
Device \Driver\atapi \Device\Ide\IdePort2 86D611E8
Device \Driver\atapi \Device\Ide\IdePort2 86CDE900
Device \Driver\atapi \Device\Ide\IdePort3 86D611E8
Device \Driver\atapi \Device\Ide\IdePort3 86CDE900
Device \Driver\atapi \Device\Ide\IdePort4 86D611E8
Device \Driver\atapi \Device\Ide\IdePort4 86CDE900
Device \Driver\atapi \Device\Ide\IdePort5 86D611E8
Device \Driver\atapi \Device\Ide\IdePort5 86CDE900
Device \Driver\atapi \Device\Ide\IdeDeviceP3T1L0-12 86D611E8
Device \Driver\atapi \Device\Ide\IdeDeviceP3T1L0-12 86CDE900
Device \Driver\NetBT \Device\NetBt_Wins_Export 861B4650
Device \Driver\NetBT \Device\NetBT_Tcpip_{7594DFD6-938A-43DB-9319-4820CFCA989D} 861B4650
Device \Driver\NetBT \Device\NetbiosSmb 861B4650

AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys (COMODO Firewall Pro Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys (COMODO Firewall Pro Helper Driver/COMODO)

Device \Driver\usbuhci \Device\USBFDO-0 8696B418
Device \Driver\usbuhci \Device\USBFDO-1 8696B418
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 861991E8
Device \Driver\usbehci \Device\USBFDO-2 86994790
Device \FileSystem\MRxSmb \Device\LanmanRedirector 861991E8
Device \Driver\usbuhci \Device\USBFDO-3 8696B418
Device \Driver\usbuhci \Device\USBFDO-4 8696B418
Device \Driver\Ftdisk \Device\FtControl 86DD21E8
Device \Driver\usbuhci \Device\USBFDO-5 8696B418
Device \Driver\usbuhci \Device\USBFDO-6 8696B418
Device \Driver\usbehci \Device\USBFDO-7 86994790
Device \Driver\awe6cqhy \Device\Scsi\awe6cqhy1 869F41E8
Device \Driver\awe6cqhy \Device\Scsi\awe6cqhy1 86A3F7D8
Device \Driver\awe6cqhy \Device\Scsi\awe6cqhy1Port6Path0Target0Lun0 869F41E8
Device \Driver\awe6cqhy \Device\Scsi\awe6cqhy1Port6Path0Target0Lun0 86A3F7D8
Device \FileSystem\Fastfat \Fat 85EC5790

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 8618A790

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x7D 0xBD 0x65 0x92 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x66 0x61 0x94 0x49 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xBC 0xE6 0xAC 0xF6 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x7D 0xBD 0x65 0x92 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x66 0x61 0x94 0x49 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xBC 0xE6 0xAC 0xF6 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@appinit_dlls

---- EOF - GMER 1.0.14 ----

[Shaba]

Great

Now please try again to install antivirus and let me know how it went.

[Slavik]

Giving me a the same problem.
Not enough user rights or error 5 same as time before.

[Shaba]

Then that indicates also other problems.

Maybe most sensible way would be repair installation of windows.

Do you have windows CD handy?

[Slavik]

Shaba

My wife and I are curently in the proces of moving and all of our stuff is in a storage unit right now. We are living with my parents till the house is done being built. I am running XP and my dad only has Vista.
There is no telling where my CD for Windows is at in storage.
Is there no other way?

[Shaba]

Well of course we can try it doesn't make much sense to me as there are no more rootkits which could prevent AV installation and creating another user account didn't help.

So then there is most likely something wrong with windows installation and CD is needed.

[Slavik]

Okay I will look for the cd.
I am leaving tomorrow for 7 days because of work. I will post back when I get back.

[Shaba]

Thank you for informing me

[Slavik]

Shaba
I am unable to find my Windows cd. I have the box but not the cd. What else can we do?

[Shaba]

Well if you have legit windows key, you can borrow CD from someone else.

Otherwise you might need to buy windows CD.