Rootkit virus? GMER Log


Recommended Posts

I think I have a rootkit virus, because I can't install any anti-virus program. Here is the GMER log:

I unchecked these:

* Sections

* IAT/EAT

* Drives/Partition other than Systemdrive (typically only C:\ should be checked)

* Show All (don't miss this one)

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-02 13:54:10
Windows 6.0.6002 Service Pack 2
Running: 4vhc6htp.exe; Driver: C:\Users\Tahveli\AppData\Local\Temp\uwldrfob.sys

---- System - GMER 1.0.15 ----

Code 85CEB130 ZwEnumerateKey
Code 864BD478 ZwFlushInstructionCache
Code 852867D5 IofCallDriver
Code 864F32BE IofCompleteRequest

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 84F15600
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Modules - GMER 1.0.15 ----

Module \systemroot\system32\drivers\_VOIDssinettpco.sys (*** hidden *** ) 823B7000-823D5000 (122880 bytes)

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [bOOT] qrzrtx <-- ROOTKIT !!!
Service C:\Windows\system32\drivers\_VOIDssinettpco.sys (*** hidden *** ) [sYSTEM] _VOIDd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\qrzrtx@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\qrzrtx@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\qrzrtx@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\qrzrtx@Group Boot Bus Extender
Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys@imagepath \systemroot\system32\drivers\_VOIDssinettpco.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys\modules@_VOIDd \\?\globalroot\systemroot\system32\drivers\_VOIDssinettpco.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys\modules@_VOIDc \\?\globalroot\systemroot\system32\_VOIDqrkpiivfvm.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys\modules@_VOIDsrcr \\?\globalroot\systemroot\system32\_VOIDryxcvbtbwh.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys\modules@_voidserf \\?\globalroot\systemroot\system32\_VOIDqpgxwpdwkn.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys\modules@_voidbbr \\?\globalroot\systemroot\system32\_VOIDarijntaiwr.dll
Reg HKLM\SYSTEM\ControlSet002\Services\qrzrtx@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\qrzrtx@Start 0
Reg HKLM\SYSTEM\ControlSet002\Services\qrzrtx@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\qrzrtx@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys@imagepath \systemroot\system32\drivers\_VOIDssinettpco.sys
Reg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys\modules@_VOIDd \\?\globalroot\systemroot\system32\drivers\_VOIDssinettpco.sys
Reg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys\modules@_VOIDc \\?\globalroot\systemroot\system32\_VOIDqrkpiivfvm.dll
Reg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys\modules@_VOIDsrcr \\?\globalroot\systemroot\system32\_VOIDryxcvbtbwh.dat
Reg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys\modules@_voidserf \\?\globalroot\systemroot\system32\_VOIDqpgxwpdwkn.dll
Reg HKLM\SYSTEM\ControlSet002\Services\_VOIDd.sys\modules@_voidbbr \\?\globalroot\systemroot\system32\_VOIDarijntaiwr.dll

---- Files - GMER 1.0.15 ----

File C:\ProgramData\_VOIDkrl32mainweq.dll 431 bytes
File C:\ProgramData\_VOIDmainqt.dll 10767 bytes
File C:\Users\Tahveli\AppData\Local\Temp\_VOID64ae.tmp 679936 bytes executable
File C:\Users\Tahveli\AppData\Local\Temp\_VOID99c2.tmp 79360 bytes executable
File C:\Users\Tahveli\AppData\Local\Temp\_VOIDe501.tmp 79360 bytes executable
File C:\Users\Tahveli\AppData\Local\Temp\_VOIDefab.tmp 79360 bytes executable
File C:\WINDOWS\System32\drivers\_VOIDssinettpco.sys 42496 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\System32\_VOIDarijntaiwr.dll 49152 bytes executable
File C:\WINDOWS\System32\_VOIDqpgxwpdwkn.dll 49152 bytes executable
File C:\WINDOWS\System32\_VOIDqrkpiivfvm.dll 28160 bytes executable
File C:\WINDOWS\System32\_VOIDryxcvbtbwh.dat 248 bytes

---- EOF - GMER 1.0.15 ----

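As an added example (not part of the thread, and not code from GMER or any other tool mentioned in it), the following Python script parses a GMER log in the layout quoted above and joins each hidden service to the ImagePath value the registry section gives it, so a responder can see at a glance which driver file a hidden boot- or system-start service loads. The embedded sample log is constructed from a few lines of the log above; the section and line patterns are my own reading of that layout.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the GMER log quoted above; the
# names and paths are taken from that log, the selection of lines is mine.
SAMPLE_LOG = r"""---- Modules - GMER 1.0.15 ----
Module \systemroot\system32\drivers\_VOIDssinettpco.sys (*** hidden *** ) 823B7000-823D5000 (122880 bytes)
---- Services - GMER 1.0.15 ----
Service (*** hidden *** ) [bOOT] qrzrtx <-- ROOTKIT !!!
Service C:\Windows\system32\drivers\_VOIDssinettpco.sys (*** hidden *** ) [sYSTEM] _VOIDd.sys <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\qrzrtx@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd.sys@imagepath \systemroot\system32\drivers\_VOIDssinettpco.sys
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\System32\drivers\_VOIDssinettpco.sys 42496 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\System32\_VOIDqrkpiivfvm.dll 28160 bytes executable
---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (\w+) - GMER")
# "Service [image path] (*** hidden *** ) [START GROUP] name ..."; the path is optional.
SERVICE_RE = re.compile(r"^Service\s+(?:(\S+)\s+)?\(\*\*\* hidden \*\*\* \)\s+\[(\w+)\]\s+(\S+)")
REG_RE = re.compile(r"^Reg\s+(\S+?)@(\w+)\s+(.*)$")       # Reg key@value data
FILE_RE = re.compile(r"^File\s+(.+?)\s+(\d+) bytes(.*)$")  # File path size [flags]


def parse_gmer(text):
    """Group the non-blank log lines under their '---- X - GMER' banner."""
    sections, current = defaultdict(list), "Header"
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        elif line.strip():
            sections[current].append(line.strip())
    return sections


def triage(text):
    """What a responder wants first: hidden services with their start group
    and the ImagePath the registry section records for them, hidden kernel
    modules, and files GMER itself tagged '<-- ROOTKIT'."""
    sections = parse_gmer(text)
    image_paths = {}
    for line in sections.get("Registry", []):
        m = REG_RE.match(line)
        if m and m.group(2).lower() == "imagepath":
            image_paths[m.group(1).rsplit("\\", 1)[-1]] = m.group(3)
    hidden_services = {}
    for line in sections.get("Services", []):
        m = SERVICE_RE.match(line)
        if m:  # image_path None: a start-0 service with no visible ImagePath is itself a tell
            hidden_services[m.group(3)] = {"start_group": m.group(2),
                                           "image_path": image_paths.get(m.group(3))}
    hidden_modules = [l.split()[1] for l in sections.get("Modules", []) if "*** hidden ***" in l]
    rootkit_files = [m.group(1) for m in map(FILE_RE.match, sections.get("Files", []))
                     if m and "<-- ROOTKIT" in m.group(3)]
    return {"hidden_services": hidden_services, "hidden_modules": hidden_modules,
            "rootkit_files": rootkit_files}
```

Run against the sample, `triage` reports `_VOIDd.sys` as a hidden SYSTEM-group service backed by `\systemroot\system32\drivers\_VOIDssinettpco.sys`, and `qrzrtx` as a hidden BOOT-group service with no ImagePath at all, which matches what the log above shows.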

The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous so we will make a backup of the registry first.

Modification of the registry can be EXTREMELY dangerous if you do not know exactly what you are doing, so follow the steps that are listed below EXACTLY. If you cannot perform some of these steps or if you have ANY questions, please ask BEFORE proceeding.

Backing Up Your Registry

  1. Go HERE and download ERUNT
    (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
  2. Install ERUNT by following the prompts
    (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
  3. Start ERUNT
    (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
  4. Choose a location for the backup
    (the default location is C:\WINDOWS\ERDNT which is acceptable).
  5. Make sure that at least the first two check boxes are ticked
  6. Press OK
  7. Press YES to create the folder.

For detailed instructions on how to back up the registry via ERUNT, please visit HERE

NEXT

Please download The Avenger by Swandog46 and unzip it to your Desktop

Please open The Avenger. Then, please copy/paste the script inside the codebox into the "Input script here:" box.

Begin copying here:
Drivers to disable:
_VOIDd.sys
qrzrtx

Drivers to delete:
_VOIDd.sys
qrzrtx

Files to delete:
C:\ProgramData\_VOIDkrl32mainweq.dll
C:\ProgramData\_VOIDmainqt.dll
C:\Users\Tahveli\AppData\Local\Temp\_VOID64ae.tmp
C:\Users\Tahveli\AppData\Local\Temp\_VOID99c2.tmp
C:\Users\Tahveli\AppData\Local\Temp\_VOIDe501.tmp
C:\Users\Tahveli\AppData\Local\Temp\_VOIDefab.tmp
C:\WINDOWS\System32\drivers\_VOIDssinettpco.sys
C:\WINDOWS\System32\_VOIDarijntaiwr.dll
C:\WINDOWS\System32\_VOIDqpgxwpdwkn.dll
C:\WINDOWS\System32\_VOIDqrkpiivfvm.dll
C:\WINDOWS\System32\_VOIDryxcvbtbwh.dat

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  • Now, click on Execute. Just say Yes at every prompt.

The Avenger will automatically do the following:

  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

Please copy/paste the content of c:\avenger.txt into your reply.

NEXT

Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it. Then do a "Perform Full Scan".

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


Here are those two logs. I think the computer is OK again. Thank you for the help.

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "_VOIDd.sys" found!
ImagePath: \systemroot\system32\drivers\_VOIDssinettpco.sys
Start Type: 4 (Disabled)

Rootkit scan completed.

Driver "_VOIDd.sys" disabled successfully.
Driver "qrzrtx" disabled successfully.
Driver "_VOIDd.sys" deleted successfully.
Driver "qrzrtx" deleted successfully.
File "C:\ProgramData\_VOIDkrl32mainweq.dll" deleted successfully.
File "C:\ProgramData\_VOIDmainqt.dll" deleted successfully.
File "C:\Users\Tahveli\AppData\Local\Temp\_VOID64ae.tmp" deleted successfully.

Error: file "C:\Users\Tahveli\AppData\Local\Temp\_VOID99c2.tmp" not found!
Deletion of file "C:\Users\Tahveli\AppData\Local\Temp\_VOID99c2.tmp" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\Users\Tahveli\AppData\Local\Temp\_VOIDe501.tmp" not found!
Deletion of file "C:\Users\Tahveli\AppData\Local\Temp\_VOIDe501.tmp" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\Users\Tahveli\AppData\Local\Temp\_VOIDefab.tmp" not found!
Deletion of file "C:\Users\Tahveli\AppData\Local\Temp\_VOIDefab.tmp" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\System32\drivers\_VOIDssinettpco.sys" deleted successfully.

Error: file "C:\WINDOWS\System32\_VOIDarijntaiwr.dll" not found!
Deletion of file "C:\WINDOWS\System32\_VOIDarijntaiwr.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\WINDOWS\System32\_VOIDqpgxwpdwkn.dll" not found!
Deletion of file "C:\WINDOWS\System32\_VOIDqpgxwpdwkn.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\System32\_VOIDqrkpiivfvm.dll" deleted successfully.
File "C:\WINDOWS\System32\_VOIDryxcvbtbwh.dat" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Malwarebytes' Anti-Malware 1.44
Database version: 3817
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18882

3.3.2010 12:14:04
mbam-log-2010-03-03 (12-13-35).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 342145
Time elapsed: 1 hour(s), 20 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 35

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\_VOID (Rootkit.TDSS) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\eventcreatexp.exe (Trojan.FakeAlert) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\RECYCLER\S-1-5-21-8806228316-8600496697-869613069-2165\wnzip32.exe.virus (Worm.Autorun.B) -> No action taken.
C:\RECYCLER\S-1-5-21-2335471337-8436583433-782960300-2668\wnzip32.exe.virus (Worm.Autorun.B) -> No action taken.
C:\RECYCLER\S-1-5-21-2777631734-1881011406-523014947-0921\wnzip32.exe.virus (Worm.Autorun.B) -> No action taken.
C:\RECYCLER\S-1-5-21-3459388385-5761693502-359333067-4707\wnzip32.exe.virus (Worm.Autorun.B) -> No action taken.
C:\RECYCLER\S-1-5-21-4755373852-8752629987-012609405-0152\wnzip32.exe.virus (Worm.Autorun.B) -> No action taken.
C:\RECYCLER\S-1-5-21-5583481520-5969284517-244593183-4911\wnzip32.exe.virus (Worm.Autorun.B) -> No action taken.
C:\RECYCLER\S-1-5-21-5996618969-0355608426-735437543-2713\wnzip32.exe.virus (Worm.Autorun.B) -> No action taken.
C:\RECYCLER\S-1-5-21-6306898602-7056389419-599277870-0113\wnzip32.exe.virus (Worm.Autorun.B) -> No action taken.
C:\RECYCLER\S-1-5-21-6325957841-9423828855-401561587-8203\wnzip32.exe.virus (Worm.Autorun.B) -> No action taken.
C:\RECYCLER\S-1-5-21-6354825658-1226292393-206634250-9664\wnzip32.exe.virus (Worm.Autorun.B) -> No action taken.
C:\RECYCLER\S-1-5-21-8466344444-1523322945-766782666-3789\wnzip32.exe.virus (Worm.Autorun.B) -> No action taken.
C:\RECYCLER\S-1-5-21-9895841366-5193280517-782355289-7528\wnzip32.exe.virus (Worm.Autorun.B) -> No action taken.
C:\RECYCLER\S-1-5-21-9970446075-9088742706-679981906-0741\wnzip32.exe.virus (Worm.Autorun.B) -> No action taken.
C:\Users\Tahveli\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7HX34WUK\ycpxe[2].htm.virus (Malware.Packer.Gen) -> No action taken.
C:\Users\Tahveli\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BGY9TBZP\loaderadv563[1].exe.virus (Malware.Packer.Gen) -> No action taken.
C:\Users\Tahveli\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BGY9TBZP\r64winnt[1].exe.virus (Malware.Packer.Gen) -> No action taken.
C:\Users\Tahveli\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BGY9TBZP\zqksqlje[1].htm.virus (Malware.Packer.Gen) -> No action taken.
C:\Users\Tahveli\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K3IFS99S\arzuoz[1].htm (Malware.Packer.Gen) -> No action taken.
C:\Users\Tahveli\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K3IFS99S\ysautnmg[1].htm.virus (Malware.Packer.Gen) -> No action taken.
C:\Users\Tahveli\AppData\Local\Temp\_VOID99c2.tmp.virus (Malware.Packer.Gen) -> No action taken.
C:\Users\Tahveli\AppData\Local\Temp\_VOIDe501.tmp.virus (Malware.Packer.Gen) -> No action taken.
C:\Users\Tahveli\AppData\Local\Temp\_VOIDefab.tmp.virus (Malware.Packer.Gen) -> No action taken.
C:\Users\Tahveli\AppData\Roaming\hety.exe (Trojan.Dropper) -> No action taken.
C:\WINDOWS\System32\_VOIDarijntaiwr.dll.virus (Malware.Packer.Gen) -> No action taken.
C:\WINDOWS\System32\_VOIDqpgxwpdwkn.dll.virus (Malware.Packer.Gen) -> No action taken.
C:\WINDOWS\System32\drivers\qrzrtx.sys.virus (Rootkit.Agent) -> No action taken.
C:\WINDOWS\Temp\E53E7FB.tmp.virus (Malware.Packer.Gen) -> No action taken.
C:\WINDOWS\Temp\EBBED68.tmp.virus (Malware.Packer.Gen) -> No action taken.
C:\WINDOWS\Temp\TMP22EB.tmp.virus (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\Temp\TMP73D3.tmp.virus (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\Temp\TMP81FF.tmp.virus (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\Temp\TMPA66B.tmp.virus (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\Temp\TMPC9FF.tmp.virus (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\Temp\TMPF7CC.tmp.virus (Trojan.FakeAlert) -> No action taken.
C:\ProgramData\mswintmp.dat (Malware.Trace) -> No action taken.
