
can't install antivirus software, internet explorer malfunctions



otterdijk
2007-11-19, 09:12
hi,

yesterday, my NOD32 antivirus software got disabled by something (the executables were suddenly gone).
Now I can't install any antivirus package anymore. I tried a couple and I get error messages. When trying Kaspersky I get: "can't install to [...] make sure you have access to that directory."

I tried online scanning (housecall) but it didn't find anything.

The second thing that happens since yesterday is that Internet Explorer is very slow at startup. And when it has started, I can only use one screen. A second one just keeps on loading forever.

Before I start thinking about formatting, maybe you guys can help me out.

thanks!


here's my hijack this logfile:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 22:31:06, on 18-11-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\VIRUSfighter\Bin\ZLH.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\AudioSystem EWX 2496\EwxCpl.exe
C:\Documents and Settings\Roel van Otterdijk\Bureaublad\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Norman ZANDA] C:\VIRUSfighter\Bin\ZLH.EXE /LOAD /SPLASH
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EWX 2496 ControlPanel.lnk = ?
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Mobiele favorieten maken... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1189337628906
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1189337620578
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://acs.pandasoftware.com/activescanpro/as5/asproinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5165/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E1ECF7C2-BC08-48CA-BBD0-41740D1AE30D}: NameServer = 192.168.1.254
O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 6777 bytes

Shaba
2007-11-20, 11:48
Hi otterdijk

* Download GMER from
here (http://www.gmer.net/gmer.zip):
Unzip it and start GMER.exe
Click the rootkit-tab and click scan.

Once done, click the Copy button.
This will copy the results to clipboard.
Paste the results in your next reply.

otterdijk
2007-11-20, 14:45
Hi,

thanks for helping me

Below are the results of the jury (in three pages)... I think I have a rootkit problem in srosa.sys?


Roel



GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-11-20 13:38:31
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.13 ----

SSDT 89BC7008 ZwAlertResumeThread
SSDT 89AA5038 ZwAlertThread
SSDT 89A2D0E8 ZwAllocateVirtualMemory
SSDT 899F7470 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\drivers\srosa.sys ZwCreateFile
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwCreateKey
SSDT 89B5E740 ZwCreateMutant
SSDT 89AA4108 ZwCreateThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwDeleteKey
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwDeleteValueKey
SSDT \??\C:\WINDOWS\system32\drivers\srosa.sys ZwEnumerateKey
SSDT \??\C:\WINDOWS\system32\drivers\srosa.sys ZwEnumerateValueKey
SSDT 89976790 ZwFreeVirtualMemory
SSDT 89A928F0 ZwImpersonateAnonymousToken
SSDT 89A88C90 ZwImpersonateThread
SSDT 89A597A0 ZwMapViewOfSection
SSDT 89A88A20 ZwOpenEvent
SSDT sptd.sys ZwOpenKey
SSDT 89BC5718 ZwOpenProcessToken
SSDT 8996A318 ZwOpenThreadToken
SSDT \??\C:\WINDOWS\system32\drivers\srosa.sys ZwQueryDirectoryFile
SSDT \??\C:\WINDOWS\system32\drivers\srosa.sys ZwQueryKey
SSDT \??\C:\WINDOWS\system32\drivers\srosa.sys ZwQuerySystemInformation
SSDT sptd.sys ZwQueryValueKey
SSDT 89D5A1F0 ZwResumeThread
SSDT 89BBC128 ZwSetContextThread
SSDT 89906F38 ZwSetInformationProcess
SSDT 8991DE78 ZwSetInformationThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwSetValueKey
SSDT 89A86D78 ZwSuspendProcess
SSDT 89AA7E30 ZwSuspendThread
SSDT 89851200 ZwTerminateProcess
SSDT 89BBED38 ZwTerminateThread
SSDT 89BBC938 ZwUnmapViewOfSection
SSDT 89A46598 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.13 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2F92 80503D46 6 Bytes [ 85, 89, 38, ED, BB, 89 ]
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload B995962C 5 Bytes JMP 89B63590
? System32\Drivers\aqp7pal7.SYS The system cannot find the file specified.

---- User code sections - GMER 1.0.13 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[2316] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 42F0F2C1 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2316] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 430A030F C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2316] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 430A0290 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2316] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 430A02D4 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2316] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 430A021C C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2316] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 430A0256 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2316] USER32.dll!DialogBoxIndirectParamA

otterdijk
2007-11-20, 14:46
7E456B50 5 Bytes JMP 430A034A C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2316] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 42F31676 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3092] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 42F0F2C1 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3092] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 430A030F C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3092] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 430A0290 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3092] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 430A02D4 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3092] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 430A021C C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3092] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 430A0256 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3092] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 430A034A C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3092] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 42F31676 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3428] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 42F0F2C1 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3428] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 430A030F C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3428] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 430A0290 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3428] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 430A02D4 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3428] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 430A021C C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3428] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 430A0256 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3428] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 430A034A C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3428] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 42F31676 C:\WINDOWS\system32\IEFRAME.dll

---- Kernel IAT/EAT - GMER 1.0.13 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BA6BEAD4] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [BA6BEC1A] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [BA6BEB9C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [BA6BF748] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [BA6BF61E] sptd.sys

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 89E4B1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE 89E4B1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 89E4B1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE 89E4B1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION 89E4B1E8

otterdijk
2007-11-20, 14:47
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION 89E4B1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA 89E4B1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA 89E4B1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS 89E4B1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION 89E4B1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION 89E4B1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL 89E4B1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL 89E4B1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL 89E4B1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN 89E4B1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL 89E4B1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP 89E4B1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY 89E4B1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY 89E4B1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA 89E4B1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA 89E4B1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_PNP 89E4B1E8

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [BA5F91DE] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [BA5F91DE] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [BA5ECF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [BA5ECF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [BA5ECF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [BA5ECF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [BA5ECF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [BA5ECF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [BA5ECF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [BA5ECF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [BA5ECF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [BA5ECF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [BA5ECF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [BA5F9454] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [BA5ECF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [BA5ECF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [BA5ECF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [BA5ECF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [BA5ECF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [BA5F91DE] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [BA5ECF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [BA5ECF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [BA5ECF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [BA5ECF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [BA5ECF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [BA5ECF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [BA5ECF4C] fltMgr.sys

Device \Driver\usbehci \Device\USBFDO-9 IRP_MJ_CREATE 89B49790
Device \Driver\usbehci \Device\USBFDO-9 IRP_MJ_CLOSE 89B49790
Device \Driver\usbehci \Device\USBFDO-9 IRP_MJ_DEVICE_CONTROL 89B49790
Device \Driver\usbehci \Device\USBFDO-9 IRP_MJ_INTERNAL_DEVICE_CONTROL 89B49790
Device \Driver\usbehci \Device\USBFDO-9 IRP_MJ_POWER 89B49790
Device \Driver\usbehci \Device\USBFDO-9 IRP_MJ_SYSTEM_CONTROL 89B49790
Device \Driver\usbehci \Device\USBFDO-9 IRP_MJ_PNP

otterdijk
2007-11-20, 14:48
89B49790

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [B6ECD420] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE [B6ECD420] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [B6ECD420] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_READ [B6ECD420] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_WRITE [B6ECD420] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION [B6ECD420] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION [B6ECD420] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA [B6ECD420] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA [B6ECD420] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS [B6ECD420] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION [B6ECD420] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION [B6ECD420] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL [B6ECD420] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL [B6ECD420] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [B6ECD420] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [B6ECD420] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [B6ECD420] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL [B6ECD420] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [B6ECD420] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT [B6ECD420] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY [B6ECD420] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY [B6ECD420] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_POWER [B6ECD420] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL [B6ECD420] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE [B6ECD420] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA [B6ECD420] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA [B6ECD420] SYMTDI.SYS

Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_CREATE 89BE0790
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_CLOSE 89BE0790
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_DEVICE_CONTROL 89BE0790
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_INTERNAL_DEVICE_CONTROL 89BE0790
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_POWER 89BE0790
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_SYSTEM_CONTROL 89BE0790
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_PNP 89BE0790
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_CREATE 89BE0790
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_CLOSE 89BE0790
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_DEVICE_CONTROL 89BE0790
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_INTERNAL_DEVICE_CONTROL 89BE0790
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_POWER 89BE0790
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_SYSTEM_CONTROL 89BE0790
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_PNP 89BE0790
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_CREATE 89E4D1E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_CLOSE 89E4D1E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_READ 89E4D1E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_WRITE 89E4D1E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_FLUSH_BUFFERS 89E4D1E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_DEVICE_CONTROL 89E4D1E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_INTERNAL_DEVICE_CONTROL 89E4D1E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_SHUTDOWN 89E4D1E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_POWER 89E4D1E8

otterdijk
2007-11-20, 14:51
These are the last pages from the scan.

But it's not the complete scan result. That would be a bit too much (40 pages or so), so I skipped some in the middle.

Maybe you can already see what's the matter. Otherwise I'd like to mail you the whole scan result in a Word document.

thanks,

Roel



FCF6B885-4248-4736-AC4B-71E813F9DD44}\{F73974F9-76AA-4430-A129-6FCDA8CBAA29}.qbd
File C:\Documents and Settings\All Users\Application Data\Symantec\Shared\QBackup\{FCF6B885-4248-4736-AC4B-71E813F9DD44}\{F73974F9-76AA-4430-A129-6FCDA8CBAA29}.qbi
File C:\Documents and Settings\All Users\Application Data\Symantec\Shared\QBackup\{FCF6B885-4248-4736-AC4B-71E813F9DD44}.qbi
ADS C:\Documents and Settings\Roel van Otterdijk\Mijn Documenten\001_____MUSIC\002------------HOUSE\003------------12inches\Audio Werner - onandon ep_2006\Jeff_Amadeus-Well_Street_EP-(Squat005)-Vinyl-2004-TN_ACID\01-jeff_amadeus-untitled-tn_acid www.mp3s.pl.mp3:KAVICHS
ADS C:\Documents and Settings\Roel van Otterdijk\Mijn Documenten\001_____MUSIC\002------------HOUSE\003------------12inches\Audio Werner - onandon ep_2006\Jeff_Amadeus-Well_Street_EP-(Squat005)-Vinyl-2004-TN_ACID\02-jeff_amadeus-untitled-tn_acid www.mp3s.pl.mp3:KAVICHS
ADS C:\Documents and Settings\Roel van Otterdijk\Mijn Documenten\001_____MUSIC\002------------HOUSE\003------------12inches\Audio Werner - onandon ep_2006\Jeff_Amadeus-Well_Street_EP-(Squat005)-Vinyl-2004-TN_ACID\03-jeff_amadeus-untitled-tn_acid www.mp3s.pl.mp3:KAVICHS
File C:\Program Files\Movie Maker\Shared
File C:\Program Files\Movie Maker\Shared\Empty.txt
File C:\Program Files\Movie Maker\Shared\Filters.xml
File C:\Program Files\Movie Maker\Shared\news.png
File C:\Program Files\Movie Maker\Shared\paint.png
File C:\Program Files\Movie Maker\Shared\Profiles
File C:\Program Files\Movie Maker\Shared\Profiles\Blank.txt
File C:\Program Files\Movie Maker\Shared\Sample1.jpg
File C:\Program Files\Movie Maker\Shared\Sample2.jpg
File C:\WINDOWS\ime\shared
File C:\WINDOWS\ime\shared\res
File C:\WINDOWS\system32\drivers\hidr.exe
File C:\WINDOWS\system32\drivers\srosa.sys <-- ROOTKIT !!!

---- Services - GMER 1.0.13 ----

Service C:\WINDOWS\system32\drivers\srosa.sys [SYSTEM] srosa <-- ROOTKIT !!!

---- EOF - GMER 1.0.13 ----

Shaba
2007-11-20, 15:03
Hi

"Below are the results of the jury (in three pages)... I think I have a rootkit problem in srosa.sys?"

Yes, that is the Bagle rootkit, which deletes antiviruses etc.

Run gmer.exe
Click the tab called Processes and click the Safe... button. The computer will reboot and the Gmer screen will open.
Click Files... and browse to the following file:
C:\WINDOWS\system32\drivers\srosa.sys
Now click Delete
Also do that with this file:

C:\WINDOWS\system32\drivers\hidr.exe

Now click the Services tab. Click the entries in red one by one with your right mouse button and click Delete... Answer Yes to all the warning windows.
When you've removed all the Service entries in red, reboot your computer.

Re-run gmer

Post:

- gmer log
- a fresh HijackThis log
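Reading a GMER log like the one posted above comes down to two questions: which module does each SSDT hook resolve to, and what does hooking that particular service let the module hide? Security products (SYMEVENT.SYS here) and disc-emulation drivers (sptd.sys) hook the SSDT legitimately, so a bare list of hooks is not enough; what stands out in the thread is one unknown driver hooking the file-listing, registry-enumeration and process-listing services at once. The script below is an added example and is not part of this thread or of GMER. It parses a small log constructed from lines of the same shape as the ones posted, groups SSDT hooks by driver, treats SYMEVENT.SYS and sptd.sys as expected hookers (an assumption made for this example), and collects GMER's own `<-- ROOTKIT` flags and any NTFS alternate data streams.

```python
"""Triage helper for a GMER rootkit-scan log (added example, not GMER code)."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Drivers that are expected to hook the SSDT on this kind of machine.
# Assumption for the example: a Symantec product and the sptd disc-emulation
# driver.  Any other module that hooks a service is reported as suspicious.
KNOWN_HOOKERS = {"symevent.sys", "sptd.sys"}

# What a hook on each service typically lets a rootkit hide or block.
HIDING_SERVICES = {
    "ZwQueryDirectoryFile": "directory listings (hidden files)",
    "ZwEnumerateKey": "registry keys (hidden service / run entries)",
    "ZwEnumerateValueKey": "registry values",
    "ZwQuerySystemInformation": "process and module lists",
    "ZwCreateFile": "file opens (blocking access to its own files)",
    "ZwQueryKey": "registry key metadata",
}

# "SSDT <target> <ZwService>": target is a bare kernel address or a module.
SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(Zw\w+)\s*$")
# "ADS <file path>:<stream name>"; the path itself contains "C:" so the
# stream name is matched as the last colon-delimited, backslash-free token.
ADS_RE = re.compile(r"^ADS\s+(.+?):([^:\\]+)\s*$")
FLAGGED_RE = re.compile(r"<--\s*ROOTKIT", re.IGNORECASE)

# Constructed sample: same line shapes as the thread, shortened paths.
SAMPLE_LOG = r"""
SSDT 89BC7008 ZwAlertResumeThread
SSDT \??\C:\WINDOWS\system32\drivers\srosa.sys ZwCreateFile
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwCreateKey
SSDT \??\C:\WINDOWS\system32\drivers\srosa.sys ZwEnumerateKey
SSDT sptd.sys ZwOpenKey
SSDT \??\C:\WINDOWS\system32\drivers\srosa.sys ZwQueryDirectoryFile
SSDT \??\C:\WINDOWS\system32\drivers\srosa.sys ZwQuerySystemInformation
ADS C:\Documents and Settings\user\Mijn Documenten\track.mp3:KAVICHS
File C:\WINDOWS\system32\drivers\srosa.sys <-- ROOTKIT !!!
Service C:\WINDOWS\system32\drivers\srosa.sys [SYSTEM] srosa <-- ROOTKIT !!!
"""


def module_name(target: str) -> Optional[str]:
    """Lower-cased file name if the hook target is a module path or name,
    None if GMER printed a bare 8-hex-digit kernel address instead."""
    if re.fullmatch(r"[0-9A-Fa-f]{8}", target):
        return None
    return target.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> Dict[str, object]:
    """Group SSDT hooks by module and collect flagged lines and ADS entries."""
    hooks: Dict[str, List[str]] = defaultdict(list)
    flagged: List[str] = []
    ads: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if FLAGGED_RE.search(line):
            flagged.append(line)
        m = SSDT_RE.match(line)
        if m:
            mod = module_name(m.group(1))
            if mod:                      # address-only hooks carry no module
                hooks[mod].append(m.group(2))
            continue
        m = ADS_RE.match(line)
        if m:
            ads.append((m.group(1), m.group(2)))
    suspicious = {mod: svcs for mod, svcs in hooks.items()
                  if mod not in KNOWN_HOOKERS}
    return {"hooks": dict(hooks), "suspicious": suspicious,
            "flagged": flagged, "ads": ads}


def explain(suspicious: Dict[str, List[str]]) -> List[str]:
    """One human-readable line per suspicious module, naming what its hooks hide."""
    out = []
    for mod, svcs in sorted(suspicious.items()):
        effects = sorted({HIDING_SERVICES.get(s, s) for s in svcs})
        out.append(f"{mod}: hooks {len(svcs)} services -> can hide "
                   + "; ".join(effects))
    return out


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for line in explain(result["suspicious"]):
        print(line)
    for line in result["flagged"]:
        print("GMER flagged:", line)
    for path, stream in result["ads"]:
        print(f"ADS on {path}: stream '{stream}'")
```

On the sample the only module outside the allowlist is srosa.sys, reported with four hooks covering directory listings, registry keys, process lists and file opens, which is exactly the pattern that makes an installed antivirus unable to see or reinstall its own files. The ADS hit is worth reading carefully before acting on it: a stream named after a security product on a media file is usually the product's own scan marker, not malware, and the script only lists streams rather than judging them.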

Shaba
2007-11-27, 12:49
Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.