
Thread: Blade81 - Archive problem

  1. #1
    Junior Member
    Join Date
    Jul 2008
    Posts
    11

    Default Blade81 - Archive problem

    Blade81,

    Apologies, I've been away and just noticed you replied to my cry for help, but it's now archived here: http://forums.spybot.info/showthread.php?t=31500.

    You asked me to download GMER which I've tried to do today but can't access their site. I'll keep trying with GMER (or should I try something else?)

    Thanks.

  2. #2
    Junior Member
    Join Date
    Jul 2008
    Posts
    11

    Default GMER Scan Log

Ok, managed to access GMER and scan as you suggested - here's the log:

    GMER 1.0.14.14536 - http://www.gmer.net
    Rootkit scan 2008-08-12 22:31:38
    Windows 5.1.2600 Service Pack 3


    ---- Kernel code sections - GMER 1.0.14 ----

    PAGE CLASSPNP.SYS!ClassInitialize + F4 F762842C 4 Bytes [ 56, 57, B4, 86 ]
    PAGE CLASSPNP.SYS!ClassInitialize + FF F7628437 4 Bytes [ AC, 11, B4, 86 ]
    PAGE CLASSPNP.SYS!ClassInitialize + 10A F7628442 4 Bytes [ 68, 57, B4, 86 ]
    PAGE CLASSPNP.SYS!ClassInitialize + 111 F7628449 4 Bytes [ 5C, 57, B4, 86 ]
    PAGE CLASSPNP.SYS!ClassInitialize + 118 F7628450 4 Bytes [ 62, 57, B4, 86 ]
    PAGE ...

    ---- User code sections - GMER 1.0.14 ----

    .text C:\Program Files\Internet Explorer\iexplore.exe[3024] ADVAPI32.dll!CryptDestroyKey 77DE9E9C 7 Bytes JMP 01832B93
    .text C:\Program Files\Internet Explorer\iexplore.exe[3024] ADVAPI32.dll!CryptDecrypt 77DEA109 7 Bytes JMP 01832B50
    .text C:\Program Files\Internet Explorer\iexplore.exe[3024] ADVAPI32.dll!CryptEncrypt 77DEE340 7 Bytes JMP 01832B14
    .text C:\Program Files\Internet Explorer\iexplore.exe[3024] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 42F0F301 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3024] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 430A1667 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3024] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 430A15E8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3024] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 430A162C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3024] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 430A1574 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3024] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 430A15AE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3024] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 430A16A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3024] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 42F316B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3024] WININET.dll!InternetCloseHandle 7805DA59 5 Bytes JMP 01833098
    .text C:\Program Files\Internet Explorer\iexplore.exe[3024] WININET.dll!HttpOpenRequestA 78064341 5 Bytes JMP 01832DD1
    .text C:\Program Files\Internet Explorer\iexplore.exe[3024] WININET.dll!InternetConnectA 7806499A 5 Bytes JMP 01832BAE
    .text C:\Program Files\Internet Explorer\iexplore.exe[3024] WININET.dll!InternetReadFile 7806ABB4 5 Bytes JMP 01833043
    .text C:\Program Files\Internet Explorer\iexplore.exe[3024] WININET.dll!HttpSendRequestA 7806CD40 5 Bytes JMP 01832F11
    .text C:\Program Files\Internet Explorer\iexplore.exe[3024] WININET.dll!HttpSendRequestW 78080825 5 Bytes JMP 018339D8
    .text C:\Program Files\Internet Explorer\iexplore.exe[3024] CRYPT32.dll!CertGetCertificateChain 77A92F67 5 Bytes JMP 01833578
    .text C:\Program Files\Internet Explorer\iexplore.exe[3024] CRYPT32.dll!CertVerifyCertificateChainPolicy 77A9B76F 5 Bytes JMP 01833581
    .text C:\WINDOWS\Explorer.EXE[3268] ADVAPI32.dll!CryptDestroyKey 77DE9E9C 7 Bytes JMP 00DE2B93
    .text C:\WINDOWS\Explorer.EXE[3268] ADVAPI32.dll!CryptDecrypt 77DEA109 7 Bytes JMP 00DE2B50
    .text C:\WINDOWS\Explorer.EXE[3268] ADVAPI32.dll!CryptEncrypt 77DEE340 7 Bytes JMP 00DE2B14
    .text C:\WINDOWS\Explorer.EXE[3268] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00DE2AF9
    .text C:\WINDOWS\Explorer.EXE[3268] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00DE2985
    .text C:\WINDOWS\Explorer.EXE[3268] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00DE2A77
    .text C:\WINDOWS\Explorer.EXE[3268] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00DE29BD
    .text C:\WINDOWS\Explorer.EXE[3268] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00DE29F5

    ---- Devices - GMER 1.0.14 ----

    Device \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    Device \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    Device \Driver\Cdrom \Device\CdRom0 86B45756
    Device \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    Device \Driver\Disk \Device\Harddisk0\DR0 86B45756
    Device \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    Device \Driver\Disk \Device\Harddisk1\DR3 86B45756
    Device \Driver\Disk \Device\Harddisk1\DP(1)0-0+5 86B45756
    Device \Driver\Disk \Device\Harddisk2\DR4 86B45756
    Device \Driver\Disk \Device\Harddisk2\DP(1)0-0+6 86B45756
    Device \Driver\Tcpip \Device\IPMULTICAST avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    Device \FileSystem\Fastfat \Fat EBE07D20

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

    ---- Threads - GMER 1.0.14 ----

    Thread 4:464 86B848D0
    Thread 4:468 86B71BE0
    Thread 4:472 86BB9DF0
    Thread 4:476 86B52110
    Thread 4:1416 86B848D0
    Thread 4:1420 86B71BE0
    Thread 4:1424 86BB9DF0
    Thread 4:1428 86B52110

    ---- Disk sectors - GMER 1.0.14 ----

    Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior; MBR rootkit code detected <-- ROOTKIT !!!
    Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 60: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 61: rootkit-like behavior; malicious code @ sector 0xdf83cbd size 0x1fd
    Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior; copy of MBR

    ---- EOF - GMER 1.0.14 ----
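The log above makes two distinctions a helper reads first: in the "User code sections" some inline JMP hooks are attributed to a named module (the USER32 dialog hooks resolve to IEFRAME.dll, which is Internet Explorer's own), while the hooks on ADVAPI32 Crypt*, WININET, WS2_32 and CRYPT32 jump to addresses GMER cannot tie to any module; and in "Disk sectors" GMER flags sector 0 as MBR rootkit code and labels sector 62 "copy of MBR" (an MBR-infecting rootkit typically keeps the original boot record elsewhere so the machine still boots). The script below is an added example for this thread, not GMER's code or anything Blade81 posted: it parses a handful of lines excerpted from the log above, separates unattributed hooks from attributed ones, groups them by process, tags them by API family, and reports the sector findings. The regular expressions are written against the line format as shown in this log, and the crypto/network grouping is the author's assumption about what matters for triage.

```python
"""Triage a GMER 1.0.14 log excerpt: unattributed API hooks and MBR findings.

Added example for this thread (not GMER's own output parser). Sample lines are
excerpted from the log posted above; regex shapes follow that format.
"""
import re
from collections import defaultdict

# Excerpt of the posted log: four hooked APIs in iexplore.exe, two in Explorer.EXE,
# and the three disk-sector lines that matter.
SAMPLE_LOG = r"""
.text C:\Program Files\Internet Explorer\iexplore.exe[3024] ADVAPI32.dll!CryptEncrypt 77DEE340 7 Bytes JMP 01832B14
.text C:\Program Files\Internet Explorer\iexplore.exe[3024] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 42F0F301 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3024] WININET.dll!HttpSendRequestA 7806CD40 5 Bytes JMP 01832F11
.text C:\Program Files\Internet Explorer\iexplore.exe[3024] CRYPT32.dll!CertVerifyCertificateChainPolicy 77A9B76F 5 Bytes JMP 01833581
.text C:\WINDOWS\Explorer.EXE[3268] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00DE2985
.text C:\WINDOWS\Explorer.EXE[3268] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00DE29BD
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior; MBR rootkit code detected <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 61: rootkit-like behavior; malicious code @ sector 0xdf83cbd size 0x1fd
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior; copy of MBR
"""

# ".text <process>[<pid>] <module>!<api> <addr> <n> Bytes JMP <target> [<path> (<desc>)]"
HOOK_RE = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] (?P<mod>[\w.]+)!(?P<api>\w+) "
    r"(?P<addr>[0-9A-F]+) (?P<n>\d+) Bytes JMP (?P<target>[0-9A-F]+)"
    r"(?: (?P<path>\S+) \((?P<desc>[^)]*)\))?$"
)
# "Disk <device> sector <nn>: <note>"
SECTOR_RE = re.compile(r"^Disk (?P<dev>\S+) sector (?P<sector>\d+): (?P<note>.*)$")


def parse_hooks(log_text):
    """Return one dict per user-mode hook line; 'path' is None when GMER
    could not attribute the JMP target to a loaded module."""
    return [m.groupdict() for m in map(HOOK_RE.match, (l.strip() for l in log_text.splitlines())) if m]


def unattributed_hooks(hooks):
    """Hooks whose JMP lands in memory GMER cannot name. The IEFRAME.dll hooks
    on USER32 are attributed and are IE's own; these are the ones to ask about."""
    return [h for h in hooks if h["path"] is None]


def classify(hook):
    """Coarse API-family tag (assumption: what a helper would weigh first)."""
    mod = hook["mod"].upper()
    if mod in ("ADVAPI32.DLL", "CRYPT32.DLL"):
        return "crypto"
    if mod in ("WININET.DLL", "WS2_32.DLL"):
        return "network"
    return "other"


def hooks_by_process(hooks):
    """Map 'process[pid]' -> list of 'module!api' for unattributed hooks only."""
    out = defaultdict(list)
    for h in unattributed_hooks(hooks):
        out[f'{h["proc"]}[{h["pid"]}]'].append(f'{h["mod"]}!{h["api"]}')
    return dict(out)


def sector_findings(log_text):
    """(sector number, note) for every disk-sector line GMER flagged."""
    found = []
    for line in log_text.splitlines():
        m = SECTOR_RE.match(line.strip())
        if m and "rootkit-like" in m["note"]:
            found.append((int(m["sector"]), m["note"]))
    return found


def has_mbr_backup(findings):
    """True when GMER saw a stashed copy of the original MBR, i.e. sector 0 was replaced."""
    return any("copy of MBR" in note for _, note in findings)


if __name__ == "__main__":
    hooks = parse_hooks(SAMPLE_LOG)
    for proc, apis in hooks_by_process(hooks).items():
        print(proc)
        for a in apis:
            print("   ", a)
    findings = sector_findings(SAMPLE_LOG)
    for sector, note in findings:
        print(f"sector {sector:2d}: {note}")
    print("original MBR stashed elsewhere:", has_mbr_backup(findings))
```

Run it against a full GMER log by reading the file into `SAMPLE_LOG`'s place; anything listed under a process with no module path after the JMP target is what the helper means by "signs of a rootkit", and the "copy of MBR" line is why reformatting rather than deleting files is the advice that follows.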

  3. #3
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Unfortunately your log shows signs of a rootkit being present on your system. This means your PC is at risk now and sadly may always be.
    The problem with rootkits is they are very hard to detect and extremely hard to remove completely.
    Rootkits may also have what is known as a backdoor. The backdoor, if present, will give complete remote access to your system. This means someone will be able to steal any information stored on your PC including addresses, names and telephone numbers and, more worryingly, passwords, bank account details and any other financial information; basically they will have access to any data that you do.


    At this point you have 2 options:

    OPTION 1

    We attempt to remove the rootkit but will never really know if it is completely removed which means all the above applies.
    There will be no guarantees with this option.

    OPTION 2

    We reformat your system.
    This will destroy the rootkit but means you will have to reinstall everything.

    My advice would be OPTION 2. It is the only safe, effective and positive way of dealing with this type of infection.
    It will also be much quicker to reformat/reinstall than to attempt the removal.

    I would like you to read the information over and when you have decided which option to choose post back and I will gladly assist with what ever route you choose to take.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  4. #4
    Junior Member
    Join Date
    Jul 2008
    Posts
    11

    Unhappy

    Thanks for your reply, I don't really understand what a rootkit is but it sounds like bad news. If as you say, we can never be sure we are 'clean' I guess a reformat is the only answer, but I'm no computer expert so what does it entail and can your average Joe like me do it?

    Is this rootkit likely to be the cause of the 'Advanced Visa Verification' pop-up and the regular IE crashes??

    Thanks.

  5. #5
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    If as you say, we can never be sure we are 'clean' I guess a reformat is the only answer, but I'm no computer expert so what does it entail and can your average Joe like me do it?
    Hi

    Check this great reformat tutorial by wng_z3r0.

    Is this rootkit likely to be the cause of the 'Advanced Visa Verification' pop-up and the regular IE crashes??
    This rootkit is used to hide those that are behind the symptoms you described.

  6. #6
    Junior Member
    Join Date
    Jul 2008
    Posts
    11

    Default

    Blade81,

    Do I just follow the tutorial by wng_z3r0, or is there anything else I need to do/know?

    Check this great reformat tutorial by wng_z3r0.


    This rootkit is used to hide those that are behind the symptoms you described.

  7. #7
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi

    If you're going to reformat, that tutorial should give you all the needed details.

  8. #8
    Junior Member
    Join Date
    Jul 2008
    Posts
    11

    Default

    Ok, thanks Blade81 - wish me luck!

  9. #9
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Sure. Good luck.

    Let me know if you've got any other questions/when the topic can be closed.

  10. #10
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Due to inactivity, this thread will now be closed.

    Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

    If it has been less than five days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.
