
rootkit installed as legacy device



Hi there,

I got myself some kind of rootkit 2 days ago. SUPERAntiSpyware detected it as a rootkit, and some files were also tagged as a mundo variant.

I cleaned most of it with that program, but then my computer started crashing (acpi.sys error) about half of the time while booting up to Windows 7.

Suspecting some infection was left, I ran ComboFix and Malwarebytes Anti-Malware, and there is something left:

System32\Drivers\uffypnmr.sys, installed as a legacy driver in the registry.

The problem is, I can't erase the registry keys myself, and programs can't either... ComboFix says it's OK and deleted, but nothing changes afterwards.

You guys have more experience than me in this, so I'm asking for advice :)

Logs: OTL and Extras are in attachments.

GMER log:

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-05-18 11:27:25

Windows 6.1.7600

Running: bbr0zj51.exe; Driver: C:\Users\BLACKS~1\AppData\Local\Temp\pxldyuog.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0x8C022CDC]

SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0x8C022ECE]

SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateUserProcess [0x8C0230D6]

SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0x8C022982]

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C37AF8

INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C37104

INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C373F4

INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C202D8

INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C1F898

INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C371DC

INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C37958

INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C376F8

INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C37F2C

INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C381A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82C97579 1 Byte [06]

.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82CBBF52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

.text ntkrnlpa.exe!RtlSidHashLookup + 32C 82CC382C 8 Bytes [DC, 2C, 02, 8C, CE, 2E, 02, ...]

.text ntkrnlpa.exe!RtlSidHashLookup + 364 82CC3864 4 Bytes [D6, 30, 02, 8C]

.text ntkrnlpa.exe!RtlSidHashLookup + 7B8 82CC3CB8 4 Bytes [82, 29, 02, 8C]

? System32\Drivers\spla.sys The system cannot find the path specified. !

? System32\Drivers\uffypnmr.sys A device attached to the system is not functioning. !

.text USBPORT.SYS!DllUnload 9163ACA0 5 Bytes JMP 86F9C438

.text aoeecp57.SYS 916A7000 12 Bytes [44, 28, C2, 82, EE, 26, C2, ...]

.text aoeecp57.SYS 916A700D 9 Bytes [07, C2, 82, 48, 2B, C2, 82, ...] {POP ES; RET 0x4882; SUB EAX, EDX; ADD BYTE [EAX], 0x0}

.text aoeecp57.SYS 916A7017 20 Bytes [00, DE, 87, D0, 8B, E6, 85, ...]

.text aoeecp57.SYS 916A702C 149 Bytes [00, 00, 00, 00, D0, 21, C9, ...]

.text aoeecp57.SYS 916A70C3 8 Bytes [00, 00, 00, 00, 00, 00, 00, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL}

.text ...

.text peauth.sys A2011C9D 28 Bytes JMP F9FB137D

.text peauth.sys A2011CC1 28 Bytes JMP F9FB13A1

PAGE peauth.sys A2017E20 101 Bytes [49, 51, 7C, DB, BB, 44, 0C, ...]

PAGE peauth.sys A201802C 102 Bytes [D0, DE, FF, A0, 41, DF, 42, ...]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [8BC0C042] \SystemRoot\System32\Drivers\spla.sys

IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [8BC0C6D6] \SystemRoot\System32\Drivers\spla.sys

IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [8BC0C800] \SystemRoot\System32\Drivers\spla.sys

IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8BC0C13E] \SystemRoot\System32\Drivers\spla.sys

IAT \SystemRoot\System32\Drivers\aoeecp57.SYS[ataport.SYS!AtaPortNotification] 00147880

IAT \SystemRoot\System32\Drivers\aoeecp57.SYS[ataport.SYS!AtaPortQuerySystemTime] 78800C75

IAT \SystemRoot\System32\Drivers\aoeecp57.SYS[ataport.SYS!AtaPortReadPortUchar] 06750015

