
Thread: win32.tdss and hijacking problems

  1. #11
    Security Expert Dakeyras's Avatar
    Join Date
    Sep 2008
    Location
    The Tundra
    Posts
    1,081

    Default

    Hi.

    Scan with GMER:

    Please download GMER Rootkit Scanner from here.
    • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO



    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • Sections
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish
    • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
    • Save it where you can easily find it, such as your desktop, and post it in reply
    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

    Note: Do not run any programs while Gmer is running.
    Member of UNITE

  2. #12
    Junior Member
    Join Date
    Jan 2010
    Posts
    10

    Default gmer log

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-01-27 19:12:35
    Windows 5.1.2600 Service Pack 3
    Running: xxv5bud9.exe; Driver: C:\DOCUME~1\Shawn\LOCALS~1\Temp\awlyrpob.sys


    ---- System - GMER 1.0.15 ----

    INT 0x62 ? 87166BF8
    INT 0x63 ? 87166BF8
    INT 0x73 ? 86F89BF8
    INT 0x83 ? 86F89BF8
    INT 0x84 ? 86F89BF8
    INT 0x84 ? 86F89BF8
    INT 0x84 ? 86F89BF8
    INT 0x94 ? 86F89BF8
    INT 0x94 ? 86F89BF8
    INT 0x94 ? 86F89BF8
    INT 0xA4 ? 86F89BF8
    INT 0xB4 ? 87166BF8

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xAE4A8322]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xAE4A814C]
    Code 8647FD08 ZwEnumerateKey
    Code 8647FCC0 ZwFlushInstructionCache
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xAE4A8280]
    Code 8647FD4E IofCallDriver
    Code 8647FDDE IofCompleteRequest
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)
    Device \FileSystem\Ntfs \Ntfs 871651F8

    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

    Device \Driver\usbohci \Device\USBPDO-0 86F9C500
    Device \Driver\usbohci \Device\USBPDO-1 86F9C500
    Device \Driver\dmio \Device\DmControl\DmIoDaemon 871D81F8
    Device \Driver\dmio \Device\DmControl\DmConfig 871D81F8
    Device \Driver\dmio \Device\DmControl\DmPnP 871D81F8
    Device \Driver\dmio \Device\DmControl\DmInfo 871D81F8
    Device \Driver\usbohci \Device\USBPDO-2 86F9C500
    Device \Driver\usbehci \Device\USBPDO-3 86F3B1F8
    Device \Driver\usbuhci \Device\USBPDO-4 86F011F8
    Device \Driver\PCI_PNP9428 \Device\00000055 spxe.sys

    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

    Device \Driver\usbuhci \Device\USBPDO-5 86F011F8
    Device \Driver\usbehci \Device\USBPDO-6 86F3B1F8
    Device \Driver\Ftdisk \Device\HarddiskVolume1 871671F8
    Device \Driver\Ftdisk \Device\HarddiskVolume2 871671F8
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F7270B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort0 [F7270B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort1 [F7270B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort2 [F7270B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort3 [F7270B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort4 [F7270B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort5 [F7270B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdeDeviceP4T0L0-12 [F7270B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdeDeviceP5T0L0-1d [F7270B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\NetBT \Device\NetBT_Tcpip_{727F1C1B-6927-406D-B685-FFD3FD5BB051} 857B41F8
    Device \Driver\NetBT \Device\NetBt_Wins_Export 857B41F8
    Device \Driver\NetBT \Device\NetBT_Tcpip_{E8D4A574-9CC3-4E06-A710-D12ACC5D953F} 857B41F8
    Device \Driver\NetBT \Device\NetbiosSmb 857B41F8

    AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

    Device \Driver\sptd \Device\598604428 spxe.sys
    Device \Driver\usbohci \Device\USBFDO-0 86F9C500
    Device \Driver\usbohci \Device\USBFDO-1 86F9C500
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8577B500
    Device \Driver\usbohci \Device\USBFDO-2 86F9C500
    Device \FileSystem\MRxSmb \Device\LanmanRedirector 8577B500
    Device \Driver\usbehci \Device\USBFDO-3 86F3B1F8
    Device \Driver\usbuhci \Device\USBFDO-4 86F011F8
    Device \Driver\Ftdisk \Device\FtControl 871671F8
    Device \Driver\usbuhci \Device\USBFDO-5 86F011F8
    Device \Driver\usbehci \Device\USBFDO-6 86F3B1F8
    Device \Driver\almkunko \Device\Scsi\almkunko1 86E79500
    Device \Driver\almkunko \Device\Scsi\almkunko1Port6Path0Target0Lun0 86E79500
    Device \FileSystem\Cdfs \Cdfs 86DC21F8

    ---- Modules - GMER 1.0.15 ----

    Module \systemroot\system32\drivers\H8SRTkvscdriutj.sys (*** hidden *** ) AE7A7000-AE7C4000 (118784 bytes)
    ---- Processes - GMER 1.0.15 ----

    Library \\?\globalroot\systemroot\system32\H8SRTyirwafpbwe.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [996] 0x10000000
    Library \\?\globalroot\systemroot\system32\H8SRTyirwafpbwe.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1324] 0x00870000
    Library \\?\globalroot\systemroot\system32\H8SRTyirwafpbwe.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1472] 0x00870000
    Library \\?\globalroot\systemroot\system32\H8SRTyirwafpbwe.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1680] 0x00870000
    Library \\?\globalroot\systemroot\system32\H8SRTyirwafpbwe.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1816] 0x00870000
    Library \\?\globalroot\systemroot\system32\H8SRTyirwafpbwe.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1976] 0x00870000
    Library \\?\globalroot\systemroot\system32\H8SRTyirwafpbwe.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [2336] 0x00870000
    Library \\?\globalroot\systemroot\system32\H8SRTyirwafpbwe.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [3568] 0x00E00000

    ---- Services - GMER 1.0.15 ----

    Service C:\WINDOWS\system32\drivers\H8SRTkvscdriutj.sys (*** hidden *** ) [SYSTEM] H8SRTd.sys <-- ROOTKIT !!!

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys
    Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@start 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@type 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTkvscdriutj.sys
    Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@group file system
    Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules
    Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTkvscdriutj.sys
    Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTbavhonkdqv.dll
    Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTrdlxrqecqj.dat
    Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTtoewqnmujr.dll
    Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtmsg \\?\globalroot\systemroot\system32\H8SRTyirwafpbwe.dll
    Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRTfmpfmitrrp.dll
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x1A 0x43 0x5B 0x4B ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x8B 0x0E 0xB2 0xA7 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xE7 0x1C 0x2C 0xEB ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x1A 0x43 0x5B 0x4B ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x8B 0x0E 0xB2 0xA7 ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x83 0xD3 0x39 0x65 ...
    Reg HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys@start 1
    Reg HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys@type 1
    Reg HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTkvscdriutj.sys
    Reg HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys@group file system
    Reg HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys\modules (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTkvscdriutj.sys
    Reg HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTbavhonkdqv.dll
    Reg HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTrdlxrqecqj.dat
    Reg HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTtoewqnmujr.dll
    Reg HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys\modules@h8srtmsg \\?\globalroot\systemroot\system32\H8SRTyirwafpbwe.dll
    Reg HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRTfmpfmitrrp.dll
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x1A 0x43 0x5B 0x4B ...
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x8B 0x0E 0xB2 0xA7 ...
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xE7 0x1C 0x2C 0xEB ...

    ---- Files - GMER 1.0.15 ----

    File C:\ATI\Support\9-12_xp32_dd_ccc_wdm_enu\Driver\Packages\Apps\VC8RTx86\vcredist_x86\install.res.1042.dll (size mismatch) 78160/76640 bytes executable
    File C:\Documents and Settings\All Users\Application Data\h8srtkrl32mainweq.dll 1014 bytes
    File C:\Documents and Settings\All Users\Application Data\h8srtmainqt.dll 16723 bytes
    File C:\Documents and Settings\Shawn\Local Settings\temp\h8srtmainqt.dll 16088 bytes
    File C:\Program Files\Nero\Nero 7\Nero PhotoSnap\Adobe 0 bytes
    File C:\Program Files\Nero\Nero 7\Nero PhotoSnap\Core 0 bytes
    File C:\Program Files\Nero\Nero 7\Nero PhotoSnap\Nero BackItUp 0 bytes
    File C:\Program Files\Nero\Nero 7\Nero PhotoSnap\Nero CoverDesigner 0 bytes
    File C:\Program Files\Nero\Nero 7\Nero PhotoSnap\Nero Fast CD-DVD Burning Plug-in 0 bytes
    File C:\Program Files\Nero\Nero 7\Nero PhotoSnap\Nero Home 0 bytes
    File C:\Program Files\Nero\Nero 7\Nero PhotoSnap\Nero ImageDrive 0 bytes
    File C:\Program Files\Nero\Nero 7\Nero PhotoSnap\Nero MediaHome 0 bytes
    File C:\Program Files\Nero\Nero 7\Nero PhotoSnap\Nero Mobile 0 bytes
    File C:\Program Files\Nero\Nero 7\Nero PhotoSnap\Nero PhotoSnap 0 bytes
    File C:\Program Files\Nero\Nero 7\Nero PhotoSnap\Nero Recode 0 bytes
    File C:\Program Files\Nero\Nero 7\Nero PhotoSnap\Nero ScratchBox 0 bytes
    File C:\Program Files\Nero\Nero 7\Nero PhotoSnap\Nero ShowTime 0 bytes
    File C:\Program Files\Nero\Nero 7\Nero PhotoSnap\Nero SoundBox 0 bytes
    File C:\Program Files\Nero\Nero 7\Nero PhotoSnap\Nero SoundTrax 0 bytes
    File C:\Program Files\Nero\Nero 7\Nero PhotoSnap\Nero StartSmart 0 bytes
    File C:\Program Files\Nero\Nero 7\Nero PhotoSnap\Nero Toolkit 0 bytes
    File C:\Program Files\Nero\Nero 7\Nero PhotoSnap\Nero Vision 0 bytes
    File C:\Program Files\Nero\Nero 7\Nero PhotoSnap\Nero WaveEditor 0 bytes
    File C:\Program Files\Common Files\Ahead\Lib\NMTTranscoderPS.dll (size mismatch) 988720/54832 bytes executable
    File C:\Program Files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\DotNetInstaller.exe (size mismatch) 69715/5632 bytes executable
    File C:\Program Files\Red Kawa\Video Converter 3\changelog.txt (size mismatch) 2820758/1891 bytes executable
    File C:\WINDOWS\$hf_mig$\KB896423\update\branches.inf (size mismatch) 30720/705 bytes executable
    File C:\WINDOWS\$hf_mig$\KB920872\update\update.ver (size mismatch) 716000/568 bytes executable
    File C:\WINDOWS\$hf_mig$\KB975025\update\update.ver (size mismatch) 755576/390 bytes executable
    File C:\WINDOWS\system32\dllcache\ftp.exe (size mismatch) 6144/42496 bytes executable
    File C:\WINDOWS\system32\drivers\H8SRTkvscdriutj.sys 40448 bytes executable <-- ROOTKIT !!!
    File C:\WINDOWS\system32\H8SRTbavhonkdqv.dll 23040 bytes executable
    File C:\WINDOWS\system32\H8SRTfmpfmitrrp.dll 40960 bytes executable
    File C:\WINDOWS\system32\h8srtkrl32mainweq.dll 765 bytes
    File C:\WINDOWS\system32\mscat32.dll (size mismatch) 65024/7168 bytes executable
    File C:\WINDOWS\system32\stobject.dll (size mismatch) 136704/121856 bytes executable
    File C:\WINDOWS\system32\d3d8.dll (size mismatch) 10752/1179648 bytes executable
    File C:\WINDOWS\system32\wmiscmgr.dll (size mismatch) 18944/55808 bytes executable
    File C:\WINDOWS\system32\H8SRTrdlxrqecqj.dat 174 bytes
    File C:\WINDOWS\system32\h8srtshsyst.dll 2096 bytes
    File C:\WINDOWS\system32\H8SRTtoewqnmujr.dll 40960 bytes executable
    File C:\WINDOWS\system32\H8SRTyirwafpbwe.dll 16896 bytes executable
    File C:\WINDOWS\ie7updates\KB942615-IE7\icardie.dll (size mismatch) 131584/61952 bytes executable
    File C:\WINDOWS\ie7updates\KB963027-IE7\urlmon.dll (size mismatch) 105984/1160192 bytes executable
    File C:\WINDOWS\ServicePackFiles\i386\msinfo32.chm (size mismatch) 376832/44271 bytes executable
    File C:\WINDOWS\ServicePackFiles\i386\spra040c.dll (size mismatch) 186368/197632 bytes executable
    File C:\WINDOWS\ServicePackFiles\i386\xcopy.exe (size mismatch) 91648/30720 bytes executable
    File C:\WINDOWS\$NtServicePackUninstall$\sbp2port.sys (size mismatch) 159232/43136 bytes executable
    File C:\WINDOWS\$NtServicePackUninstall$\xmlprov.dll (size mismatch) 121856/129536 bytes executable
    File C:\WINDOWS\$NtServicePackUninstall$\xpob2res.dll.009 (size mismatch) 410624/384000 bytes executable
    File C:\WINDOWS\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\ks.inf (size mismatch) 208896/37271 bytes executable
    File C:\WINDOWS\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\quartz.dll (size mismatch) 733184/1962496 bytes executable
    File C:\WINDOWS\$NtUninstallKB944533$\dxtrans.dll (size mismatch) 357888/201728 bytes executable
    File C:\WINDOWS\Temp\H8SRT5c73.tmp 243 bytes
    File C:\WINDOWS\Temp\H8SRT5e76.tmp 247 bytes
    File C:\WINDOWS\Temp\H8SRT7007.tmp 251 bytes

    ---- EOF - GMER 1.0.15 ----
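
    As an added example (not part of this thread, and not GMER's own code), here is a small Python triage script for a saved Gmer.txt like the one above. It splits the log into its sections, pulls out the hidden module, the injected library and the processes it sits in, the service key that loads the driver, and keeps the "(size mismatch)" entries apart, since, as the helper warns, those are mostly false positives. The sample log embedded in the script is an excerpt of the log posted above; the regular expressions and the "family prefix" heuristic (common prefix of the hidden file names, used to find sibling files) are my own assumptions about GMER's line format, not anything GMER documents.

```python
"""Triage a saved GMER log (assumed line format; not GMER's own tooling):
surface hidden drivers, injected libraries and the service that loads them,
and keep the noisy '(size mismatch)' entries separate from real findings."""
import os
import re
from collections import defaultdict

# Excerpt of the log posted in this thread (constructed sample for the demo).
SAMPLE_LOG = r"""
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-27 19:12:35
Windows 5.1.2600 Service Pack 3

---- Modules - GMER 1.0.15 ----

Module \systemroot\system32\drivers\H8SRTkvscdriutj.sys (*** hidden *** ) AE7A7000-AE7C4000 (118784 bytes)
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\H8SRTyirwafpbwe.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [996] 0x10000000
Library \\?\globalroot\systemroot\system32\H8SRTyirwafpbwe.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1324] 0x00870000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\H8SRTkvscdriutj.sys (*** hidden *** ) [SYSTEM] H8SRTd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTkvscdriutj.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\dllcache\ftp.exe (size mismatch) 6144/42496 bytes executable
File C:\WINDOWS\system32\drivers\H8SRTkvscdriutj.sys 40448 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\H8SRTbavhonkdqv.dll 23040 bytes executable
File C:\WINDOWS\system32\h8srtkrl32mainweq.dll 765 bytes
File C:\WINDOWS\Temp\H8SRT5c73.tmp 243 bytes

---- EOF - GMER 1.0.15 ----
"""

# Assumed line shapes, derived from the log above rather than from GMER docs.
SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
HIDDEN_RE = re.compile(r"^\w+ (\S+) \(\*\*\* hidden \*\*\* \)")
INJECT_RE = re.compile(r"^Library \S+ \(\*\*\* hidden \*\*\* \) @ (.+?) \[(\d+)\]")
SERVICE_RE = re.compile(r"\\Services\\([^\\@ ]+)")
FILE_RE = re.compile(r"^File (.+?) (\(size mismatch\) )?\d+(?:/\d+)? bytes")
ROOTKIT_MARK = "<-- ROOTKIT"


def parse_sections(text):
    """Split a GMER log into {section name: [entry lines]}; blanks are dropped."""
    sections = defaultdict(list)
    current = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        sections[current].append(line)
    return dict(sections)


def basename(path):
    """Last component of a Windows path (GMER prints both \\ and \\?\ forms)."""
    return path.rsplit("\\", 1)[-1]


def triage(text):
    """Collect the indicators a reviewer looks for first, per category."""
    sections = parse_sections(text)
    hidden, injected, services = set(), [], set()
    rootkit_lines, mismatches, files = [], [], []
    for name, lines in sections.items():
        for line in lines:
            if ROOTKIT_MARK in line:          # GMER's own strongest flag
                rootkit_lines.append(line)
            m = HIDDEN_RE.match(line)         # module/library/service hidden from the OS
            if m:
                hidden.add(basename(m.group(1)))
            m = INJECT_RE.match(line)         # hidden DLL mapped into a live process
            if m:
                injected.append((m.group(1), int(m.group(2))))
            if name == "Registry":            # service keys GMER had to dig out
                m = SERVICE_RE.search(line)
                if m:
                    services.add(m.group(1))
            if name == "Files":
                m = FILE_RE.match(line)
                if m:
                    files.append(m.group(1))
                    if m.group(2):            # size mismatch: usually benign, verify separately
                        mismatches.append(m.group(1))
    # Heuristic: hidden components of one family tend to share a name prefix.
    prefix = os.path.commonprefix(sorted(hidden)) if len(hidden) > 1 else ""
    if len(prefix) < 4:
        prefix = ""
    related = [f for f in files
               if prefix and basename(f).lower().startswith(prefix.lower())]
    return {"rootkit_lines": rootkit_lines, "hidden_modules": sorted(hidden),
            "injected": injected, "services": sorted(services),
            "size_mismatches": mismatches, "family_prefix": prefix,
            "related_files": related}


def verdict(report):
    """ROOTKIT on hard evidence; REVIEW if only size mismatches; else CLEAN."""
    if report["rootkit_lines"] or report["hidden_modules"]:
        return "ROOTKIT"
    if report["size_mismatches"]:
        return "REVIEW"
    return "CLEAN"


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("Verdict:", verdict(report))
    for key, value in report.items():
        print(f"{key}: {value}")
```

    Run it against a real log with `triage(open("Gmer.txt", errors="replace").read())`. The point of the split is the verdict logic: hidden modules and GMER's own ROOTKIT marker decide the case on their own, while the long list of "(size mismatch)" files (patched system DLLs, installer leftovers) only earns a REVIEW and should be checked against a known-good copy before anything is deleted.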

  3. #13
    Security Expert Dakeyras's Avatar
    Join Date
    Sep 2008
    Location
    The Tundra
    Posts
    1,081

    Default

    Hi.

    Any particular reason it took nearly four days to reply? You are very lucky as in I was going to close this topic as inactive at some point today.

    However a moot point at present as in I have bad news I'm afraid.

    One or more of the identified infections is a severe Rootkit infection.

    OK since we are dealing with the aforementioned infection(s) I would be providing your good self with a disservice if I did not make you aware of the ramifications below:

    This allows hackers to remotely control your computer, steal critical system information and Download and Execute files.

    I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

    Although an attempt could be made to clean this machine, it could never be considered to be truly clean, secure, or trustworthy. We could not say definitively that unknown and unseen malware will have been removed, nor will your system be restored to its pre-infection state. We cannot remedy unknown changes the malware may likely have made in order to allow itself access, nor can we repair the damage it may possibly have caused to vital system files. Additionally, it is quite possible that changes made to the system by the malware may impact negatively on your computer during the removal process. In short, your system may never regain its former stability or its full functionality without a reformat. Therefore, your best and safest course of action is a reformat and reinstallation of the Windows operating system, and that is the course we strongly recommend.

    Please read these for more information:

    How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

    When Should I Format, How Should I Reinstall

    I can attempt to clean this machine but I can't guarantee that it will be at all secure afterwards.

    Should you have any questions, please feel free to ask.

    Please let myself know what you have decided to do in your next post.
    Member of UNITE

  4. #14
    Junior Member
    Join Date
    Jan 2010
    Posts
    10

    Default

    The reason for the long response was because my computer would lock up in the middle of the gmer scan. The log I posted was the first successful scan I had in about 20 tries. I just want to thank you for your help, I have backed up my files and I will reformat. Again, thanks.

  5. #15
    Security Expert Dakeyras's Avatar
    Join Date
    Sep 2008
    Location
    The Tundra
    Posts
    1,081

    Default

    Hi.

    The reason for the long response was because my computer would lock up in the middle of the gmer scan. The log I posted was the first successful scan I had in about 20 tries. I just want to thank you for your help, I have backed up my files and I will reformat. Again, thanks.
    OK fair play and you're welcome!

    Below is some advice about what to install/safety advice after the format and the reinstallation of the Windows operating system.

    Reformat and Reinstallation Advice:

    This is an excellent resource I recommend reading:-

    How to prevent Malware

    • Use an Anti Virus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
      Here are some free Anti Virus programs which I recommend to use:
    • Update your Anti Virus Software - It is imperative that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.
    • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly.
      Here are some free Firewalls which I recommend to use:
      (Use only one, and disable your Windows Firewall)

    Note: Only ever have installed/use one Anti-Virus application and Software Firewall. Otherwise a system conflict will occur and this also lessens overall online protection!

    • Keep your system updated- Microsoft releases patches for Windows and other products regularly:

    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
      • From within Internet Explorer click on the Tools menu and then click on Options.
      • Click once on the Security tab
      • Click once on the Internet icon so it becomes highlighted.
      • Click once on the Custom Level button.
        • Change the Download signed ActiveX controls to Prompt
        • Change the Download unsigned ActiveX controls to Disable
        • Change the Initialise and script ActiveX controls not marked as safe to Disable
        • Change the Installation of desktop items to Prompt
        • Change the Launching programs and files in an IFRAME to Prompt
        • Change the Navigate sub-frames across different domains to Prompt
        • When all these settings have been made, click on the OK button.
        • If it prompts you as to whether or not you want to save the settings, press the Yes button.
      • Next press the Apply button and then the OK to exit the Internet Properties page.

    • Malwarebytes' Anti-Malware - Download it from here
      The tutorial on how to use MBAM is located here
    • Install WinPatrol - Download it from here
      You can find information about how WinPatrol works here
    • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
      Download it from here
      The tutorial on how to use Spyware Blaster is located here
    • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
    Importance of Regular System Maintenance:

    I advise you to read both of the below listed topics as this will go a long way to keeping your Computer performing well after the format and the reinstallation of the Windows operating system.

    Help! My computer is slow!

    Also so is this:

    What to do if your Computer is running slowly

    Follow the above and the potential for your computer becoming infected again will reduce dramatically.

    Any questions, feel free to ask. If not, stay safe!
    Member of UNITE

  6. #16
    Security Expert Dakeyras's Avatar
    Join Date
    Sep 2008
    Location
    The Tundra
    Posts
    1,081

    Default

    Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

    Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

    If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.
    Member of UNITE
