Help with toseeka.com, icityfind.com, myclickcheck.su removal?



AJC01
2010-09-07, 23:23
I have been getting redirected to these sites, and when I googled the names of the sites it brought me here (http://forums.spybot.info/showthread.php?t=52127), aka your forums, and I found that I had the exact same problems. I used Gmer.exe like Shaba said and got a log file, which is listed below.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-09-07 15:59:16
Windows 6.1.7600
Running: gmer.exe; Driver: H:\Users\AJC\AppData\Local\Temp\kfldrpow.sys


---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82621AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82621104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 826213F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8260A2D8
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82609898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 826211DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82621958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 826216F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82621F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 826221A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82681599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 826A5F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
? System32\Drivers\spkv.sys The system cannot find the path specified. !
.text USBPORT.SYS!DllUnload 8FC2DCA0 5 Bytes JMP 861981D8

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [8B6A0042] \SystemRoot\System32\Drivers\spkv.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [8B6A06D6] \SystemRoot\System32\Drivers\spkv.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [8B6A0800] \SystemRoot\System32\Drivers\spkv.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8B6A013E] \SystemRoot\System32\Drivers\spkv.sys

---- User IAT/EAT - GMER 1.0.15 ----

IAT H:\Windows\Explorer.EXE[1344] @ H:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [742B2494] H:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT H:\Windows\Explorer.EXE[1344] @ H:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74295624] H:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT H:\Windows\Explorer.EXE[1344] @ H:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [742956E2] H:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT H:\Windows\Explorer.EXE[1344] @ H:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [742B250F] H:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT H:\Windows\Explorer.EXE[1344] @ H:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [742A8573] H:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT H:\Windows\Explorer.EXE[1344] @ H:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [742A4D27] H:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT H:\Windows\Explorer.EXE[1344] @ H:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [742A50CE] H:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT H:\Windows\Explorer.EXE[1344] @ H:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [742A51A3] H:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT H:\Windows\Explorer.EXE[1344] @ H:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [742A66D0] H:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT H:\Windows\Explorer.EXE[1344] @ H:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [742A82CA] H:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT H:\Windows\Explorer.EXE[1344] @ H:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [742A8819] H:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT H:\Windows\Explorer.EXE[1344] @ H:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [742A907A] H:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT H:\Windows\Explorer.EXE[1344] @ H:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [742AE21D] H:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT H:\Windows\Explorer.EXE[1344] @ H:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [742A4C59] H:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 84FA41F8
Device \FileSystem\udfs \UdfsCdRom 861EB500
Device \FileSystem\udfs \UdfsDisk 861EB500
Device \Driver\volmgr \Device\VolMgrControl 84FA01F8
Device \Driver\usbuhci \Device\USBPDO-0 862641F8
Device \Driver\usbuhci \Device\USBPDO-1 862641F8
Device \Driver\usbuhci \Device\USBPDO-2 862641F8
Device \Driver\usbehci \Device\USBPDO-3 862931F8
Device \Driver\usbuhci \Device\USBPDO-4 862641F8
Device \Driver\usbuhci \Device\USBPDO-5 862641F8
Device \Driver\usbuhci \Device\USBPDO-6 862641F8
Device \Driver\volmgr \Device\HarddiskVolume1 84FA01F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\usbehci \Device\USBPDO-7 862931F8
Device \Driver\volmgr \Device\HarddiskVolume2 84FA01F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\cdrom \Device\CdRom0 863DA500
Device \Driver\volmgr \Device\HarddiskVolume3 84FA01F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\cdrom \Device\CdRom1 863DA500
Device \Driver\atapi \Device\Ide\IdePort0 84FA21F8
Device \Driver\atapi \Device\Ide\IdePort1 84FA21F8
Device \Driver\atapi \Device\Ide\IdePort2 84FA21F8
Device \Driver\atapi \Device\Ide\IdePort3 84FA21F8
Device \Driver\atapi \Device\Ide\IdeDeviceP3T1L0-7 84FA21F8
Device \Driver\atapi \Device\Ide\IdePort4 84FA21F8
Device \Driver\atapi \Device\Ide\IdePort5 84FA21F8
Device \Driver\atapi \Device\Ide\IdeDeviceP4T0L0-8 84FA21F8
Device \Driver\atapi \Device\Ide\IdeDeviceP5T0L0-a 84FA21F8
Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-6 84FA21F8
Device \Driver\cdrom \Device\CdRom2 863DA500
Device \Driver\volmgr \Device\HarddiskVolume4 84FA01F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\00000067 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
Device \Driver\volmgr \Device\HarddiskVolume5 84FA01F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\USBSTOR \Device\00000096 861BA1F8
Device \Driver\USBSTOR \Device\00000097 861BA1F8
Device \Driver\usbuhci \Device\USBFDO-0 862641F8
Device \Driver\usbuhci \Device\USBFDO-1 862641F8
Device \Driver\usbuhci \Device\USBFDO-2 862641F8
Device \Driver\usbehci \Device\USBFDO-3 862931F8
Device \Driver\usbuhci \Device\USBFDO-4 862641F8
Device \Driver\usbuhci \Device\USBFDO-5 862641F8
Device \Driver\usbuhci \Device\USBFDO-6 862641F8
Device \Driver\usbehci \Device\USBFDO-7 862931F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@G:\Documents and Settings\Owner\My Documents\My Downloads\Torrents\Files\dBpoweramp Music Converter Reference\x2122 13.3 Registered - ArcaneKnight\dMC-ref-codec-pack.exe 1
Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@G:\Documents and Settings\Owner\My Documents\My Downloads\Torrents\Files\dBpoweramp Music Converter Reference\x2122 13.3 Registered - ArcaneKnight\dMC-R13.3-Ref-Registered.exe 1

---- EOF - GMER 1.0.15 ----
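
Added example (not part of the post and not GMER's own tooling): a small Python triage script for the kernel sections of a GMER log like the one above. It flags a module GMER reports as missing from disk, kernel-driver IAT entries redirected into such a module (here the atapi.sys imports pointing at spkv.sys), and inline JMP patches in kernel code, which are the items an analyst reads first; the sample lines are excerpted from the log in this post.

```python
import re

# Sample input: lines excerpted from the GMER log posted above (kernel sections only, trimmed).
SAMPLE_LOG = r"""
---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82681599 1 Byte [06]
? System32\Drivers\spkv.sys The system cannot find the path specified. !
.text USBPORT.SYS!DllUnload 8FC2DCA0 5 Bytes JMP 861981D8

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [8B6A0042] \SystemRoot\System32\Drivers\spkv.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [8B6A06D6] \SystemRoot\System32\Drivers\spkv.sys
"""
MISSING_RE = re.compile(r"^\? (\S+) The system cannot find the path specified\.")
IAT_RE = re.compile(r"^IAT (\S+)\[([^\]]+)\] \[[0-9A-Fa-f]+\] (\S+)")
JMP_RE = re.compile(r"^\.text (\S+) [0-9A-Fa-f]+ \d+ Bytes? JMP ([0-9A-Fa-f]+)")


def basename(path):
    """Lower-cased file name, so a SystemRoot path and a System32-relative path compare equal."""
    return path.rsplit("\\", 1)[-1].lower()


def triage_gmer(log_text):
    """Return (category, detail) findings from the kernel sections of a GMER log."""
    missing, iat, patches, section = set(), [], [], ""
    for line in log_text.splitlines():
        if line.startswith("---- "):
            section = line  # remember which GMER section we are in
            continue
        if m := MISSING_RE.match(line):
            missing.add(basename(m.group(1)))
        elif (m := IAT_RE.match(line)) and "Kernel IAT" in section:
            iat.append((basename(m.group(1)), m.group(2), basename(m.group(3))))
        elif (m := JMP_RE.match(line)) and "Kernel code" in section:
            patches.append((m.group(1), m.group(2)))
    findings = [("missing_module", name) for name in sorted(missing)]
    # A kernel driver whose imports are redirected into a module GMER cannot find on disk
    # is the pattern to escalate; hooks into modules that are present are not flagged here.
    findings += [("iat_hook_to_missing_module", f"{drv} {imp} -> {tgt}")
                 for drv, imp, tgt in iat if tgt in missing]
    findings += [("kernel_code_jmp", f"{sym} JMP {dest}") for sym, dest in patches]
    return findings


if __name__ == "__main__":
    for category, detail in triage_gmer(SAMPLE_LOG):
        print(f"{category:28} {detail}")
```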

tashi
2010-09-07, 23:37
Hello AJC01,

I used Gmer.exe like Shaba said and got a log file which is listed below.

So that everyone is on the same track, please see the forum FAQ, which also includes instructions on posting a preliminary DDS log: "BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Then start a new topic, copy paste the DDS log into it and a volunteer analyst will advise you when available. :)

Best regards.