Page 4 of 7 (posts 31 to 40 of 64)

Thread: ***3 types of Virtumonde***

  1. #31
    Member
    Join Date
    May 2008
    Posts
    42

    I think I am on the admin account. How do I switch?
    When I go to log off or switch users, it tells me there is only one account.
    Is there a better way to go to the admin account?

  2. #32
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Then it is the correct account.

    Please download SWWhoami from this page and save it somewhere you like.

    Launch Notepad, and copy/paste the box below into a new text file. Save it as Export.bat in the same folder where you saved SWWhoAmI.


    Code:
    rem Dump the current user's token (SID, groups, privileges) to output.txt
    SWWhoAmI > output.txt
    rem Append the local account list with admin flags, then open the result
    SWWhoAmI /listusers >> output.txt
    notepad output.txt

    Locate Export.bat in that folder and double-click on it. Notepad will open up with some text; please post that.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  3. #33
    Member
    Join Date
    May 2008
    Posts
    42

    How do I switch to admin?
    When I go to switch users there is only one account.

  4. #34
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    If you have only one account, it is most likely an account with admin rights.

    Please follow my previous instructions so that we can find out.

  5. #35
    Member
    Join Date
    May 2008
    Posts
    42

    Username: SLAVIK\Owner
    SID: S-1-5-21-1844237615-1220945662-682003330-1003
    Days since last password change: 101
    Privilege: 2 (USER_PRIV_ADMIN)
    Home directory:
    Comment: ''
    Flags: 513 (UF_SCRIPT, UF_NORMAL_ACCOUNT)
    Script path:
    Operator privilege: 0 ()
    Full name:
    User comment: ''
    Parms: ''
    Workstations:
    Last logon time: 08 September 2008 5:10:31 PM
    Last logoff time: unknown
    Account expires: never
    Maximum discspace: unlimited
    Units per week: 168
    Logonhours: 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF
    0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF
    0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF
    Bad password count: 0
    Total logins count: 266
    Logonserver: \\*
    Countrycode: 0
    Codepage: 0
    User ID: 1003
    Primary Group ID: 513
    Profile path:
    Home directory:
    Password is not expired

    Groups: ----------------------------------------------------------------------
    SLAVIK\None (S-1-5-21-1844237615-1220945662-682003330-513)
    Everyone (S-1-1-0)
    SLAVIK\Administrators (S-1-5-32-544)
    SLAVIK\Users (S-1-5-32-545)
    NT AUTHORITY\INTERACTIVE (S-1-5-4)
    NT AUTHORITY\Authenticated Users (S-1-5-11)
    <??> (S-1-5-5-0-85062)
    LOCAL (S-1-2-0)

    Privileges: ------------------------------------------------------------------
    (0) SeTakeOwnershipPrivilege = Take ownership of files or other objects
    (0) SeCreateTokenPrivilege = Create a token object
    (0) SeAssignPrimaryTokenPrivilege = Replace a process level token
    (0) SeLockMemoryPrivilege = Lock pages in memory
    (0) SeIncreaseQuotaPrivilege = Adjust memory quotas for a process
    (0) SeUnsolicitedInputPrivilege = SeUnsolicitedInputPrivilege
    (0) SeMachineAccountPrivilege = Add workstations to domain
    (0) SeTcbPrivilege = Act as part of the operating system
    (0) SeSecurityPrivilege = Manage auditing and security log
    (0) SeTakeOwnershipPrivilege = Take ownership of files or other objects
    (X) SeLoadDriverPrivilege = Load and unload device drivers
    (0) SeSystemProfilePrivilege = Profile system performance
    (0) SeSystemtimePrivilege = Change the system time
    (0) SeProfileSingleProcessPrivilege = Profile single process
    (0) SeIncreaseBasePriorityPrivilege = Increase scheduling priority
    (0) SeCreatePagefilePrivilege = Create a pagefile
    (0) SeCreatePermanentPrivilege = Create permanent shared objects
    (0) SeBackupPrivilege = Back up files and directories
    (0) SeRestorePrivilege = Restore files and directories
    (0) SeShutdownPrivilege = Shut down the system
    (0) SeDebugPrivilege = Debug programs
    (0) SeAuditPrivilege = Generate security audits
    (0) SeSystemEnvironmentPrivilege = Modify firmware environment values
    (X) SeChangeNotifyPrivilege = Bypass traverse checking
    (0) SeRemoteShutdownPrivilege = Force shutdown from a remote system
    (X) SeUndockPrivilege = Remove computer from docking station
    (0) SeSyncAgentPrivilege = Synchronize directory service data
    (0) SeEnableDelegationPrivilege = Enable computer and user accounts to be trusted for delegation
    (0) SeManageVolumePrivilege = Perform volume maintenance tasks
    (X) SeImpersonatePrivilege = Impersonate a client after authentication
    (X) SeCreateGlobalPrivilege = Create global objects

    Environment variables: -------------------------------------------------------
    ALLUSERSPROFILE=C:\Documents and Settings\All Users
    APPDATA=C:\Documents and Settings\Owner\Application Data
    CLIENTNAME=Console
    CommonProgramFiles=C:\Program Files\Common Files
    COMPUTERNAME=SLAVIK
    ComSpec=C:\WINDOWS\system32\cmd.exe
    FP_NO_HOST_CHECK=NO
    HOMEDRIVE=C:
    HOMEPATH=\Documents and Settings\Owner
    LOGONSERVER=\\SLAVIK
    NUMBER_OF_PROCESSORS=2
    OS=Windows_NT
    Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 6, GenuineIntel
    PROCESSOR_LEVEL=6
    PROCESSOR_REVISION=0f06
    ProgramFiles=C:\Program Files
    PROMPT=$P$G
    SESSIONNAME=Console
    SystemDrive=C:
    SystemRoot=C:\WINDOWS
    TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
    TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
    USERDOMAIN=SLAVIK
    USERNAME=Owner
    USERPROFILE=C:\Documents and Settings\Owner
    windir=C:\WINDOWS
    Users on this computer:
    Is Admin? | Username
    ------------------
    Yes | Administrator
    | ASPNET
    | Guest (Disabled)
    | HelpAssistant (Disabled)
    Yes | Owner
    | SUPPORT_388945a0 (Disabled)
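
The listing above settles the question from post #31 by token content rather than by the logon screen: the account is an administrator because its token carries BUILTIN\Administrators (S-1-5-32-544), and the "Is Admin?" column at the end shows the only other enabled admin account is the built-in Administrator. The marked privileges matter for what comes later in the thread: a token holding SeLoadDriverPrivilege can load kernel drivers, which is exactly what a kernel-mode rootkit needs at install time. The script below is an added example, not part of the thread and not SWWhoami's code; it parses an SWWhoami-style listing (a constructed excerpt of the output above is embedded) into SID, group, privilege and account tables and applies the well-known-SID check. It assumes the (X)/(0) markers mean enabled versus present-but-disabled privileges, which is an assumption about the tool's output format.

```python
"""Is this account an administrator? Decide it from the token an SWWhoami-style
listing prints, not from the logon screen (added example, not the tool itself)."""
import re

ADMINISTRATORS_SID = "S-1-5-32-544"   # BUILTIN\Administrators (well-known SID)
BUILTIN_ADMIN_RID = 500               # RID of the built-in Administrator account

# Constructed test input: abbreviated from the listing posted in the thread.
SAMPLE = r"""Username: SLAVIK\Owner
SID: S-1-5-21-1844237615-1220945662-682003330-1003
Privilege: 2 (USER_PRIV_ADMIN)
Flags: 513 (UF_SCRIPT, UF_NORMAL_ACCOUNT)

Groups: ----------------------------------------------------------------------
SLAVIK\None (S-1-5-21-1844237615-1220945662-682003330-513)
Everyone (S-1-1-0)
SLAVIK\Administrators (S-1-5-32-544)
SLAVIK\Users (S-1-5-32-545)
NT AUTHORITY\INTERACTIVE (S-1-5-4)
<??> (S-1-5-5-0-85062)

Privileges: ------------------------------------------------------------------
(0) SeTakeOwnershipPrivilege = Take ownership of files or other objects
(X) SeLoadDriverPrivilege = Load and unload device drivers
(0) SeDebugPrivilege = Debug programs
(X) SeChangeNotifyPrivilege = Bypass traverse checking

Environment variables: -------------------------------------------------------
USERNAME=Owner
Users on this computer:
Is Admin? | Username
------------------
Yes | Administrator
| ASPNET
| Guest (Disabled)
Yes | Owner
"""

SECTION_RE = re.compile(r"^([A-Za-z][\w ]*):\s*-{5,}\s*$")
GROUP_RE = re.compile(r"^(.*?)\s+\((S-1-[\d-]+)\)\s*$")
# Assumption about the tool's markers: (X) = privilege enabled in the token,
# (0) = held by the token but currently disabled.
PRIV_RE = re.compile(r"^\(([X0])\)\s+(Se\w+Privilege)\s+=")

def parse_whoami(text):
    info = {"fields": {}, "groups": {}, "privileges": {}, "accounts": {}}
    section = "header"
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("---"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        if line == "Users on this computer:":   # start of the /listusers table
            section = "users"
            continue
        if section == "header":
            key, _, value = line.partition(":")
            info["fields"][key.strip()] = value.strip()
        elif section == "groups":
            m = GROUP_RE.match(line)
            if m:   # name -> SID; the <??> entry is the per-logon session SID
                info["groups"][m.group(2)] = m.group(1)
        elif section == "privileges":
            m = PRIV_RE.match(line)
            if m:
                info["privileges"][m.group(2)] = m.group(1) == "X"
        elif section == "users" and "|" in line and not line.startswith("Is Admin"):
            flag, _, name = line.partition("|")
            name = name.strip()
            disabled = name.endswith("(Disabled)")
            info["accounts"][name.replace(" (Disabled)", "")] = {
                "admin": flag.strip().lower() == "yes", "disabled": disabled}
    return info

def admin_evidence(info):
    """Reasons the token is administrative, decided by well-known SIDs."""
    reasons = []
    sid = info["fields"].get("SID", "")
    if sid.startswith("S-1-5-21-") and sid.rsplit("-", 1)[-1] == str(BUILTIN_ADMIN_RID):
        reasons.append("RID 500: the built-in Administrator account")
    if ADMINISTRATORS_SID in info["groups"]:
        reasons.append("member of %s (%s)" % (info["groups"][ADMINISTRATORS_SID],
                                               ADMINISTRATORS_SID))
    return reasons

def is_admin(info):
    return bool(admin_evidence(info))

def enabled_privileges(info):
    return sorted(p for p, on in info["privileges"].items() if on)

def other_admin_accounts(info):
    """Enabled local accounts with admin rights other than the current user."""
    me = info["fields"].get("Username", "").rsplit("\\", 1)[-1]
    return sorted(n for n, a in info["accounts"].items()
                  if a["admin"] and not a["disabled"] and n != me)

if __name__ == "__main__":
    info = parse_whoami(SAMPLE)
    print("admin:", is_admin(info), admin_evidence(info))
    print("enabled privileges:", enabled_privileges(info))
    print("other admin accounts:", other_admin_accounts(info))
```

The check deliberately keys on SIDs rather than on the group name: the name "Administrators" is localised and can be renamed, while S-1-5-32-544 and RID 500 are fixed.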

  6. #36
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    That seems to be fine.

    Let's check this next:

    * Download GMER from here:
    Unzip it and start GMER.exe.
    Click the Rootkit tab and click Scan.

    Once done, click the Copy button.
    This will copy the results to the clipboard.
    Paste the results in your next reply.

  7. #37
    Member
    Join Date
    May 2008
    Posts
    42

    GMER 1.0.14.14536 - http://www.gmer.net
    Rootkit scan 2008-09-09 10:31:21
    Windows 5.1.2600 Service Pack 2


    ---- System - GMER 1.0.14 ----

    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwAdjustPrivilegesToken [0xAE2F2C8C]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwConnectPort [0xAE2F23C4]
    SSDT \SystemRoot\System32\drivers\51a3f7fb.sys ZwCreateEvent [0xAE10623F]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreateFile [0xAE2F28A0]
    SSDT \SystemRoot\System32\drivers\51a3f7fb.sys ZwCreateKey [0xAE104405]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreatePort [0xAE2F2080]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreateSection [0xAE2F4084]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreateSymbolicLinkObject [0xAE2F2E72]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreateThread [0xAE2F1C50]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwDeleteKey [0xAE2F30B8]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwDeleteValueKey [0xAE2F3268]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwDuplicateObject [0xAE2F1B02]
    SSDT sptd.sys ZwEnumerateKey [0xF7437FB2]
    SSDT sptd.sys ZwEnumerateValueKey [0xF7438340]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwLoadDriver [0xAE2F3D24]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwOpenFile [0xAE2F2AB0]
    SSDT \SystemRoot\System32\drivers\51a3f7fb.sys ZwOpenKey [0xAE1044B9]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwOpenProcess [0xAE2F1822]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwOpenSection [0xAE2F2744]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwOpenThread [0xAE2F19AA]
    SSDT sptd.sys ZwQueryKey [0xF7438418]
    SSDT sptd.sys ZwQueryValueKey [0xF7438298]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwRenameKey [0xAE2F37F2]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwRequestWaitReplyPort [0xAE2F2196]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwSecureConnectPort [0xAE2F3AE6]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwSetSystemInformation [0xAE2F3EC4]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwSetValueKey [0xAE2F3602]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwShutdownSystem [0xAE2F25D2]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwSystemDebugControl [0xAE2F2638]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwTerminateProcess [0xAE2F1F4A]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwTerminateThread [0xAE2F1E18]

    ---- Kernel code sections - GMER 1.0.14 ----

    ? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
    .text USBPORT.SYS!DllUnload F65E862C 5 Bytes JMP 86B7A770
    ? System32\Drivers\ar8v8idd.SYS The system cannot find the file specified. !
    ? C:\WINDOWS\System32\drivers\51a3f7fb.sys The system cannot find the file specified.

    ---- User code sections - GMER 1.0.14 ----

    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4384] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 42F0F301 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4384] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 430A1667 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4384] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 430A15E8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4384] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 430A162C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4384] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 430A1574 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4384] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 430A15AE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4384] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 430A16A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4384] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 42F316B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

    ---- Kernel IAT/EAT - GMER 1.0.14 ----

    IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7432AD4] sptd.sys
    IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F7432C1A] sptd.sys
    IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F7432B9C] sptd.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F7433748] sptd.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F743361E] sptd.sys
    IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F744829A] sptd.sys
    IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [F72A9710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [F72A9770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [F72A9990] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [F72A9950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F72A9950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F72A9770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F72A9710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F72A9990] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F72A9990] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F72A9950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F72A9770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F72A9710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F72A9950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F72A9710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F72A9770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F72A9990] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F72A9710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F72A9770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F72A9950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F72A9990] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F72A9950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F72A9770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F72A9710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F72A9950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F72A9990] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F72A9710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
    IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F72A9770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)

    ---- Devices - GMER 1.0.14 ----

    Device \FileSystem\Ntfs \Ntfs 51a3f7fb.sys
    Device \FileSystem\Ntfs \Ntfs 86D601E8
    Device \FileSystem\Fastfat \FatCdrom 869A71E8
    Device \FileSystem\Udfs \UdfsCdRom 861421E8
    Device \FileSystem\Udfs \UdfsDisk 861421E8

    AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys (COMODO Firewall Pro Helper Driver/COMODO)
    AttachedDevice \Driver\Tcpip \Device\Ip 51a3f7fb.sys

    Device \Driver\cmdhlp \Device\CFPTcpFlt 51a3f7fb.sys
    Device \Driver\usbuhci \Device\USBPDO-0 86B48790
    Device \Driver\usbuhci \Device\USBPDO-1 86B48790
    Device \Driver\usbehci \Device\USBPDO-2 86B49790
    Device \Driver\cmdhlp \Device\CFPRawFlt 51a3f7fb.sys
    Device \Driver\cmdhlp \Device\CFPUdpFlt 51a3f7fb.sys
    Device \Driver\usbuhci \Device\USBPDO-3 86B48790
    Device \Driver\usbuhci \Device\USBPDO-4 86B48790
    Device \Driver\PCI_NTPNP2514 \Device\00000048 sptd.sys

    AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Firewall Pro Helper Driver/COMODO)
    AttachedDevice \Driver\Tcpip \Device\Tcp 51a3f7fb.sys

    Device \Driver\usbuhci \Device\USBPDO-5 86B48790
    Device \Driver\usbuhci \Device\USBPDO-6 86B48790
    Device \Driver\Ftdisk \Device\HarddiskVolume1 86DD21E8
    Device \Driver\usbehci \Device\USBPDO-7 86B49790
    Device \Driver\Cdrom \Device\CdRom0 86ACA790
    Device \Driver\Cdrom \Device\CdRom1 86ACA790
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 86D611E8
    Device \Driver\atapi \Device\Ide\IdePort0 86D611E8
    Device \Driver\atapi \Device\Ide\IdePort1 86D611E8
    Device \Driver\atapi \Device\Ide\IdePort2 86D611E8
    Device \Driver\atapi \Device\Ide\IdePort3 86D611E8
    Device \Driver\atapi \Device\Ide\IdePort4 86D611E8
    Device \Driver\atapi \Device\Ide\IdePort5 86D611E8
    Device \Driver\atapi \Device\Ide\IdeDeviceP3T1L0-12 86D611E8
    Device \Driver\NetBT \Device\NetBt_Wins_Export 861081E8
    Device \Driver\NetBT \Device\NetBT_Tcpip_{7594DFD6-938A-43DB-9319-4820CFCA989D} 861081E8
    Device \Driver\NetBT \Device\NetbiosSmb 861081E8

    AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys (COMODO Firewall Pro Helper Driver/COMODO)
    AttachedDevice \Driver\Tcpip \Device\Udp 51a3f7fb.sys
    AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys (COMODO Firewall Pro Helper Driver/COMODO)
    AttachedDevice \Driver\Tcpip \Device\RawIp 51a3f7fb.sys

    Device \Driver\cmdhlp \Device\cmdhlp 51a3f7fb.sys
    Device \Driver\usbuhci \Device\USBFDO-0 86B48790
    Device \Driver\usbuhci \Device\USBFDO-1 86B48790
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 86100790
    Device \Driver\cmdhlp \Device\CFPIpFlt 51a3f7fb.sys
    Device \Driver\usbehci \Device\USBFDO-2 86B49790
    Device \FileSystem\MRxSmb \Device\LanmanRedirector 86100790
    Device \Driver\usbuhci \Device\USBFDO-3 86B48790
    Device \Driver\usbuhci \Device\USBFDO-4 86B48790
    Device \Driver\Ftdisk \Device\FtControl 86DD21E8
    Device \Driver\usbuhci \Device\USBFDO-5 86B48790
    Device \Driver\usbuhci \Device\USBFDO-6 86B48790
    Device \Driver\usbehci \Device\USBFDO-7 86B49790
    Device \Driver\ar8v8idd \Device\Scsi\ar8v8idd1 86A7A790
    Device \Driver\ar8v8idd \Device\Scsi\ar8v8idd1 86995390
    Device \Driver\ar8v8idd \Device\Scsi\ar8v8idd1Port6Path0Target0Lun0 86A7A790
    Device \Driver\ar8v8idd \Device\Scsi\ar8v8idd1Port6Path0Target0Lun0 86995390
    Device \FileSystem\Fastfat \Fat 869A71E8

    AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device \FileSystem\Cdfs \Cdfs 85FFE1E8

    ---- Services - GMER 1.0.14 ----

    Service C:\WINDOWS\System32\drivers\51a3f7fb.sys (*** hidden *** ) [SYSTEM] 51a3f7fb <-- ROOTKIT !!!

    ---- Registry - GMER 1.0.14 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\51a3f7fb@ImagePath \SystemRoot\System32\drivers\51a3f7fb.sys
    Reg HKLM\SYSTEM\CurrentControlSet\Services\51a3f7fb@Type 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\51a3f7fb@Start 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\51a3f7fb@ErrorControl 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x7D 0xBD 0x65 0x92 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x66 0x61 0x94 0x49 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xBC 0xE6 0xAC 0xF6 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\51a3f7fb@ImagePath \SystemRoot\System32\drivers\51a3f7fb.sys
    Reg HKLM\SYSTEM\ControlSet002\Services\51a3f7fb@Type 1
    Reg HKLM\SYSTEM\ControlSet002\Services\51a3f7fb@Start 1
    Reg HKLM\SYSTEM\ControlSet002\Services\51a3f7fb@ErrorControl 1
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x7D 0xBD 0x65 0x92 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x66 0x61 0x94 0x49 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xBC 0xE6 0xAC 0xF6 ...
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@appinit_dlls

    ---- EOF - GMER 1.0.14 ----
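
Read as a responder would, the log above has three SSDT hookers: cmdguard.sys, attributed by GMER to COMODO; sptd.sys, unattributed in the SSDT and IAT lines but tied by the registry section to C:\Program Files\DAEMON Tools\, whose SPTD layer is a known SSDT/IAT hooker rather than malware; and 51a3f7fb.sys, which hooks ZwCreateEvent, ZwCreateKey and ZwOpenKey, cannot be opened on disk ("The system cannot find the file specified") while still being the image of a service the service manager does not show, is attached to the Tcpip stack's Ip, Tcp, Udp and RawIp devices, and is registered in both CurrentControlSet and ControlSet002 with Type 1 (kernel driver) and Start 1 (system start). The registry hooks are how the service key stays hidden from normal tools, and the second control set is why removal has to cover more than one key. The script below is an added example, not GMER's code; it parses those line types from a constructed excerpt of the log above and produces that worklist: SSDT hookers without attribution plus, per hidden service, the file, the error GMER got reading it, its hooks, the devices it is attached to and the registry keys to delete.

```python
"""Triage of a GMER rootkit log: an added example, not GMER's own code.

Parses the SSDT, kernel-code-section, AttachedDevice, Service and Reg line
types GMER prints and turns them into a removal worklist for hidden services.
"""
import re
from collections import defaultdict

# Constructed test input: lines abbreviated from the log posted in the thread.
GMER_LOG = r"""
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwAdjustPrivilegesToken [0xAE2F2C8C]
SSDT \SystemRoot\System32\drivers\51a3f7fb.sys ZwCreateEvent [0xAE10623F]
SSDT \SystemRoot\System32\drivers\51a3f7fb.sys ZwCreateKey [0xAE104405]
SSDT sptd.sys ZwEnumerateKey [0xF7437FB2]
SSDT \SystemRoot\System32\drivers\51a3f7fb.sys ZwOpenKey [0xAE1044B9]
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
? C:\WINDOWS\System32\drivers\51a3f7fb.sys The system cannot find the file specified.
AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Firewall Pro Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Tcp 51a3f7fb.sys
AttachedDevice \Driver\Tcpip \Device\Udp 51a3f7fb.sys
Service C:\WINDOWS\System32\drivers\51a3f7fb.sys (*** hidden *** ) [SYSTEM] 51a3f7fb <-- ROOTKIT !!!
Reg HKLM\SYSTEM\CurrentControlSet\Services\51a3f7fb@ImagePath \SystemRoot\System32\drivers\51a3f7fb.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\51a3f7fb@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\51a3f7fb@Start 1
Reg HKLM\SYSTEM\ControlSet002\Services\51a3f7fb@ImagePath \SystemRoot\System32\drivers\51a3f7fb.sys
Reg HKLM\SYSTEM\ControlSet002\Services\51a3f7fb@Start 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
"""

SSDT_RE = re.compile(r"^SSDT\s+(\S+)(?:\s+\(([^)]*)\))?\s+(Zw\w+)\s+\[0x[0-9A-Fa-f]+\]")
UNREADABLE_RE = re.compile(r"^\?\s+(\S+)\s+(.+)$")
ATTACHED_RE = re.compile(r"^AttachedDevice\s+\S+\s+(\S+)\s+(\S+)")
HIDDEN_SVC_RE = re.compile(r"^Service\s+(\S+)\s+\(\*\*\* hidden \*\*\* \)\s+\[\w+\]\s+(\S+)")
REG_SVC_RE = re.compile(r"^Reg\s+(HKLM\\SYSTEM\\(\w+)\\Services\\([^\\@\s]+))@(\w+)\s+(.*)$")

# Meaning of the Start and Type values under HKLM\SYSTEM\...\Services\<name>.
START_TYPES = {"0": "BOOT_START", "1": "SYSTEM_START", "2": "AUTO_START",
               "3": "DEMAND_START", "4": "DISABLED"}
SERVICE_TYPES = {"1": "KERNEL_DRIVER", "2": "FILE_SYSTEM_DRIVER",
                 "16": "WIN32_OWN_PROCESS", "32": "WIN32_SHARE_PROCESS"}

def module_name(path):
    """Lower-cased basename, so an ImagePath and an on-disk path name the same driver."""
    return path.rsplit("\\", 1)[-1].lower()

def parse_gmer(text):
    hooks = defaultdict(set)        # module -> Zw* services it hooks in the SSDT
    vendor = {}                     # module -> GMER's attribution, "" if none
    unreadable = {}                 # module -> error GMER got reading the file
    attached = defaultdict(set)     # module -> devices it has attached to
    hidden = {}                     # hidden service name -> image path
    reg = defaultdict(dict)         # (control set, service) -> {value: data}
    for raw in text.splitlines():
        line = raw.strip()
        if m := SSDT_RE.match(line):
            mod = module_name(m.group(1))
            hooks[mod].add(m.group(3))
            vendor.setdefault(mod, m.group(2) or "")
        elif m := UNREADABLE_RE.match(line):
            unreadable[module_name(m.group(1))] = m.group(2)
        elif m := ATTACHED_RE.match(line):
            attached[module_name(m.group(2))].add(m.group(1))
        elif m := HIDDEN_SVC_RE.match(line):
            hidden[m.group(2)] = m.group(1)
        elif m := REG_SVC_RE.match(line):
            entry = reg[(m.group(2), m.group(3))]
            entry["_key"] = m.group(1)
            entry[m.group(4)] = m.group(5)
    return {"hooks": hooks, "vendor": vendor, "unreadable": unreadable,
            "attached": attached, "hidden": hidden, "reg": reg}

def triage(parsed):
    """Unattributed SSDT hookers, plus a removal worklist per hidden service."""
    unattributed = sorted(m for m in parsed["hooks"] if not parsed["vendor"][m])
    worklist = {}
    for name, image in parsed["hidden"].items():
        mod = module_name(image)
        config = {}
        for (cset, svc), values in parsed["reg"].items():
            if svc == name:     # one entry per control set the service is registered in
                config[cset] = {
                    "key": values["_key"],
                    "start": START_TYPES.get(values.get("Start"), values.get("Start")),
                    "type": SERVICE_TYPES.get(values.get("Type"), values.get("Type")),
                }
        worklist[name] = {
            "file": image,
            "file_error": parsed["unreadable"].get(mod),
            "hooks": sorted(parsed["hooks"].get(mod, ())),
            "attached_to": sorted(parsed["attached"].get(mod, ())),
            "registry_keys": sorted(c["key"] for c in config.values()),
            "config": config,
        }
    return {"unattributed_hookers": unattributed, "hidden_services": worklist}

if __name__ == "__main__":
    report = triage(parse_gmer(GMER_LOG))
    print("SSDT hookers without attribution:", report["unattributed_hookers"])
    for name, item in report["hidden_services"].items():
        print(f"hidden service {name}: delete {item['file']} ({item['file_error']})")
        print("  hooks:", item["hooks"], " attached to:", item["attached_to"])
        for cset, cfg in item["config"].items():
            print(f"  delete {cfg['key']}  (Type={cfg['type']}, Start={cfg['start']})")
```

The unattributed-hooker list is a lead, not a verdict: it surfaces sptd.sys as well as the rootkit, and it is the hidden-service evidence (service present in the registry, image missing from the file system, Start=1 so it loads before any user logs on) that turns 51a3f7fb.sys from a lead into a removal target.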

  8. #38
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Yes, we indeed have a rootkit there.

    Run gmer.exe.
    Click the tab called Processes and click the Safe... button. The computer will reboot and the GMER screen will open.
    Click Files... and browse to the following file:
    C:\WINDOWS\System32\drivers\51a3f7fb.sys
    Now click Delete.

    Now click the Services tab. Click the entries in red one by one with your right mouse button and click Delete... Answer Yes to all the warning windows.
    When you've removed all the Service entries in red, reboot your computer.

    Re-run GMER.

    Post back a fresh GMER log.

  9. #39
    Member
    Join Date
    May 2008
    Posts
    42

    Okay, when I rebooted into safe mode under GMER, it rebooted my computer and then gave me the message:
    File gmer.dll could not be found

    I was only able to click an "okay" button. After that the GMER screen didn't open up like you said it would. It seems my computer booted normally.

    Do you want me to continue with the process?

  10. #40
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Try to re-download GMER and try again, please.

    If no success, we will delete the rootkit by other means.
