-
hey again! sorry for the stupid question, but what is a rootkit? what does it do?
here is the gmer log:
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-11-25 17:35:40
Windows 5.1.2600 Service Pack 3
---- System - GMER 1.0.14 ----
SSDT \SystemRoot\System32\Drivers\aswsp.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB6BEB604]
SSDT 8A359480 ZwConnectPort
SSDT \SystemRoot\System32\drivers\77fec496.sys ZwCreateEvent [0xB6BDBC3F] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\drivers\77fec496.sys ZwCreateKey [0xB6BD9E05] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswsp.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB6BEB99E]
SSDT \SystemRoot\System32\Drivers\aswsp.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB6BEB098]
SSDT spms.sys ZwEnumerateKey [0xBA6C6CA2] <-- ROOTKIT !!!
SSDT spms.sys ZwEnumerateValueKey [0xBA6C7030] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\drivers\77fec496.sys ZwOpenKey [0xB6BD9EB9] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswsp.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB6BEAFD8]
SSDT \SystemRoot\System32\Drivers\aswsp.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB6BEB03C]
SSDT spms.sys ZwQueryKey [0xBA6C7108] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswsp.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB6BEB6BA]
SSDT \SystemRoot\System32\Drivers\aswsp.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB6BEB67A]
SSDT \SystemRoot\System32\Drivers\aswsp.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB6BEB7FA]
INT 0x62 ? 8A5D0BF8
INT 0x74 ? 8A33CBF8
INT 0x82 ? 8A5D0BF8
INT 0x84 ? 8A33CBF8
INT 0x94 ? 8A33CBF8
---- Kernel code sections - GMER 1.0.14 ----
? spms.sys Systemet finner ikke angitt fil. !
.text USBPORT.SYS!DllUnload B98EA8AC 5 Bytes JMP 8A33C1D8
.text ag93zoy3.SYS B97A2384 1 Byte [ 20 ]
.text ag93zoy3.SYS B97A2386 35 Bytes [ 00, 68, 00, 00, 00, 00, 00, ... ]
.text ag93zoy3.SYS B97A23AA 24 Bytes [ 00, 00, 20, 00, 00, E0, 00, ... ]
.text ag93zoy3.SYS B97A23C4 3 Bytes [ 00, 00, 00 ]
.text ag93zoy3.SYS B97A23C9 1 Byte [ 00 ]
.text ...
? C:\WINDOWS\System32\drivers\77fec496.sys Systemet finner ikke angitt fil.
---- Kernel IAT/EAT - GMER 1.0.14 ----
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BA6A9040] spms.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [BA6A913C] spms.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [BA6A90BE] spms.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [BA6A97FC] spms.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [BA6A96D2] spms.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [BA6B9048] spms.sys
IAT \SystemRoot\System32\Drivers\ag93zoy3.SYS[HAL.dll!KfAcquireSpinLock] 000000AD
IAT \SystemRoot\System32\Drivers\ag93zoy3.SYS[HAL.dll!READ_PORT_UCHAR] 000000D4
IAT \SystemRoot\System32\Drivers\ag93zoy3.SYS[HAL.dll!KeGetCurrentIrql] 000000A2
IAT \SystemRoot\System32\Drivers\ag93zoy3.SYS[HAL.dll!KfRaiseIrql] 000000AF
IAT \SystemRoot\System32\Drivers\ag93zoy3.SYS[HAL.dll!KfLowerIrql] 0000009C
IAT \SystemRoot\System32\Drivers\ag93zoy3.SYS[HAL.dll!HalGetInterruptVector] 000000A4
IAT \SystemRoot\System32\Drivers\ag93zoy3.SYS[HAL.dll!HalTranslateBusAddress] 00000072
IAT \SystemRoot\System32\Drivers\ag93zoy3.SYS[HAL.dll!KeStallExecutionProcessor] 000000C0
IAT \SystemRoot\System32\Drivers\ag93zoy3.SYS[HAL.dll!KfReleaseSpinLock] 000000B7
IAT \SystemRoot\System32\Drivers\ag93zoy3.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 000000FD
IAT \SystemRoot\System32\Drivers\ag93zoy3.SYS[HAL.dll!READ_PORT_USHORT] 00000093
IAT \SystemRoot\System32\Drivers\ag93zoy3.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 00000026
IAT \SystemRoot\System32\Drivers\ag93zoy3.SYS[HAL.dll!WRITE_PORT_UCHAR] 00000036
IAT \SystemRoot\System32\Drivers\ag93zoy3.SYS[WMILIB.SYS!WmiSystemControl] 000000F7
IAT \SystemRoot\System32\Drivers\ag93zoy3.SYS[WMILIB.SYS!WmiCompleteRequest] 000000CC
---- User IAT/EAT - GMER 1.0.14 ----
IAT C:\WINDOWS\system32\services.exe[1052] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002
IAT C:\WINDOWS\system32\services.exe[1052] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000
---- Devices - GMER 1.0.14 ----
Device \FileSystem\Ntfs \Ntfs 77fec496.sys
Device \FileSystem\Ntfs \Ntfs 8A5CF1F8
AttachedDevice \FileSystem\Ntfs \Ntfs aswmon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
Device \FileSystem\Udfs \UdfsCdRom 87A2E1F8
Device \FileSystem\Udfs \UdfsDisk 87A2E1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{CE66B457-1F2E-49B3-9998-811FEFA1686B} 8A19D3B8
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip 77fec496.sys
AttachedDevice \Driver\Tcpip \Device\Ip aswrdr.SYS (avast! TDI RDR Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswtdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device \Driver\NetBT \Device\NetBT_Tcpip_{B58B4655-3807-46B9-B069-AC59900A6DDD} 8A19D3B8
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
Device \Driver\usbuhci \Device\USBPDO-0 8A33B500
Device \Driver\usbuhci \Device\USBPDO-1 8A33B500
Device \Driver\usbuhci \Device\USBPDO-2 8A33B500
Device \Driver\usbuhci \Device\USBPDO-3 8A33B500
Device \Driver\usbehci \Device\USBPDO-4 8A30B500
AttachedDevice \Driver\Tcpip \Device\Tcp aswtdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp 77fec496.sys
AttachedDevice \Driver\Tcpip \Device\Tcp aswrdr.SYS (avast! TDI RDR Driver/ALWIL Software)
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A5601F8
Device \Driver\Cdrom \Device\CdRom0 8A2B61F8
Device \Driver\Cdrom \Device\CdRom1 8A2B61F8
Device \Driver\PCI_PNP4550 \Device\00000066 spms.sys
Device \Driver\NetBT \Device\NetBT_Tcpip_{E33E4100-FB16-4859-9688-1212FBC404BA} 8A19D3B8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8A19D3B8
Device \Driver\NetBT \Device\NetbiosSmb 8A19D3B8
AttachedDevice \Driver\Tcpip \Device\Udp aswtdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp 77fec496.sys
AttachedDevice \Driver\Tcpip \Device\Udp aswrdr.SYS (avast! TDI RDR Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswtdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp 77fec496.sys
Device \Driver\usbuhci \Device\USBFDO-0 8A33B500
Device \Driver\usbuhci \Device\USBFDO-1 8A33B500
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8937B500
Device \Driver\SYMTDI \Device\SymTDI 77fec496.sys
Device \Driver\usbuhci \Device\USBFDO-2 8A33B500
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8937B500
Device \Driver\usbuhci \Device\USBFDO-3 8A33B500
Device \Driver\sptd \Device\4049795800 spms.sys
Device \Driver\usbehci \Device\USBFDO-4 8A30B500
Device \Driver\Ftdisk \Device\FtControl 8A5601F8
Device \Driver\ag93zoy3 \Device\Scsi\ag93zoy31 8A2AD1F8
Device \Driver\ag93zoy3 \Device\Scsi\ag93zoy31Port2Path0Target0Lun0 8A2AD1F8
Device \FileSystem\Cdfs \Cdfs 8A15A1F8
Device \FileSystem\Cdfs \Cdfs B5010BCE
---- Services - GMER 1.0.14 ----
Service C:\WINDOWS\System32\drivers\77fec496.sys (*** hidden *** ) [SYSTEM] 77fec496 <-- ROOTKIT !!!
---- Registry - GMER 1.0.14 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\77fec496@ImagePath \SystemRoot\System32\drivers\77fec496.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\77fec496@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\77fec496@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\77fec496@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Programfiler\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xC8 0xDD 0x83 0xA1 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xE7 0x93 0x69 0xE6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x73 0xFD 0xA0 0x67 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Programfiler\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xC8 0xDD 0x83 0xA1 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xE7 0x93 0x69 0xE6 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x3D 0x50 0xF0 0x4F ...
Reg HKLM\SYSTEM\ControlSet003\Services\77fec496@ImagePath \SystemRoot\System32\drivers\77fec496.sys
Reg HKLM\SYSTEM\ControlSet003\Services\77fec496@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\77fec496@Start 1
Reg HKLM\SYSTEM\ControlSet003\Services\77fec496@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Programfiler\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xC8 0xDD 0x83 0xA1 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xE7 0x93 0x69 0xE6 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x73 0xFD 0xA0 0x67 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version
Reg HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version@Version 0x34 0x7E 0x09 0x20 ...
---- Files - GMER 1.0.14 ----
File C:\Programfiler\Alwil Software\Avast4\DATA\aswAr.run 0 bytes
---- EOF - GMER 1.0.14 ----
-
Here is something about rootkits.
Run gmer.exe
Click the tab called Processes and click the Safe... button. The computer will reboot and the Gmer screen will open.
Click Files... and browse to the following file:
C:\WINDOWS\System32\drivers\77fec496.sys
Now click Delete
Now click the Services tab. Click the entries in red one by one with your right mouse button and click Delete... Answer Yes to all the warning windows.
When you've removed all the Service entries in red, reboot your computer.
Re-run gmer and post back a fresh gmer log, please.
-
Okay, I did what you said. But I got an error message when I restarted in GMER safe mode, and GMER did not open automatically. Still, I started it manually and removed the file from the "Files" list. There was only one red line under "Services"; it was the same 77fec file. This one could not be deleted, I just got an error message. Here is the new log:
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-11-25 23:45:10
Windows 5.1.2600 Service Pack 3
---- System - GMER 1.0.14 ----
SSDT \SystemRoot\System32\Drivers\aswsp.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB6C73604] <-- ROOTKIT !!!
SSDT 8A3CA468 ZwConnectPort
SSDT \SystemRoot\System32\drivers\77fec496.sys ZwCreateEvent [0xB6C3BC3F] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\drivers\77fec496.sys ZwCreateKey [0xB6C39E05] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswsp.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB6C7399E] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswsp.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB6C73098] <-- ROOTKIT !!!
SSDT spic.sys ZwEnumerateKey [0xBA6C6CA2] <-- ROOTKIT !!!
SSDT spic.sys ZwEnumerateValueKey [0xBA6C7030] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\drivers\77fec496.sys ZwOpenKey [0xB6C39EB9] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswsp.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB6C72FD8] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswsp.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB6C7303C] <-- ROOTKIT !!!
SSDT spic.sys ZwQueryKey [0xBA6C7108] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswsp.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB6C736BA] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswsp.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB6C7367A] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswsp.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB6C737FA] <-- ROOTKIT !!!
INT 0x62 ? 8A5D0BF8
INT 0x74 ? 8A328BF8
INT 0x82 ? 8A5D0BF8
INT 0x84 ? 8A328BF8
INT 0x94 ? 8A328BF8
---- Kernel code sections - GMER 1.0.14 ----
? spic.sys Systemet finner ikke angitt fil. !
.text USBPORT.SYS!DllUnload B99358AC 5 Bytes JMP 8A3281D8
.text akzy6l73.SYS B97ED384 1 Byte [ 20 ]
.text akzy6l73.SYS B97ED386 35 Bytes [ 00, 68, 00, 00, 00, 00, 00, ... ]
.text akzy6l73.SYS B97ED3AA 24 Bytes [ 00, 00, 20, 00, 00, E0, 00, ... ]
.text akzy6l73.SYS B97ED3C4 3 Bytes [ 00, 00, 00 ]
.text akzy6l73.SYS B97ED3C9 1 Byte [ 00 ]
.text ...
? C:\WINDOWS\System32\drivers\77fec496.sys Systemet finner ikke angitt fil.
---- Kernel IAT/EAT - GMER 1.0.14 ----
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BA6A9040] spic.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [BA6A913C] spic.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [BA6A90BE] spic.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [BA6A97FC] spic.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [BA6A96D2] spic.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [BA6B9048] spic.sys
IAT \SystemRoot\System32\Drivers\akzy6l73.SYS[HAL.dll!KfAcquireSpinLock] 000000AD
IAT \SystemRoot\System32\Drivers\akzy6l73.SYS[HAL.dll!READ_PORT_UCHAR] 000000D4
IAT \SystemRoot\System32\Drivers\akzy6l73.SYS[HAL.dll!KeGetCurrentIrql] 000000A2
IAT \SystemRoot\System32\Drivers\akzy6l73.SYS[HAL.dll!KfRaiseIrql] 000000AF
IAT \SystemRoot\System32\Drivers\akzy6l73.SYS[HAL.dll!KfLowerIrql] 0000009C
IAT \SystemRoot\System32\Drivers\akzy6l73.SYS[HAL.dll!HalGetInterruptVector] 000000A4
IAT \SystemRoot\System32\Drivers\akzy6l73.SYS[HAL.dll!HalTranslateBusAddress] 00000072
IAT \SystemRoot\System32\Drivers\akzy6l73.SYS[HAL.dll!KeStallExecutionProcessor] 000000C0
IAT \SystemRoot\System32\Drivers\akzy6l73.SYS[HAL.dll!KfReleaseSpinLock] 000000B7
IAT \SystemRoot\System32\Drivers\akzy6l73.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 000000FD
IAT \SystemRoot\System32\Drivers\akzy6l73.SYS[HAL.dll!READ_PORT_USHORT] 00000093
IAT \SystemRoot\System32\Drivers\akzy6l73.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 00000026
IAT \SystemRoot\System32\Drivers\akzy6l73.SYS[HAL.dll!WRITE_PORT_UCHAR] 00000036
IAT \SystemRoot\System32\Drivers\akzy6l73.SYS[WMILIB.SYS!WmiSystemControl] 000000F7
IAT \SystemRoot\System32\Drivers\akzy6l73.SYS[WMILIB.SYS!WmiCompleteRequest] 000000CC
---- User IAT/EAT - GMER 1.0.14 ----
IAT C:\WINDOWS\system32\services.exe[1080] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002
IAT C:\WINDOWS\system32\services.exe[1080] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000
---- Devices - GMER 1.0.14 ----
Device \FileSystem\Ntfs \Ntfs 77fec496.sys
Device \FileSystem\Ntfs \Ntfs 8A5CF1F8
AttachedDevice \FileSystem\Ntfs \Ntfs aswmon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
Device \FileSystem\Udfs \UdfsCdRom 87B8C500
Device \FileSystem\Udfs \UdfsDisk 87B8C500
Device \Driver\NetBT \Device\NetBT_Tcpip_{CE66B457-1F2E-49B3-9998-811FEFA1686B} 8A34B500
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip 77fec496.sys
AttachedDevice \Driver\Tcpip \Device\Ip aswrdr.SYS (avast! TDI RDR Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswtdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device \Driver\NetBT \Device\NetBT_Tcpip_{B58B4655-3807-46B9-B069-AC59900A6DDD} 8A34B500
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
Device \Driver\usbuhci \Device\USBPDO-0 8A3251F8
Device \Driver\usbuhci \Device\USBPDO-1 8A3251F8
Device \Driver\sptd \Device\491496408 spic.sys
Device \Driver\usbuhci \Device\USBPDO-2 8A3251F8
Device \Driver\usbuhci \Device\USBPDO-3 8A3251F8
Device \Driver\usbehci \Device\USBPDO-4 8A2F61F8
AttachedDevice \Driver\Tcpip \Device\Tcp aswtdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp 77fec496.sys
AttachedDevice \Driver\Tcpip \Device\Tcp aswrdr.SYS (avast! TDI RDR Driver/ALWIL Software)
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A5601F8
Device \Driver\Cdrom \Device\CdRom0 8A2511F8
Device \Driver\Cdrom \Device\CdRom1 8A2511F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{E33E4100-FB16-4859-9688-1212FBC404BA} 8A34B500
Device \Driver\PCI_PNP5158 \Device\00000067 spic.sys
Device \Driver\NetBT \Device\NetBt_Wins_Export 8A34B500
Device \Driver\NetBT \Device\NetbiosSmb 8A34B500
AttachedDevice \Driver\Tcpip \Device\Udp aswtdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp 77fec496.sys
AttachedDevice \Driver\Tcpip \Device\Udp aswrdr.SYS (avast! TDI RDR Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswtdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp 77fec496.sys
Device \Driver\usbuhci \Device\USBFDO-0 8A3251F8
Device \Driver\usbuhci \Device\USBFDO-1 8A3251F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A1431F8
Device \Driver\SYMTDI \Device\SymTDI 77fec496.sys
Device \Driver\usbuhci \Device\USBFDO-2 8A3251F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A1431F8
Device \Driver\usbuhci \Device\USBFDO-3 8A3251F8
Device \Driver\usbehci \Device\USBFDO-4 8A2F61F8
Device \Driver\Ftdisk \Device\FtControl 8A5601F8
Device \Driver\akzy6l73 \Device\Scsi\akzy6l731Port2Path0Target0Lun0 8A241500
Device \Driver\akzy6l73 \Device\Scsi\akzy6l731 8A241500
Device \FileSystem\Cdfs \Cdfs 8A16F500
Device \FileSystem\Cdfs \Cdfs B5D5EBCE
---- Services - GMER 1.0.14 ----
Service C:\WINDOWS\System32\drivers\77fec496.sys (*** hidden *** ) [SYSTEM] 77fec496 <-- ROOTKIT !!!
---- Registry - GMER 1.0.14 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\77fec496@ImagePath \SystemRoot\System32\drivers\77fec496.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\77fec496@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\77fec496@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\77fec496@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Programfiler\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xC8 0xDD 0x83 0xA1 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xE7 0x93 0x69 0xE6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x73 0xFD 0xA0 0x67 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Programfiler\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xC8 0xDD 0x83 0xA1 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xE7 0x93 0x69 0xE6 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x3D 0x50 0xF0 0x4F ...
Reg HKLM\SYSTEM\ControlSet003\Services\77fec496@ImagePath \SystemRoot\System32\drivers\77fec496.sys
Reg HKLM\SYSTEM\ControlSet003\Services\77fec496@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\77fec496@Start 1
Reg HKLM\SYSTEM\ControlSet003\Services\77fec496@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Programfiler\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xC8 0xDD 0x83 0xA1 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xE7 0x93 0x69 0xE6 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x73 0xFD 0xA0 0x67 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version
Reg HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version@Version 0x34 0x7E 0x09 0x20 ...
---- EOF - GMER 1.0.14 ----
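Added example, not code from this thread or from GMER: a small Python triage script that reads lines in the GMER log format posted above and correlates the sections the way the helper does by eye. It treats the "<-- ROOTKIT" flag as a hint only (the second log flags avast's own self-protection hooks too) and instead scores each module GMER could not attribute to a vendor by corroborating evidence: SSDT hooks, a file the file system API cannot see, a hidden service entry, and a boot-time Start value. The sample lines are constructed from this thread's logs.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the GMER 1.0.14 logs posted in this thread: a few
# representative lines, not the full logs. "Systemet finner ikke angitt fil." is the
# Norwegian Windows message for "The system cannot find the file specified."
SAMPLE_LOG = r"""
---- System - GMER 1.0.14 ----
SSDT \SystemRoot\System32\Drivers\aswsp.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB6BEB604] <-- ROOTKIT !!!
SSDT 8A359480 ZwConnectPort
SSDT \SystemRoot\System32\drivers\77fec496.sys ZwCreateEvent [0xB6BDBC3F] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\drivers\77fec496.sys ZwOpenKey [0xB6BD9EB9] <-- ROOTKIT !!!
SSDT spms.sys ZwEnumerateKey [0xBA6C6CA2] <-- ROOTKIT !!!
---- Kernel code sections - GMER 1.0.14 ----
? spms.sys Systemet finner ikke angitt fil. !
? C:\WINDOWS\System32\drivers\77fec496.sys Systemet finner ikke angitt fil.
---- Services - GMER 1.0.14 ----
Service C:\WINDOWS\System32\drivers\77fec496.sys (*** hidden *** ) [SYSTEM] 77fec496 <-- ROOTKIT !!!
---- Registry - GMER 1.0.14 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\77fec496@ImagePath \SystemRoot\System32\drivers\77fec496.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\77fec496@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
"""

SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)"            # driver path, bare file name, or a raw address
    r"(?:\s+\((?P<vendor>[^)]*)\))?"      # "(description/vendor)" GMER prints for files it identifies
    r"\s+(?P<func>Zw\w+)"                 # the hooked system service
    r"(?:\s+\[0x[0-9A-Fa-f]+\])?"         # hook address, absent when GMER could not map it
    r"(?P<flag>\s+<-- ROOTKIT !!!)?\s*$"
)
MISSING_RE = re.compile(r"^\?\s+(?P<module>\S+)\s+Systemet finner ikke angitt fil\.")
HIDDEN_SVC_RE = re.compile(
    r"^Service\s+(?P<path>\S+)\s+\(\*\*\* hidden \*\*\* \)\s+\[\w+\]\s+(?P<name>\w+)")
REG_RE = re.compile(
    r"^Reg\s+HKLM\\SYSTEM\\\w+\\Services\\(?P<svc>[^\\@\s]+)@(?P<value>\w+)\s+(?P<data>.*)$")


def basename(module: str) -> str:
    """Lower-cased file name of a module path; a raw address comes back unchanged."""
    return module.rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> dict:
    """Correlate the GMER sections into per-module evidence and a signal count.

    Hooks by a module GMER attributed to a vendor (e.g. avast self-protection) are
    treated as expected and skipped; every other SSDT hook is corroborated with a
    file invisible to the file system API, a hidden service, and a Start value.
    """
    evidence = defaultdict(lambda: {"hooks": [], "file_hidden": False,
                                    "hidden_service": None, "start": None})
    reg = defaultdict(dict)      # service name -> {value name: data}
    vendor_flagged = 0           # "<-- ROOTKIT" flags on identified vendor modules (noise)
    for line in log_text.splitlines():
        if m := SSDT_RE.match(line):
            if m["vendor"]:
                vendor_flagged += bool(m["flag"])
            else:
                evidence[basename(m["module"])]["hooks"].append(m["func"])
        elif m := MISSING_RE.match(line):
            evidence[basename(m["module"])]["file_hidden"] = True
        elif m := HIDDEN_SVC_RE.match(line):
            evidence[basename(m["path"])]["hidden_service"] = m["name"]
        elif m := REG_RE.match(line):
            reg[m["svc"]][m["value"]] = m["data"]
    for svc, values in reg.items():
        if "Start" in values:    # Start 0/1 = boot/system start, before any user-mode scanner
            image = basename(values.get("ImagePath", svc + ".sys"))
            evidence[image]["start"] = int(values["Start"])
    for item in evidence.values():
        item["score"] = (bool(item["hooks"]) + item["file_hidden"]
                         + (item["hidden_service"] is not None) + (item["start"] is not None))
    return {"modules": dict(evidence), "vendor_flagged_hooks": vendor_flagged}


if __name__ == "__main__":
    for name, ev in sorted(triage(SAMPLE_LOG)["modules"].items(), key=lambda kv: -kv[1]["score"]):
        print(f"{name:14} score={ev['score']} hooks={ev['hooks']} file_hidden={ev['file_hidden']} "
              f"service={ev['hidden_service']} start={ev['start']}")
```

On the sample, 77fec496.sys scores on all four signals while spms.sys (hooks plus a missing file, no service entry) and the unmapped address score lower, which is the same ranking the helper arrived at.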
-
Yes that is what I was afraid of.
I recommend that you next back up your most important data on the hard drive (documents, pictures and so on), because removal can be difficult and cause system malfunction.
After that:
Download Avenger by Swandog and unzip it to your Desktop.
Note: This program must be run from an account with Administrator privileges.
- Open the Avenger folder and double click Avenger.exe to launch the program.
- Copy the text in the code box below and Paste it into the Input script here: box.
Code:
Files to delete:
C:\WINDOWS\System32\drivers\77fec496.sys
Drivers to delete:
77fec496
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
- Ensure the following:
- Scan for Rootkits is checked.
- Automatically disable any rootkits found is Unchecked.
- Press the Execute key.
- Avenger will now process the script you've pasted (this may involve more than one reboot); when finished, it will produce a log file.
- Post the log back here please. (it can also be found at C:\avenger.txt)
-
I see. How big is the risk of losing anything? I'll probably get some DVDs and make backup files later. I'll try Avenger after that.
-
Well, I have heard that sometimes removal attempts for this infection might end up with a computer which doesn't boot properly.
-
Due to the lack of feedback this Topic is closed.
If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.
Everyone else please begin a New Topic.