IAT \SystemRoot\System32\Drivers\aoeecp57.SYS[ataport.SYS!AtaPortStallExecution] C25DC033

IAT \SystemRoot\System32\Drivers\aoeecp57.SYS[ataport.SYS!AtaPortWritePortUchar] 458B0008

IAT \SystemRoot\System32\Drivers\aoeecp57.SYS[ataport.SYS!AtaPortWritePortUlong] 6A006A08

IAT \SystemRoot\System32\Drivers\aoeecp57.SYS[ataport.SYS!AtaPortGetPhysicalAddress] 50056A24

IAT \SystemRoot\System32\Drivers\aoeecp57.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] 005AB7E8

IAT \SystemRoot\System32\Drivers\aoeecp57.SYS[ataport.SYS!AtaPortGetScatterGatherList] 0001B800

IAT \SystemRoot\System32\Drivers\aoeecp57.SYS[ataport.SYS!AtaPortGetParentBusType] C25D0000

IAT \SystemRoot\System32\Drivers\aoeecp57.SYS[ataport.SYS!AtaPortRequestCallback] CCCC0008

IAT \SystemRoot\System32\Drivers\aoeecp57.SYS[ataport.SYS!AtaPortWritePortBufferUshort] CCCCCCCC

IAT \SystemRoot\System32\Drivers\aoeecp57.SYS[ataport.SYS!AtaPortGetUnCachedExtension] CCCCCCCC

IAT \SystemRoot\System32\Drivers\aoeecp57.SYS[ataport.SYS!AtaPortCompleteRequest] CCCCCCCC

IAT \SystemRoot\System32\Drivers\aoeecp57.SYS[ataport.SYS!AtaPortCopyMemory] 53EC8B55

IAT \SystemRoot\System32\Drivers\aoeecp57.SYS[ataport.SYS!AtaPortEtwTraceLog] 800C5D8B

IAT \SystemRoot\System32\Drivers\aoeecp57.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] 7500117B

IAT \SystemRoot\System32\Drivers\aoeecp57.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 127B806A

IAT \SystemRoot\System32\Drivers\aoeecp57.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] 80647500

IAT \SystemRoot\System32\Drivers\aoeecp57.SYS[ataport.SYS!AtaPortReadPortBufferUshort] 7500137B

IAT \SystemRoot\System32\Drivers\aoeecp57.SYS[ataport.SYS!AtaPortInitialize] 157B805E

IAT \SystemRoot\System32\Drivers\aoeecp57.SYS[ataport.SYS!AtaPortGetDeviceBase] 56587500

IAT \SystemRoot\System32\Drivers\aoeecp57.SYS[ataport.SYS!AtaPortDeviceStateChange] 8008758B

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Spyware Doctor\pctsSvc.exe[2648] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!CreateThread] [0044BB58] C:\Program Files\Spyware Doctor\pctsSvc.exe (PC Tools Security Service/PC Tools)

IAT C:\Program Files\Spyware Doctor\pctsSvc.exe[2648] @ C:\Windows\system32\shell32.dll [KERNEL32.dll!QueueUserWorkItem] [0044BD5C] C:\Program Files\Spyware Doctor\pctsSvc.exe (PC Tools Security Service/PC Tools)

IAT C:\Program Files\Spyware Doctor\pctsSvc.exe[2648] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread] [0044BB58] C:\Program Files\Spyware Doctor\pctsSvc.exe (PC Tools Security Service/PC Tools)

IAT C:\Program Files\Spyware Doctor\pctsSvc.exe[2648] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!QueueUserWorkItem] [0044BD5C] C:\Program Files\Spyware Doctor\pctsSvc.exe (PC Tools Security Service/PC Tools)

IAT C:\Program Files\Spyware Doctor\pctsTray.exe[2780] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!CreateThread] [0044B82C] C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools Tray Application/PC Tools)

