Thread: virtumondo on my laptop!

  1. #11
    Junior Member
    Join Date
    Nov 2008
    Posts
    8

    Hey again! Sorry for the stupid question, but what is a rootkit? What does it do?

    Here is the gmer log:


    GMER 1.0.14.14536 - http://www.gmer.net
    Rootkit scan 2008-11-25 17:35:40
    Windows 5.1.2600 Service Pack 3


    ---- System - GMER 1.0.14 ----

    SSDT \SystemRoot\System32\Drivers\aswsp.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB6BEB604]
    SSDT 8A359480 ZwConnectPort
    SSDT \SystemRoot\System32\drivers\77fec496.sys ZwCreateEvent [0xB6BDBC3F] <-- ROOTKIT !!!
    SSDT \SystemRoot\System32\drivers\77fec496.sys ZwCreateKey [0xB6BD9E05] <-- ROOTKIT !!!
    SSDT \SystemRoot\System32\Drivers\aswsp.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB6BEB99E]
    SSDT \SystemRoot\System32\Drivers\aswsp.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB6BEB098]
    SSDT spms.sys ZwEnumerateKey [0xBA6C6CA2] <-- ROOTKIT !!!
    SSDT spms.sys ZwEnumerateValueKey [0xBA6C7030] <-- ROOTKIT !!!
    SSDT \SystemRoot\System32\drivers\77fec496.sys ZwOpenKey [0xB6BD9EB9] <-- ROOTKIT !!!
    SSDT \SystemRoot\System32\Drivers\aswsp.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB6BEAFD8]
    SSDT \SystemRoot\System32\Drivers\aswsp.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB6BEB03C]
    SSDT spms.sys ZwQueryKey [0xBA6C7108] <-- ROOTKIT !!!
    SSDT \SystemRoot\System32\Drivers\aswsp.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB6BEB6BA]
    SSDT \SystemRoot\System32\Drivers\aswsp.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB6BEB67A]
    SSDT \SystemRoot\System32\Drivers\aswsp.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB6BEB7FA]

    INT 0x62 ? 8A5D0BF8
    INT 0x74 ? 8A33CBF8
    INT 0x82 ? 8A5D0BF8
    INT 0x84 ? 8A33CBF8
    INT 0x94 ? 8A33CBF8

    ---- Kernel code sections - GMER 1.0.14 ----

    ? spms.sys Systemet finner ikke angitt fil. !
    .text USBPORT.SYS!DllUnload B98EA8AC 5 Bytes JMP 8A33C1D8
    .text ag93zoy3.SYS B97A2384 1 Byte [ 20 ]
    .text ag93zoy3.SYS B97A2386 35 Bytes [ 00, 68, 00, 00, 00, 00, 00, ... ]
    .text ag93zoy3.SYS B97A23AA 24 Bytes [ 00, 00, 20, 00, 00, E0, 00, ... ]
    .text ag93zoy3.SYS B97A23C4 3 Bytes [ 00, 00, 00 ]
    .text ag93zoy3.SYS B97A23C9 1 Byte [ 00 ]
    .text ...
    ? C:\WINDOWS\System32\drivers\77fec496.sys Systemet finner ikke angitt fil.

    ---- Kernel IAT/EAT - GMER 1.0.14 ----

    IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BA6A9040] spms.sys
    IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [BA6A913C] spms.sys
    IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [BA6A90BE] spms.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [BA6A97FC] spms.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [BA6A96D2] spms.sys
    IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [BA6B9048] spms.sys
    IAT \SystemRoot\System32\Drivers\ag93zoy3.SYS[HAL.dll!KfAcquireSpinLock] 000000AD
    IAT \SystemRoot\System32\Drivers\ag93zoy3.SYS[HAL.dll!READ_PORT_UCHAR] 000000D4
    IAT \SystemRoot\System32\Drivers\ag93zoy3.SYS[HAL.dll!KeGetCurrentIrql] 000000A2
    IAT \SystemRoot\System32\Drivers\ag93zoy3.SYS[HAL.dll!KfRaiseIrql] 000000AF
    IAT \SystemRoot\System32\Drivers\ag93zoy3.SYS[HAL.dll!KfLowerIrql] 0000009C
    IAT \SystemRoot\System32\Drivers\ag93zoy3.SYS[HAL.dll!HalGetInterruptVector] 000000A4
    IAT \SystemRoot\System32\Drivers\ag93zoy3.SYS[HAL.dll!HalTranslateBusAddress] 00000072
    IAT \SystemRoot\System32\Drivers\ag93zoy3.SYS[HAL.dll!KeStallExecutionProcessor] 000000C0
    IAT \SystemRoot\System32\Drivers\ag93zoy3.SYS[HAL.dll!KfReleaseSpinLock] 000000B7
    IAT \SystemRoot\System32\Drivers\ag93zoy3.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 000000FD
    IAT \SystemRoot\System32\Drivers\ag93zoy3.SYS[HAL.dll!READ_PORT_USHORT] 00000093
    IAT \SystemRoot\System32\Drivers\ag93zoy3.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 00000026
    IAT \SystemRoot\System32\Drivers\ag93zoy3.SYS[HAL.dll!WRITE_PORT_UCHAR] 00000036
    IAT \SystemRoot\System32\Drivers\ag93zoy3.SYS[WMILIB.SYS!WmiSystemControl] 000000F7
    IAT \SystemRoot\System32\Drivers\ag93zoy3.SYS[WMILIB.SYS!WmiCompleteRequest] 000000CC

    ---- User IAT/EAT - GMER 1.0.14 ----

    IAT C:\WINDOWS\system32\services.exe[1052] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002
    IAT C:\WINDOWS\system32\services.exe[1052] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000

    ---- Devices - GMER 1.0.14 ----

    Device \FileSystem\Ntfs \Ntfs 77fec496.sys
    Device \FileSystem\Ntfs \Ntfs 8A5CF1F8

    AttachedDevice \FileSystem\Ntfs \Ntfs aswmon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
    AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

    Device \FileSystem\Udfs \UdfsCdRom 87A2E1F8
    Device \FileSystem\Udfs \UdfsDisk 87A2E1F8
    Device \Driver\NetBT \Device\NetBT_Tcpip_{CE66B457-1F2E-49B3-9998-811FEFA1686B} 8A19D3B8

    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip 77fec496.sys
    AttachedDevice \Driver\Tcpip \Device\Ip aswrdr.SYS (avast! TDI RDR Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\Ip aswtdi.SYS (avast! TDI Filter Driver/ALWIL Software)

    Device \Driver\NetBT \Device\NetBT_Tcpip_{B58B4655-3807-46B9-B069-AC59900A6DDD} 8A19D3B8

    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

    Device \Driver\usbuhci \Device\USBPDO-0 8A33B500
    Device \Driver\usbuhci \Device\USBPDO-1 8A33B500
    Device \Driver\usbuhci \Device\USBPDO-2 8A33B500
    Device \Driver\usbuhci \Device\USBPDO-3 8A33B500
    Device \Driver\usbehci \Device\USBPDO-4 8A30B500

    AttachedDevice \Driver\Tcpip \Device\Tcp aswtdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp 77fec496.sys
    AttachedDevice \Driver\Tcpip \Device\Tcp aswrdr.SYS (avast! TDI RDR Driver/ALWIL Software)

    Device \Driver\Ftdisk \Device\HarddiskVolume1 8A5601F8
    Device \Driver\Cdrom \Device\CdRom0 8A2B61F8
    Device \Driver\Cdrom \Device\CdRom1 8A2B61F8
    Device \Driver\PCI_PNP4550 \Device\00000066 spms.sys
    Device \Driver\NetBT \Device\NetBT_Tcpip_{E33E4100-FB16-4859-9688-1212FBC404BA} 8A19D3B8
    Device \Driver\NetBT \Device\NetBt_Wins_Export 8A19D3B8
    Device \Driver\NetBT \Device\NetbiosSmb 8A19D3B8

    AttachedDevice \Driver\Tcpip \Device\Udp aswtdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Udp 77fec496.sys
    AttachedDevice \Driver\Tcpip \Device\Udp aswrdr.SYS (avast! TDI RDR Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\RawIp aswtdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp 77fec496.sys

    Device \Driver\usbuhci \Device\USBFDO-0 8A33B500
    Device \Driver\usbuhci \Device\USBFDO-1 8A33B500
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8937B500
    Device \Driver\SYMTDI \Device\SymTDI 77fec496.sys
    Device \Driver\usbuhci \Device\USBFDO-2 8A33B500
    Device \FileSystem\MRxSmb \Device\LanmanRedirector 8937B500
    Device \Driver\usbuhci \Device\USBFDO-3 8A33B500
    Device \Driver\sptd \Device\4049795800 spms.sys
    Device \Driver\usbehci \Device\USBFDO-4 8A30B500
    Device \Driver\Ftdisk \Device\FtControl 8A5601F8
    Device \Driver\ag93zoy3 \Device\Scsi\ag93zoy31 8A2AD1F8
    Device \Driver\ag93zoy3 \Device\Scsi\ag93zoy31Port2Path0Target0Lun0 8A2AD1F8
    Device \FileSystem\Cdfs \Cdfs 8A15A1F8
    Device \FileSystem\Cdfs \Cdfs B5010BCE

    ---- Services - GMER 1.0.14 ----

    Service C:\WINDOWS\System32\drivers\77fec496.sys (*** hidden *** ) [SYSTEM] 77fec496 <-- ROOTKIT !!!

    ---- Registry - GMER 1.0.14 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\77fec496@ImagePath \SystemRoot\System32\drivers\77fec496.sys
    Reg HKLM\SYSTEM\CurrentControlSet\Services\77fec496@Type 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\77fec496@Start 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\77fec496@ErrorControl 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Programfiler\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xC8 0xDD 0x83 0xA1 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xE7 0x93 0x69 0xE6 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x73 0xFD 0xA0 0x67 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Programfiler\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xC8 0xDD 0x83 0xA1 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xE7 0x93 0x69 0xE6 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x3D 0x50 0xF0 0x4F ...
    Reg HKLM\SYSTEM\ControlSet003\Services\77fec496@ImagePath \SystemRoot\System32\drivers\77fec496.sys
    Reg HKLM\SYSTEM\ControlSet003\Services\77fec496@Type 1
    Reg HKLM\SYSTEM\ControlSet003\Services\77fec496@Start 1
    Reg HKLM\SYSTEM\ControlSet003\Services\77fec496@ErrorControl 1
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Programfiler\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xC8 0xDD 0x83 0xA1 ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xE7 0x93 0x69 0xE6 ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x73 0xFD 0xA0 0x67 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version
    Reg HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version@Version 0x34 0x7E 0x09 0x20 ...

    ---- Files - GMER 1.0.14 ----

    File C:\Programfiler\Alwil Software\Avast4\DATA\aswAr.run 0 bytes

    ---- EOF - GMER 1.0.14 ----
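    The log above is easier to reason about once its entries are grouped per kernel module. The following is an added example written for this page (my code, not GMER's and not the forum's): a Python triage parser that reads GMER's SSDT, kernel-code-section, Devices, Services and Registry lines, groups them per driver file, and separates three cases that the raw log mixes together: a module GMER could attribute to a vendor (aswsp.SYS), an unattributed module that also has a hidden service and no file on disk (77fec496.sys), and an unattributed self-hiding module that the Devices section ties to the sptd driver object and through it to the DAEMON Tools Lite configuration under Services\sptd\Cfg (spms.sys). The verdict labels, the Module fields and the service-linking rules are my assumptions; the sample log is a constructed subset of the lines quoted in this post.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed subset of the GMER log quoted in post #11, lines copied verbatim.
SAMPLE_LOG = r"""GMER 1.0.14.14536 - http://www.gmer.net
---- System - GMER 1.0.14 ----
SSDT \SystemRoot\System32\Drivers\aswsp.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB6BEB604]
SSDT 8A359480 ZwConnectPort
SSDT \SystemRoot\System32\drivers\77fec496.sys ZwCreateEvent [0xB6BDBC3F] <-- ROOTKIT !!!
SSDT spms.sys ZwEnumerateKey [0xBA6C6CA2] <-- ROOTKIT !!!
---- Kernel code sections - GMER 1.0.14 ----
? spms.sys Systemet finner ikke angitt fil. !
? C:\WINDOWS\System32\drivers\77fec496.sys Systemet finner ikke angitt fil.
---- Devices - GMER 1.0.14 ----
AttachedDevice \Driver\Tcpip \Device\Tcp 77fec496.sys
Device \Driver\sptd \Device\4049795800 spms.sys
---- Services - GMER 1.0.14 ----
Service C:\WINDOWS\System32\drivers\77fec496.sys (*** hidden *** ) [SYSTEM] 77fec496 <-- ROOTKIT !!!
---- Registry - GMER 1.0.14 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\77fec496@ImagePath \SystemRoot\System32\drivers\77fec496.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\77fec496@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Programfiler\DAEMON Tools Lite\
"""

@dataclass
class Module:
    name: str                      # lower-cased file name, e.g. "77fec496.sys"
    vendor: str = ""               # product/vendor text GMER printed in parentheses, if any
    flagged_hooks: set = field(default_factory=set)   # SSDT entries GMER marked "<-- ROOTKIT !!!"
    missing_on_disk: bool = False  # loaded in the kernel, but GMER's file lookup failed ("? ..." lines)
    hidden_service: bool = False   # listed under Services as "*** hidden ***"
    attached_to: set = field(default_factory=set)     # device stacks it filters (AttachedDevice lines)
    driver_objects: set = field(default_factory=set)  # names of \Driver\<name> objects it owns (Device lines)
    services: set = field(default_factory=set)        # service names linked to this module

VENDOR = r"(?:\s+\((?P<vendor>[^)]*)\))?"
SSDT_RE = re.compile(r"^SSDT\s+(?P<mod>\S+)" + VENDOR + r"\s+(?P<func>Zw\w+)(?:\s+\[0x[0-9A-F]+\])?(?P<flag>\s+<-- ROOTKIT !!!)?$")
MISSING_RE = re.compile(r"^\?\s+(?P<mod>\S+)\s+")
DEVICE_RE = re.compile(r"^(?P<kind>Device|AttachedDevice)\s+(?P<driver>\S+)\s+(?P<dev>\S+)\s+(?P<owner>\S+)" + VENDOR)
SERVICE_RE = re.compile(r"^Service\s+(?P<path>\S+)\s+\(\*\*\* hidden \*\*\* \)\s+\[\w+\]\s+(?P<svc>\S+)")
REG_RE = re.compile(r"^Reg\s+HKLM\\SYSTEM\\\S*?\\Services\\(?P<svc>[^\\@\s]+)(?P<rest>\S*)\s*(?P<val>.*)$")

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def parse_gmer(text: str) -> tuple[dict[str, Module], dict[str, dict[str, str]]]:
    modules: dict[str, Module] = {}
    services: dict[str, dict[str, str]] = {}   # service name -> {"@Value" or "\Subkey@Value": data}

    def mod(path: str) -> Module:
        return modules.setdefault(basename(path), Module(basename(path)))

    for line in (ln.strip() for ln in text.splitlines()):
        if (m := SSDT_RE.match(line)) and m["mod"].lower().endswith(".sys"):  # drops bare-address entries
            entry = mod(m["mod"])
            entry.vendor = entry.vendor or (m["vendor"] or "")
            if m["flag"]:
                entry.flagged_hooks.add(m["func"])
        elif (m := MISSING_RE.match(line)) and m["mod"].lower().endswith(".sys"):
            mod(m["mod"]).missing_on_disk = True
        elif (m := DEVICE_RE.match(line)) and m["owner"].lower().endswith(".sys"):
            entry = mod(m["owner"])
            entry.vendor = entry.vendor or (m["vendor"] or "")
            if m["kind"] == "Device":
                entry.driver_objects.add(basename(m["driver"]))
            else:
                entry.attached_to.add(m["dev"])
        elif m := SERVICE_RE.match(line):
            entry = mod(m["path"])
            entry.hidden_service = True
            entry.services.add(m["svc"])
        elif m := REG_RE.match(line):
            services.setdefault(m["svc"], {})[m["rest"]] = m["val"]

    # Tie service keys to modules by ImagePath, by name, or by an owned \Driver\<name> object (the last rule connects spms.sys to sptd and its p0 product path).
    for svc, values in services.items():
        for entry in modules.values():
            if (svc.lower() in entry.driver_objects or svc.lower() == entry.name[:-4]
                    or basename(values.get("@ImagePath", "")) == entry.name):
                entry.services.add(svc)
    return modules, services

def triage(entry: Module) -> str:
    if entry.hidden_service:
        return "HIGH"        # hidden from the service manager and hooking the SSDT: the classic rootkit shape
    if entry.vendor:
        return "ATTRIBUTED"  # GMER resolved a vendor; post #13's log shows even the avast! hooks get flagged
    if entry.missing_on_disk or entry.flagged_hooks:
        return "REVIEW"      # unattributed and self-hiding: look at which service/product it links to first
    return "LOW"

def report(text: str) -> dict[str, dict]:
    modules, services = parse_gmer(text)
    return {name: {"verdict": triage(m), "vendor": m.vendor, "flagged_hooks": sorted(m.flagged_hooks),
                   "missing_on_disk": m.missing_on_disk, "hidden_service": m.hidden_service,
                   "attached_to": sorted(m.attached_to),
                   "services": {s: services.get(s, {}) for s in sorted(m.services)}}
            for name, m in sorted(modules.items())}

if __name__ == "__main__":
    for name, f in report(SAMPLE_LOG).items():
        print(f"{f['verdict']:<10} {name:<14} flagged={f['flagged_hooks']} services={list(f['services'])}")
```

    Run against the full log, the same grouping shows why the helper in the next post goes after 77fec496.sys and leaves the avast!, Symantec and sptd entries alone: only 77fec496.sys combines an unattributed SSDT hook, a file the kernel has loaded but the file system cannot find, a hidden service, and a filter attached to the TCP/IP device stack.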

  2. #12
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Here is something about rootkits.

    Run gmer.exe
    Click the tab called Processes and click the Safe... button. The computer will reboot and the Gmer screen will open.
    Click Files... and browse to the following file:
    C:\WINDOWS\System32\drivers\77fec496.sys
    Now click Delete

    Now click the Services tab. Click the entries in red one by one with your right mouse button and click Delete... Answer Yes to all the warning windows.
    When you've removed all the Service entries in red, reboot your computer.

    Re-run gmer and post back a fresh gmer log, please.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  3. #13
    Junior Member
    Join Date
    Nov 2008
    Posts
    8

    Okay, I did what you said. But I got an error message when I restarted in gmer safe mode, and gmer did not open automatically. Still, I started it manually and removed the file from the "files" list. There was only one red line under "services"; it was the same 77fec file. This one could not be deleted, I just got an error message. Here is the new log:

    GMER 1.0.14.14536 - http://www.gmer.net
    Rootkit scan 2008-11-25 23:45:10
    Windows 5.1.2600 Service Pack 3


    ---- System - GMER 1.0.14 ----

    SSDT \SystemRoot\System32\Drivers\aswsp.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB6C73604] <-- ROOTKIT !!!
    SSDT 8A3CA468 ZwConnectPort
    SSDT \SystemRoot\System32\drivers\77fec496.sys ZwCreateEvent [0xB6C3BC3F] <-- ROOTKIT !!!
    SSDT \SystemRoot\System32\drivers\77fec496.sys ZwCreateKey [0xB6C39E05] <-- ROOTKIT !!!
    SSDT \SystemRoot\System32\Drivers\aswsp.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB6C7399E] <-- ROOTKIT !!!
    SSDT \SystemRoot\System32\Drivers\aswsp.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB6C73098] <-- ROOTKIT !!!
    SSDT spic.sys ZwEnumerateKey [0xBA6C6CA2] <-- ROOTKIT !!!
    SSDT spic.sys ZwEnumerateValueKey [0xBA6C7030] <-- ROOTKIT !!!
    SSDT \SystemRoot\System32\drivers\77fec496.sys ZwOpenKey [0xB6C39EB9] <-- ROOTKIT !!!
    SSDT \SystemRoot\System32\Drivers\aswsp.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB6C72FD8] <-- ROOTKIT !!!
    SSDT \SystemRoot\System32\Drivers\aswsp.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB6C7303C] <-- ROOTKIT !!!
    SSDT spic.sys ZwQueryKey [0xBA6C7108] <-- ROOTKIT !!!
    SSDT \SystemRoot\System32\Drivers\aswsp.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB6C736BA] <-- ROOTKIT !!!
    SSDT \SystemRoot\System32\Drivers\aswsp.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB6C7367A] <-- ROOTKIT !!!
    SSDT \SystemRoot\System32\Drivers\aswsp.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB6C737FA] <-- ROOTKIT !!!

    INT 0x62 ? 8A5D0BF8
    INT 0x74 ? 8A328BF8
    INT 0x82 ? 8A5D0BF8
    INT 0x84 ? 8A328BF8
    INT 0x94 ? 8A328BF8

    ---- Kernel code sections - GMER 1.0.14 ----

    ? spic.sys Systemet finner ikke angitt fil. !
    .text USBPORT.SYS!DllUnload B99358AC 5 Bytes JMP 8A3281D8
    .text akzy6l73.SYS B97ED384 1 Byte [ 20 ]
    .text akzy6l73.SYS B97ED386 35 Bytes [ 00, 68, 00, 00, 00, 00, 00, ... ]
    .text akzy6l73.SYS B97ED3AA 24 Bytes [ 00, 00, 20, 00, 00, E0, 00, ... ]
    .text akzy6l73.SYS B97ED3C4 3 Bytes [ 00, 00, 00 ]
    .text akzy6l73.SYS B97ED3C9 1 Byte [ 00 ]
    .text ...
    ? C:\WINDOWS\System32\drivers\77fec496.sys Systemet finner ikke angitt fil.

    ---- Kernel IAT/EAT - GMER 1.0.14 ----

    IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BA6A9040] spic.sys
    IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [BA6A913C] spic.sys
    IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [BA6A90BE] spic.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [BA6A97FC] spic.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [BA6A96D2] spic.sys
    IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [BA6B9048] spic.sys
    IAT \SystemRoot\System32\Drivers\akzy6l73.SYS[HAL.dll!KfAcquireSpinLock] 000000AD
    IAT \SystemRoot\System32\Drivers\akzy6l73.SYS[HAL.dll!READ_PORT_UCHAR] 000000D4
    IAT \SystemRoot\System32\Drivers\akzy6l73.SYS[HAL.dll!KeGetCurrentIrql] 000000A2
    IAT \SystemRoot\System32\Drivers\akzy6l73.SYS[HAL.dll!KfRaiseIrql] 000000AF
    IAT \SystemRoot\System32\Drivers\akzy6l73.SYS[HAL.dll!KfLowerIrql] 0000009C
    IAT \SystemRoot\System32\Drivers\akzy6l73.SYS[HAL.dll!HalGetInterruptVector] 000000A4
    IAT \SystemRoot\System32\Drivers\akzy6l73.SYS[HAL.dll!HalTranslateBusAddress] 00000072
    IAT \SystemRoot\System32\Drivers\akzy6l73.SYS[HAL.dll!KeStallExecutionProcessor] 000000C0
    IAT \SystemRoot\System32\Drivers\akzy6l73.SYS[HAL.dll!KfReleaseSpinLock] 000000B7
    IAT \SystemRoot\System32\Drivers\akzy6l73.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 000000FD
    IAT \SystemRoot\System32\Drivers\akzy6l73.SYS[HAL.dll!READ_PORT_USHORT] 00000093
    IAT \SystemRoot\System32\Drivers\akzy6l73.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 00000026
    IAT \SystemRoot\System32\Drivers\akzy6l73.SYS[HAL.dll!WRITE_PORT_UCHAR] 00000036
    IAT \SystemRoot\System32\Drivers\akzy6l73.SYS[WMILIB.SYS!WmiSystemControl] 000000F7
    IAT \SystemRoot\System32\Drivers\akzy6l73.SYS[WMILIB.SYS!WmiCompleteRequest] 000000CC

    ---- User IAT/EAT - GMER 1.0.14 ----

    IAT C:\WINDOWS\system32\services.exe[1080] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002
    IAT C:\WINDOWS\system32\services.exe[1080] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000

    ---- Devices - GMER 1.0.14 ----

    Device \FileSystem\Ntfs \Ntfs 77fec496.sys
    Device \FileSystem\Ntfs \Ntfs 8A5CF1F8

    AttachedDevice \FileSystem\Ntfs \Ntfs aswmon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
    AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

    Device \FileSystem\Udfs \UdfsCdRom 87B8C500
    Device \FileSystem\Udfs \UdfsDisk 87B8C500
    Device \Driver\NetBT \Device\NetBT_Tcpip_{CE66B457-1F2E-49B3-9998-811FEFA1686B} 8A34B500

    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip 77fec496.sys
    AttachedDevice \Driver\Tcpip \Device\Ip aswrdr.SYS (avast! TDI RDR Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\Ip aswtdi.SYS (avast! TDI Filter Driver/ALWIL Software)

    Device \Driver\NetBT \Device\NetBT_Tcpip_{B58B4655-3807-46B9-B069-AC59900A6DDD} 8A34B500

    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

    Device \Driver\usbuhci \Device\USBPDO-0 8A3251F8
    Device \Driver\usbuhci \Device\USBPDO-1 8A3251F8
    Device \Driver\sptd \Device\491496408 spic.sys
    Device \Driver\usbuhci \Device\USBPDO-2 8A3251F8
    Device \Driver\usbuhci \Device\USBPDO-3 8A3251F8
    Device \Driver\usbehci \Device\USBPDO-4 8A2F61F8

    AttachedDevice \Driver\Tcpip \Device\Tcp aswtdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp 77fec496.sys
    AttachedDevice \Driver\Tcpip \Device\Tcp aswrdr.SYS (avast! TDI RDR Driver/ALWIL Software)

    Device \Driver\Ftdisk \Device\HarddiskVolume1 8A5601F8
    Device \Driver\Cdrom \Device\CdRom0 8A2511F8
    Device \Driver\Cdrom \Device\CdRom1 8A2511F8
    Device \Driver\NetBT \Device\NetBT_Tcpip_{E33E4100-FB16-4859-9688-1212FBC404BA} 8A34B500
    Device \Driver\PCI_PNP5158 \Device\00000067 spic.sys
    Device \Driver\NetBT \Device\NetBt_Wins_Export 8A34B500
    Device \Driver\NetBT \Device\NetbiosSmb 8A34B500

    AttachedDevice \Driver\Tcpip \Device\Udp aswtdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Udp 77fec496.sys
    AttachedDevice \Driver\Tcpip \Device\Udp aswrdr.SYS (avast! TDI RDR Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\RawIp aswtdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp 77fec496.sys

    Device \Driver\usbuhci \Device\USBFDO-0 8A3251F8
    Device \Driver\usbuhci \Device\USBFDO-1 8A3251F8
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A1431F8
    Device \Driver\SYMTDI \Device\SymTDI 77fec496.sys
    Device \Driver\usbuhci \Device\USBFDO-2 8A3251F8
    Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A1431F8
    Device \Driver\usbuhci \Device\USBFDO-3 8A3251F8
    Device \Driver\usbehci \Device\USBFDO-4 8A2F61F8
    Device \Driver\Ftdisk \Device\FtControl 8A5601F8
    Device \Driver\akzy6l73 \Device\Scsi\akzy6l731Port2Path0Target0Lun0 8A241500
    Device \Driver\akzy6l73 \Device\Scsi\akzy6l731 8A241500
    Device \FileSystem\Cdfs \Cdfs 8A16F500
    Device \FileSystem\Cdfs \Cdfs B5D5EBCE

    ---- Services - GMER 1.0.14 ----

    Service C:\WINDOWS\System32\drivers\77fec496.sys (*** hidden *** ) [SYSTEM] 77fec496 <-- ROOTKIT !!!

    ---- Registry - GMER 1.0.14 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\77fec496@ImagePath \SystemRoot\System32\drivers\77fec496.sys
    Reg HKLM\SYSTEM\CurrentControlSet\Services\77fec496@Type 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\77fec496@Start 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\77fec496@ErrorControl 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Programfiler\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xC8 0xDD 0x83 0xA1 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xE7 0x93 0x69 0xE6 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x73 0xFD 0xA0 0x67 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Programfiler\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xC8 0xDD 0x83 0xA1 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xE7 0x93 0x69 0xE6 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x3D 0x50 0xF0 0x4F ...
    Reg HKLM\SYSTEM\ControlSet003\Services\77fec496@ImagePath \SystemRoot\System32\drivers\77fec496.sys
    Reg HKLM\SYSTEM\ControlSet003\Services\77fec496@Type 1
    Reg HKLM\SYSTEM\ControlSet003\Services\77fec496@Start 1
    Reg HKLM\SYSTEM\ControlSet003\Services\77fec496@ErrorControl 1
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Programfiler\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xC8 0xDD 0x83 0xA1 ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xE7 0x93 0x69 0xE6 ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x73 0xFD 0xA0 0x67 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version
    Reg HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version@Version 0x34 0x7E 0x09 0x20 ...

    ---- EOF - GMER 1.0.14 ----

  4. #14
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Yes that is what I was afraid of.

    I recommend that you next back up your most important data on the hard drive (documents, pictures and so on) because removal can be difficult and cause system malfunctioning.

    After that:

    Download Avenger by Swandog and unzip it to your Desktop.

    Note: This program must be run from an account with Administrator privileges.

    • Open the Avenger folder and double click Avenger.exe to launch the program.
    • Copy the text in the code box below and Paste it into the Input script here: box.

    Code:
    Files to delete:
    C:\WINDOWS\System32\drivers\77fec496.sys

    Drivers to delete:
    77fec496

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    • Ensure the following:
      • Scan for Rootkits is checked.
      • Automatically disable any rootkits found is Unchecked.
    • Press the Execute key.
    • Avenger will now process the script you've pasted (this may involve more than one re-boot), when finished it will produce a log file.
    • Post the log back here please. (it can also be found at C:\avenger.txt)

  5. #15
    Junior Member
    Join Date
    Nov 2008
    Posts
    8

    I see. How big is the risk of losing anything? I'll probably get some DVDs and make backup files later. I'll try Avenger after that.

  6. #16
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Well, I have heard that sometimes removal attempts of this infection might end up with a computer which doesn't boot properly.

  7. #17
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Due to the lack of feedback this Topic is closed.

    If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

    If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

    Everyone else please begin a New Topic.