I think I am on the admin account. How do I switch?
When I go to log off or switch users it tells me there is only one account.
Is there a better way to go to admin account?
Then it is the correct account.
Please download SWWhoami from this page and save it somewhere you like.
Launch Notepad, and copy/paste the box below into a new text file. Save it as Export.bat and save it in the same folder as where you saved SWWhoAmI.
Code:
rem Dump the current logon token (user, groups, privileges), then list the local accounts
SWWhoAmI > output.txt
SWWhoAmI /listusers >> output.txt
Notepad output.txt
Locate Export.bat in that folder and double-click on it. Notepad will open up with some text, please post that.
Microsoft MVP Consumer Security 2008-2011
Member of ASAP and UNITE since 2006
How do I switch to admin?
When I go to switch users there is only one account.
If you have only one account, it is most likely the account with admin rights.
Please follow my previous instructions so that we can find out.
Username: SLAVIK\Owner
SID: S-1-5-21-1844237615-1220945662-682003330-1003
Days since last password change: 101
Privilege: 2 (USER_PRIV_ADMIN)
Home directory:
Comment: ''
Flags: 513 (UF_SCRIPT, UF_NORMAL_ACCOUNT)
Script path:
Operator privilege: 0 ()
Full name:
User comment: ''
Parms: ''
Workstations:
Last logon time: 08 September 2008 5:10:31 PM
Last logoff time: unknown
Account expires: never
Maximum discspace: unlimited
Units per week: 168
Logonhours: 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF
0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF
0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF
Bad password count: 0
Total logins count: 266
Logonserver: \\*
Countrycode: 0
Codepage: 0
User ID: 1003
Primary Group ID: 513
Profile path:
Home directory:
Password is not expired
Groups: ----------------------------------------------------------------------
SLAVIK\None (S-1-5-21-1844237615-1220945662-682003330-513)
Everyone (S-1-1-0)
SLAVIK\Administrators (S-1-5-32-544)
SLAVIK\Users (S-1-5-32-545)
NT AUTHORITY\INTERACTIVE (S-1-5-4)
NT AUTHORITY\Authenticated Users (S-1-5-11)
<??> (S-1-5-5-0-85062)
LOCAL (S-1-2-0)
Privileges: ------------------------------------------------------------------
(0) SeTakeOwnershipPrivilege = Take ownership of files or other objects
(0) SeCreateTokenPrivilege = Create a token object
(0) SeAssignPrimaryTokenPrivilege = Replace a process level token
(0) SeLockMemoryPrivilege = Lock pages in memory
(0) SeIncreaseQuotaPrivilege = Adjust memory quotas for a process
(0) SeUnsolicitedInputPrivilege = SeUnsolicitedInputPrivilege
(0) SeMachineAccountPrivilege = Add workstations to domain
(0) SeTcbPrivilege = Act as part of the operating system
(0) SeSecurityPrivilege = Manage auditing and security log
(0) SeTakeOwnershipPrivilege = Take ownership of files or other objects
(X) SeLoadDriverPrivilege = Load and unload device drivers
(0) SeSystemProfilePrivilege = Profile system performance
(0) SeSystemtimePrivilege = Change the system time
(0) SeProfileSingleProcessPrivilege = Profile single process
(0) SeIncreaseBasePriorityPrivilege = Increase scheduling priority
(0) SeCreatePagefilePrivilege = Create a pagefile
(0) SeCreatePermanentPrivilege = Create permanent shared objects
(0) SeBackupPrivilege = Back up files and directories
(0) SeRestorePrivilege = Restore files and directories
(0) SeShutdownPrivilege = Shut down the system
(0) SeDebugPrivilege = Debug programs
(0) SeAuditPrivilege = Generate security audits
(0) SeSystemEnvironmentPrivilege = Modify firmware environment values
(X) SeChangeNotifyPrivilege = Bypass traverse checking
(0) SeRemoteShutdownPrivilege = Force shutdown from a remote system
(X) SeUndockPrivilege = Remove computer from docking station
(0) SeSyncAgentPrivilege = Synchronize directory service data
(0) SeEnableDelegationPrivilege = Enable computer and user accounts to be trusted for delegation
(0) SeManageVolumePrivilege = Perform volume maintenance tasks
(X) SeImpersonatePrivilege = Impersonate a client after authentication
(X) SeCreateGlobalPrivilege = Create global objects
Environment variables: -------------------------------------------------------
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=SLAVIK
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\SLAVIK
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f06
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=SLAVIK
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS
Users on this computer:
Is Admin? | Username
------------------
Yes | Administrator
| ASPNET
| Guest (Disabled)
| HelpAssistant (Disabled)
Yes | Owner
| SUPPORT_388945a0 (Disabled)
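The check the helper is making with that dump can be automated: an administrator's token is recognised by the well-known group SID S-1-5-32-544 (BUILTIN\Administrators) in its group list, not by the account's name. The Python below is an added example, not part of this thread and not SWWhoAmI's own code; SAMPLE_DUMP is a constructed, abridged copy of the output above, and the reading of (X) as an enabled privilege and (0) as a held-but-disabled one is an assumption about the tool's format.

```python
"""Decide from a SWWhoAmI-style token dump whether the logged-on user is an
administrator. Added example, not SWWhoAmI's code and not part of the thread;
SAMPLE_DUMP is a constructed, abridged copy of the dump posted above."""
import re

# BUILTIN\Administrators; this SID is identical on every Windows installation.
ADMINISTRATORS_SID = "S-1-5-32-544"

SAMPLE_DUMP = r"""
Username: SLAVIK\Owner
SID: S-1-5-21-1844237615-1220945662-682003330-1003
Privilege: 2 (USER_PRIV_ADMIN)
Groups: ----------------------------------------------------------------------
SLAVIK\None (S-1-5-21-1844237615-1220945662-682003330-513)
Everyone (S-1-1-0)
SLAVIK\Administrators (S-1-5-32-544)
SLAVIK\Users (S-1-5-32-545)
NT AUTHORITY\INTERACTIVE (S-1-5-4)
NT AUTHORITY\Authenticated Users (S-1-5-11)
LOCAL (S-1-2-0)
Privileges: ------------------------------------------------------------------
(0) SeTcbPrivilege = Act as part of the operating system
(X) SeLoadDriverPrivilege = Load and unload device drivers
(0) SeDebugPrivilege = Debug programs
(X) SeChangeNotifyPrivilege = Bypass traverse checking
(X) SeImpersonatePrivilege = Impersonate a client after authentication
Environment variables: -------------------------------------------------------
USERNAME=Owner
"""

GROUP_RE = re.compile(r"^(?P<name>.+?) \((?P<sid>S-1-[\d-]+)\)$")
# Interpretation of the dump's markers (an assumption about SWWhoAmI's format):
# (X) = privilege enabled in the token, (0) = held but currently disabled.
PRIV_RE = re.compile(r"^\((?P<state>[0X])\) (?P<priv>Se\w+) = ")


def parse_dump(text):
    """Return (groups, privileges): groups maps SID -> display name,
    privileges maps privilege name -> True if enabled."""
    groups, privs = {}, {}
    section = None
    for line in text.splitlines():
        if line.startswith("Groups:"):
            section = "groups"
        elif line.startswith("Privileges:"):
            section = "privs"
        elif line.startswith("Environment variables:"):
            section = None
        elif section == "groups":
            m = GROUP_RE.match(line)
            if m:
                groups[m["sid"]] = m["name"]
        elif section == "privs":
            m = PRIV_RE.match(line)
            if m:
                privs[m["priv"]] = m["state"] == "X"
    return groups, privs


def is_admin_token(groups):
    # Decide by the well-known SID, never by the name: a local group can be
    # renamed, and a user called "Administrator" proves nothing by itself.
    return ADMINISTRATORS_SID in groups


def enabled_privileges(privs):
    return sorted(p for p, on in privs.items() if on)


if __name__ == "__main__":
    g, p = parse_dump(SAMPLE_DUMP)
    print("admin token:", is_admin_token(g))
    print("enabled privileges:", ", ".join(enabled_privileges(p)))
```

On Windows XP, the system in this thread, there is no UAC, so membership in Administrators means every process this user starts carries that group; the dump also shows SeLoadDriverPrivilege held by the token, which is the privilege a user-mode process needs to load a kernel driver itself. On Vista and later the same SID can appear in a filtered token marked "Group used for deny only", so a check like this must also look at the group attributes there.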
That seems to be fine.
Let's check this next:
* Download GMER from here:
Unzip it and start GMER.exe
Click the rootkit-tab and click scan.
Once done, click the Copy button.
This will copy the results to clipboard.
Paste the results in your next reply.
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-09-09 10:31:21
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.14 ----
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwAdjustPrivilegesToken [0xAE2F2C8C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwConnectPort [0xAE2F23C4]
SSDT \SystemRoot\System32\drivers\51a3f7fb.sys ZwCreateEvent [0xAE10623F]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreateFile [0xAE2F28A0]
SSDT \SystemRoot\System32\drivers\51a3f7fb.sys ZwCreateKey [0xAE104405]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreatePort [0xAE2F2080]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreateSection [0xAE2F4084]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreateSymbolicLinkObject [0xAE2F2E72]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreateThread [0xAE2F1C50]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwDeleteKey [0xAE2F30B8]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwDeleteValueKey [0xAE2F3268]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwDuplicateObject [0xAE2F1B02]
SSDT sptd.sys ZwEnumerateKey [0xF7437FB2]
SSDT sptd.sys ZwEnumerateValueKey [0xF7438340]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwLoadDriver [0xAE2F3D24]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwOpenFile [0xAE2F2AB0]
SSDT \SystemRoot\System32\drivers\51a3f7fb.sys ZwOpenKey [0xAE1044B9]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwOpenProcess [0xAE2F1822]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwOpenSection [0xAE2F2744]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwOpenThread [0xAE2F19AA]
SSDT sptd.sys ZwQueryKey [0xF7438418]
SSDT sptd.sys ZwQueryValueKey [0xF7438298]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwRenameKey [0xAE2F37F2]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwRequestWaitReplyPort [0xAE2F2196]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwSecureConnectPort [0xAE2F3AE6]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwSetSystemInformation [0xAE2F3EC4]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwSetValueKey [0xAE2F3602]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwShutdownSystem [0xAE2F25D2]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwSystemDebugControl [0xAE2F2638]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwTerminateProcess [0xAE2F1F4A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwTerminateThread [0xAE2F1E18]
---- Kernel code sections - GMER 1.0.14 ----
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload F65E862C 5 Bytes JMP 86B7A770
? System32\Drivers\ar8v8idd.SYS The system cannot find the file specified. !
? C:\WINDOWS\System32\drivers\51a3f7fb.sys The system cannot find the file specified.
---- User code sections - GMER 1.0.14 ----
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4384] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 42F0F301 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4384] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 430A1667 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4384] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 430A15E8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4384] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 430A162C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4384] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 430A1574 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4384] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 430A15AE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4384] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 430A16A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4384] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 42F316B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
---- Kernel IAT/EAT - GMER 1.0.14 ----
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7432AD4] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F7432C1A] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F7432B9C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F7433748] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F743361E] sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F744829A] sptd.sys
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [F72A9710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [F72A9770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [F72A9990] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [F72A9950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F72A9950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F72A9770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F72A9710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F72A9990] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F72A9990] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F72A9950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F72A9770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F72A9710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F72A9950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F72A9710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F72A9770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F72A9990] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F72A9710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F72A9770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F72A9950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F72A9990] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F72A9950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F72A9770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F72A9710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F72A9950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F72A9990] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F72A9710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F72A9770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
---- Devices - GMER 1.0.14 ----
Device \FileSystem\Ntfs \Ntfs 51a3f7fb.sys
Device \FileSystem\Ntfs \Ntfs 86D601E8
Device \FileSystem\Fastfat \FatCdrom 869A71E8
Device \FileSystem\Udfs \UdfsCdRom 861421E8
Device \FileSystem\Udfs \UdfsDisk 861421E8
AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys (COMODO Firewall Pro Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Ip 51a3f7fb.sys
Device \Driver\cmdhlp \Device\CFPTcpFlt 51a3f7fb.sys
Device \Driver\usbuhci \Device\USBPDO-0 86B48790
Device \Driver\usbuhci \Device\USBPDO-1 86B48790
Device \Driver\usbehci \Device\USBPDO-2 86B49790
Device \Driver\cmdhlp \Device\CFPRawFlt 51a3f7fb.sys
Device \Driver\cmdhlp \Device\CFPUdpFlt 51a3f7fb.sys
Device \Driver\usbuhci \Device\USBPDO-3 86B48790
Device \Driver\usbuhci \Device\USBPDO-4 86B48790
Device \Driver\PCI_NTPNP2514 \Device\00000048 sptd.sys
AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Firewall Pro Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Tcp 51a3f7fb.sys
Device \Driver\usbuhci \Device\USBPDO-5 86B48790
Device \Driver\usbuhci \Device\USBPDO-6 86B48790
Device \Driver\Ftdisk \Device\HarddiskVolume1 86DD21E8
Device \Driver\usbehci \Device\USBPDO-7 86B49790
Device \Driver\Cdrom \Device\CdRom0 86ACA790
Device \Driver\Cdrom \Device\CdRom1 86ACA790
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 86D611E8
Device \Driver\atapi \Device\Ide\IdePort0 86D611E8
Device \Driver\atapi \Device\Ide\IdePort1 86D611E8
Device \Driver\atapi \Device\Ide\IdePort2 86D611E8
Device \Driver\atapi \Device\Ide\IdePort3 86D611E8
Device \Driver\atapi \Device\Ide\IdePort4 86D611E8
Device \Driver\atapi \Device\Ide\IdePort5 86D611E8
Device \Driver\atapi \Device\Ide\IdeDeviceP3T1L0-12 86D611E8
Device \Driver\NetBT \Device\NetBt_Wins_Export 861081E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{7594DFD6-938A-43DB-9319-4820CFCA989D} 861081E8
Device \Driver\NetBT \Device\NetbiosSmb 861081E8
AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys (COMODO Firewall Pro Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Udp 51a3f7fb.sys
AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys (COMODO Firewall Pro Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\RawIp 51a3f7fb.sys
Device \Driver\cmdhlp \Device\cmdhlp 51a3f7fb.sys
Device \Driver\usbuhci \Device\USBFDO-0 86B48790
Device \Driver\usbuhci \Device\USBFDO-1 86B48790
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 86100790
Device \Driver\cmdhlp \Device\CFPIpFlt 51a3f7fb.sys
Device \Driver\usbehci \Device\USBFDO-2 86B49790
Device \FileSystem\MRxSmb \Device\LanmanRedirector 86100790
Device \Driver\usbuhci \Device\USBFDO-3 86B48790
Device \Driver\usbuhci \Device\USBFDO-4 86B48790
Device \Driver\Ftdisk \Device\FtControl 86DD21E8
Device \Driver\usbuhci \Device\USBFDO-5 86B48790
Device \Driver\usbuhci \Device\USBFDO-6 86B48790
Device \Driver\usbehci \Device\USBFDO-7 86B49790
Device \Driver\ar8v8idd \Device\Scsi\ar8v8idd1 86A7A790
Device \Driver\ar8v8idd \Device\Scsi\ar8v8idd1 86995390
Device \Driver\ar8v8idd \Device\Scsi\ar8v8idd1Port6Path0Target0Lun0 86A7A790
Device \Driver\ar8v8idd \Device\Scsi\ar8v8idd1Port6Path0Target0Lun0 86995390
Device \FileSystem\Fastfat \Fat 869A71E8
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device \FileSystem\Cdfs \Cdfs 85FFE1E8
---- Services - GMER 1.0.14 ----
Service C:\WINDOWS\System32\drivers\51a3f7fb.sys (*** hidden *** ) [SYSTEM] 51a3f7fb <-- ROOTKIT !!!
---- Registry - GMER 1.0.14 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\51a3f7fb@ImagePath \SystemRoot\System32\drivers\51a3f7fb.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\51a3f7fb@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\51a3f7fb@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\51a3f7fb@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x7D 0xBD 0x65 0x92 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x66 0x61 0x94 0x49 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xBC 0xE6 0xAC 0xF6 ...
Reg HKLM\SYSTEM\ControlSet002\Services\51a3f7fb@ImagePath \SystemRoot\System32\drivers\51a3f7fb.sys
Reg HKLM\SYSTEM\ControlSet002\Services\51a3f7fb@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\51a3f7fb@Start 1
Reg HKLM\SYSTEM\ControlSet002\Services\51a3f7fb@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x7D 0xBD 0x65 0x92 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x66 0x61 0x94 0x49 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xBC 0xE6 0xAC 0xF6 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@appinit_dlls
---- EOF - GMER 1.0.14 ----
Yes, we indeed have a rootkit there.
Run gmer.exe
Click the tab called Processes and click the Safe... button. The computer will reboot and the Gmer screen will open.
Click Files... and browse to the following file:
C:\WINDOWS\System32\drivers\51a3f7fb.sys
Now click Delete
Now click the Services tab. Click the entries in red one by one with your right mouse button and click Delete... Answer Yes to all the warning windows.
When you've removed all the Service entries in red, reboot your computer.
Re-run gmer.
Post back a fresh gmer log.
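How a log like the one above is read: the verdict rests on one module, 51a3f7fb.sys, that hooks the SSDT with no vendor attribution, cannot be opened on disk, is attached to the TCP/IP device stack and is backed by a hidden service, while sptd.sys also hooks the SSDT without attribution and is only DAEMON Tools' driver. The Python below is an added example of that triage, not GMER's own code and not part of the thread; LOG is a constructed excerpt of the posted log, and the three verdict levels are this example's own scoring, not anything GMER reports.

```python
"""Triage of a GMER rootkit-scan log: which kernel modules hook the SSDT,
which carry no vendor attribution, and which are backed by a hidden service.
Added example, not GMER's code and not part of the thread. LOG is a constructed
excerpt of the posted log; the verdict levels are this example's own scoring."""
import re
from collections import defaultdict

LOG = r"""
---- System - GMER 1.0.14 ----
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwAdjustPrivilegesToken [0xAE2F2C8C]
SSDT \SystemRoot\System32\drivers\51a3f7fb.sys ZwCreateEvent [0xAE10623F]
SSDT \SystemRoot\System32\drivers\51a3f7fb.sys ZwCreateKey [0xAE104405]
SSDT sptd.sys ZwEnumerateKey [0xF7437FB2]
SSDT sptd.sys ZwQueryValueKey [0xF7438298]
SSDT \SystemRoot\System32\drivers\51a3f7fb.sys ZwOpenKey [0xAE1044B9]
---- Kernel code sections - GMER 1.0.14 ----
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
? System32\Drivers\ar8v8idd.SYS The system cannot find the file specified. !
? C:\WINDOWS\System32\drivers\51a3f7fb.sys The system cannot find the file specified.
---- Devices - GMER 1.0.14 ----
AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Firewall Pro Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Tcp 51a3f7fb.sys
AttachedDevice \Driver\Tcpip \Device\Udp 51a3f7fb.sys
---- Services - GMER 1.0.14 ----
Service C:\WINDOWS\System32\drivers\51a3f7fb.sys (*** hidden *** ) [SYSTEM] 51a3f7fb <-- ROOTKIT !!!
---- Registry - GMER 1.0.14 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\51a3f7fb@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
---- EOF - GMER 1.0.14 ----
"""

# GMER prints a "(description/vendor)" tag only for modules it can attribute.
SSDT_RE = re.compile(r"^SSDT (?P<module>\S+)(?: \((?P<vendor>[^)]*)\))? (?P<func>Zw\w+) \[0x[0-9A-F]+\]$")
MISSING_RE = re.compile(r"^\? (?P<path>\S+) The system cannot find the file specified\.")
ATTACHED_RE = re.compile(r"^AttachedDevice \\Driver\\Tcpip (?P<device>\S+) (?P<module>\S+)(?: \((?P<vendor>[^)]*)\))?")
HIDDEN_SVC_RE = re.compile(r"^Service (?P<path>\S+) \(\*\*\* hidden \*\*\* \) \[\w+\] (?P<name>\S+)")


def basename(path):
    # Module key: file name only, lower-cased, so the same driver referenced as
    # \SystemRoot\...\x.sys, C:\WINDOWS\...\x.sys or bare x.sys is one entry.
    return path.rsplit("\\", 1)[-1].lower()


def new_entry():
    return {"ssdt": [], "vendor": None, "missing_on_disk": False,
            "attached_tcpip": [], "hidden_service": None}


def parse_gmer(text):
    """Collect, per kernel module, the signals the triage below scores."""
    mods = defaultdict(new_entry)
    for line in text.splitlines():
        m = SSDT_RE.match(line)
        if m:
            e = mods[basename(m["module"])]
            e["ssdt"].append(m["func"])
            e["vendor"] = e["vendor"] or m["vendor"]
            continue
        m = MISSING_RE.match(line)
        if m:
            mods[basename(m["path"])]["missing_on_disk"] = True
            continue
        m = ATTACHED_RE.match(line)
        if m:
            e = mods[basename(m["module"])]
            e["attached_tcpip"].append(m["device"])
            e["vendor"] = e["vendor"] or m["vendor"]
            continue
        m = HIDDEN_SVC_RE.match(line)
        if m:
            mods[basename(m["path"])]["hidden_service"] = m["name"]
    return dict(mods)


def triage(mods):
    """A hidden service is conclusive on its own; every other signal only
    raises suspicion, because legitimate drivers (sptd.sys here) hook the
    SSDT too. Returns {module: (level, [reasons])}."""
    verdicts = {}
    for name, e in mods.items():
        reasons = []
        if e["hidden_service"]:
            reasons.append(f"hidden service '{e['hidden_service']}'")
        if e["ssdt"] and not e["vendor"]:
            reasons.append(f"{len(e['ssdt'])} SSDT hooks with no vendor attribution")
        if e["missing_on_disk"]:
            reasons.append("present in kernel but not found on disk")
        if e["attached_tcpip"] and not e["vendor"]:
            reasons.append("unattributed filter on " + ", ".join(e["attached_tcpip"]))
        if e["hidden_service"]:
            level = "ROOTKIT"
        elif len(reasons) >= 2:
            level = "SUSPICIOUS"
        elif reasons:
            level = "REVIEW"
        else:
            level = "OK"
        verdicts[name] = (level, reasons)
    return verdicts


if __name__ == "__main__":
    for mod, (level, reasons) in sorted(triage(parse_gmer(LOG)).items()):
        print(f"{level:10} {mod}  {'; '.join(reasons)}")
```

The scoring deliberately leaves sptd.sys and ar8v8idd.SYS at REVIEW rather than asserting anything about them: for sptd.sys the sptd\Cfg keys in the full log, which point at C:\Program Files\DAEMON Tools\, are what resolve it, and ar8v8idd.SYS is simply a driver GMER could not open. Only 51a3f7fb.sys accumulates all four signals, and the hidden service alone would have been enough.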
Okay, when I rebooted into safe mode under GMER, it rebooted my computer and then gave me the message:
File gmer.dll could not be found
I was only able to click an "okay" button. After that the GMER screen didn't open up like you said it would. It seems my computer booted normally.
Do you want me to continue with the process?
Try to re-download GMER and try again, please.
If no success, we will delete the rootkit by other means.