backdoor.bot + trojan + spyware

After GMER scanned, it said there was some modification due to rootkit activity?

It is too long to post... can I send it as an attachment?
 
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-09 00:17:16
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\Mary\AppData\Local\Temp\pxldypob.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Processes - GMER 1.0.15 ----

Library C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{0A823FCE-A66C-45AF-A468-B62ED9C87656}\mpengine.dll (*** hidden *** ) @ C:\Windows\System32\svchost.exe [928] 0x68AA0000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\Connections@ClassManagers {B4C8DF59-D16F-4042-80B7-3557A254B7C5}?{BA126AD3-2166-11D1-B1D0-00805FC1270E}?{BA126AD5-2166-11D1-B1D0-00805FC1270E}?{BA126ADD-2166-11D1-B1D0-00805FC1270E}?{BA126AE0-2166-11D1-B1D0-00805FC1270E}?
Reg HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg@Description Registry Server
Reg HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedExactPaths
Reg HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedExactPaths@Machine System\CurrentControlSet\Control\ProductOptions?System\CurrentControlSet\Control\Server Applications?Software\Microsoft\Windows NT\CurrentVersion?
Reg HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths
Reg HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths@Machine System\CurrentControlSet\Control\Print\Printers?System\CurrentControlSet\Services\Eventlog?Software\Microsoft\OLAP Server?Software\Microsoft\Windows NT\CurrentVersion\Print?Software\Microsoft\Windows NT\CurrentVersion\Windows?System\CurrentControlSet\Control\ContentIndex?System\CurrentControlSet\Control\Terminal Server?System\CurrentControlSet\Control\Terminal Server\UserConfig?System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration?Software\Microsoft\Windows NT\CurrentVersion\Perflib?System\CurrentControlSet\Services\SysmonLog?
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger@Status 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Audio
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Audio@GUID {15BC788A-6A38-4D79-8773-B53FDFB84D79}
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Audio@MaxFileSize 5
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Audio@LogFileMode 32770
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Audio@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Audio@ClockType 2
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Audio@FileName %SystemRoot%\System32\LogFiles\Audio\AudioSrv.Evm
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Audio@FileMax 1
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Audio@Status 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Audio\{E27950EB-1768-451F-96AC-CC4E14F6D3D0}
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Audio\{E27950EB-1768-451F-96AC-CC4E14F6D3D0}@Enabled 1
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Audio\{E27950EB-1768-451F-96AC-CC4E14F6D3D0}@MatchAnyKeyword 0xFF 0xFF 0xFF 0x7F ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Audio\{E27950EB-1768-451F-96AC-CC4E14F6D3D0}@EnableLevel 4
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Circular Kernel Context Logger
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Circular Kernel Context Logger@BufferSize 64
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Circular Kernel Context Logger@GUID {54dea73a-ed1f-42a4-af71-3e63d056f174}
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Circular Kernel Context Logger@LogFileMode 1152
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Circular Kernel Context Logger@MaximumBuffers 64
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Circular Kernel Context Logger@MinimumBuffers 64
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Circular Kernel Context Logger@Status 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Circular Kernel Context Logger@EnableKernelFlags 0x0F 0x23 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Circular Kernel Context Logger@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DiagLog
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DiagLog@BufferSize 16
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DiagLog@FlushTimer 1
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DiagLog@GUID {08b524eb-a2bf-47eb-aef1-dbd871741d7a}
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DiagLog@LogFileMode 384
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DiagLog@MaximumBuffers 22
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DiagLog@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DiagLog@Status 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application@BufferSize 64
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application@MinimumBuffers 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application@MaximumBuffers 64
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application@FlushTimer 1
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application@Age 1
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application@LogFileMode 16777600
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application@ClockType 2
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application@Guid {639eade2-9051-5ddc-d208-b51afd9e984b}
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application@OwningChannel Application
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application@Status
 
Sorry, there is no way I can copy and paste. The section above is like 1/100 of what's in the log...

Please let me know...
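A triage script for GMER output, added here as an example and not part of this thread or of GMER itself: it parses the Devices and Processes sections in the format shown above, flags libraries GMER marks as hidden, and ranks a hidden module loaded from a user-writable path above one under a system path. The sample log, the vendor allowlist and the path heuristic are constructed assumptions for the example.

```python
import re

# Constructed sample in GMER's text format; the last Library line is invented to exercise the Temp rule.
SAMPLE_LOG = r"""
---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Processes - GMER 1.0.15 ----

Library C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{GUID}\mpengine.dll (*** hidden *** ) @ C:\Windows\System32\svchost.exe [928] 0x68AA0000
Library C:\Users\Mary\AppData\Local\Temp\example.dll (*** hidden *** ) @ C:\Windows\explorer.exe [1404] 0x10000000
"""

# Analyst's allowlist of driver vendors already expected on this machine (an assumption, not GMER's).
TRUSTED_VENDORS = {"Microsoft Corporation", "AVG Technologies CZ, s.r.o."}

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
DEVICE_RE = re.compile(r"^AttachedDevice\s+\S+\s+(?P<device>\S+)\s+(?P<file>\S+)\s+\([^/]*/(?P<vendor>[^)]*)\)$")
LIBRARY_RE = re.compile(r"^Library\s+(?P<path>.+?)\s+\((?P<flags>[^)]*)\)\s+@\s+(?P<proc>.+?)\s+\[(?P<pid>\d+)\]")

def parse_gmer(text: str) -> list[dict]:
    """Walk a GMER log, track the '---- X ----' section, classify entries: info / review / high."""
    findings, section = [], "?"
    for line in (l.strip() for l in text.splitlines()):
        if m := SECTION_RE.match(line):
            section = m.group("name")
        elif m := DEVICE_RE.match(line):
            sev = "info" if m.group("vendor") in TRUSTED_VENDORS else "review"
            findings.append({"section": section, "kind": "AttachedDevice", "severity": sev,
                             "detail": f"{m.group('file')} filters {m.group('device')} ({m.group('vendor')})"})
        elif m := LIBRARY_RE.match(line):
            path, low = m.group("path"), m.group("path").lower()
            if "hidden" not in m.group("flags"):
                sev = "info"
            elif "\\temp\\" in low or "\\appdata\\" in low:
                sev = "high"    # hidden module loaded from a user-writable location
            else:
                sev = "review"  # hidden but under a system path: confirm against vendor signatures
            findings.append({"section": section, "kind": "Library", "severity": sev,
                             "detail": f"{path} in {m.group('proc')} [{m.group('pid')}]"})
    return findings

def severity_counts(findings: list[dict]) -> dict[str, int]:
    """Summarise a parsed log so the 'high' items can be read first."""
    counts = {"info": 0, "review": 0, "high": 0}
    for f in findings:
        counts[f["severity"]] += 1
    return counts
```

Feed the full GMER text file to `parse_gmer` and sort on severity; the items marked "review" still need a manual check of the file's digital signature before anything is removed.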
 
Rootkits wouldn't be detected by the standard anti-malware/AV. So based on the GMER log I would use the machine as little as possible. Yes, you can send the log as an attachment or email it to me (echoreply(at)hotmaildot(com)),
either way. In any case it will involve another download for the rootkit activity. In fact I haven't seen the log, but you may as well download and run TDSSKiller.
Good advice for rootkit activity is to reformat/reinstall Windows. The rootkit was the cause of the redirects, but they can easily have other functions.

TDSSKiller:

Download TDSSKiller to your desktop and extract the files to your desktop. After extraction it should appear as a folder called tdsskiller on your desktop. Inside the folder are the tdsskiller.exe and the EULA. Drag/move the tdsskiller file from the folder on the desktop to the Local Disk (C:).

Run as an administrator with UAC disabled.

Go to Start > Run and copy/paste what's below.
To get Run you might switch to the classic view: right-click on the taskbar at the bottom > Properties > Start Menu tab > select Classic menu > click Apply, OK.
Copy/paste it in Run, then click the OK button:

"c:\TDSSKiller.exe" -l tdsskiller.txt

A window will open; press any key to continue, and if prompted please reboot your computer. It will generate a tdsskiller .txt file in your root C: (Local Disk). Please post the .txt file.


How to disable UAC in Vista:
Disable UAC in Vista
 
This thread has been closed due to inactivity.

As it has been four days or more since your last post, it will not be re-opened.

If you still require help, please start a new topic and include a new HijackThis log with a link to your previous thread.

Please do not add any logs that might have been requested previously, you would be starting fresh.

Applies only to the original poster, anyone else with similar problems please start your own topic.


Thank you shelf life.
 