IAT C:\Program Files\Spyware Doctor\pctsTray.exe[2780] @ C:\Windows\system32\shell32.dll [KERNEL32.dll!QueueUserWorkItem] [0044BA30] C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools Tray Application/PC Tools)

IAT C:\Program Files\Spyware Doctor\pctsTray.exe[2780] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread] [0044B82C] C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools Tray Application/PC Tools)

IAT C:\Program Files\Spyware Doctor\pctsTray.exe[2780] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!QueueUserWorkItem] [0044BA30] C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools Tray Application/PC Tools)

IAT C:\Windows\system32\rundll32.exe[3396] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [750A5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

IAT C:\Windows\system32\rundll32.exe[3396] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [750A5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

IAT C:\Windows\system32\rundll32.exe[3396] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [750A5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

IAT C:\Windows\system32\rundll32.exe[3396] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [750A5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3432] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [750A5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3432] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [750A5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3432] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [750A5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3432] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [750A5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3432] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [750A5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3432] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [750A5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3432] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [750A5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 86A4BDE8

Device \FileSystem\Ntfs \Ntfs 866031F8

Device \Driver\volmgr \Device\VolMgrControl 859621F8

Device \Driver\usbohci \Device\USBPDO-0 86FA4500

Device \Driver\ACPI_HAL \Device\00000051 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

Device \Driver\NetBT \Device\NetBT_Tcpip_{D2CA37C7-BA30-4C17-9280-2D84366BC115} 86D3E500

Device \Driver\usbohci \Device\USBPDO-1 86FA4500

Device \Driver\usbehci \Device\USBPDO-2 86F7F1F8

Device \Driver\usbohci \Device\USBPDO-3 86FA4500

Device \Driver\usbohci \Device\USBPDO-4 86FA4500

Device \Driver\usbehci \Device\USBPDO-5 86F7F1F8

Device \Driver\usbohci \Device\USBPDO-6 86FA4500

Device \Driver\volmgr \Device\HarddiskVolume1 859621F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\volmgr \Device\HarddiskVolume2 859621F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\cdrom \Device\CdRom0 86BEE1F8

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 866001F8

Device \Driver\atapi \Device\Ide\IdePort0 866001F8

Device \Driver\atapi \Device\Ide\IdePort1 866001F8

Device \Driver\atapi \Device\Ide\IdePort2 866001F8

Device \Driver\atapi \Device\Ide\IdePort3 866001F8

Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-4 866001F8

Device \Driver\cdrom \Device\CdRom1 86BEE1F8

Device \Driver\sptd \Device\3341023901 spla.sys

Device \Driver\NetBT \Device\NetBt_Wins_Export 86D3E500

Device \Driver\PCI_PNP9893 \Device\0000005a spla.sys

Device \Driver\usbohci \Device\USBFDO-0 86FA4500

Device \Driver\usbohci \Device\USBFDO-1 86FA4500

Device \Driver\usbehci \Device\USBFDO-2 86F7F1F8

Device \Driver\usbohci \Device\USBFDO-3 86FA4500

Device \Driver\usbohci \Device\USBFDO-4 86FA4500

Device \Driver\usbehci \Device\USBFDO-5 86F7F1F8

Device \Driver\usbohci \Device\USBFDO-6 86FA4500

Device \Driver\aoeecp57 \Device\Scsi\aoeecp571Port5Path0Target0Lun0 86DE9500

Device \Driver\mv61xx \Device\Scsi\mv61xx1Port0Path0Target14Lun0 866011F8

Device \Driver\mv61xx \Device\Scsi\mv61xx1 866011F8

Device \Driver\aoeecp57 \Device\Scsi\aoeecp571 86DE9500

Device \FileSystem\cdfs \Cdfs 86CE81F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x0B 0x74 0x65 0x52 ...

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x0A 0xB8 0x61 0xBC ...

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x0B 0xEF 0x0B 0x08 ...

Reg HKLM\SYSTEM\CurrentControlSet\services\uffypnmr@Type 1

Reg HKLM\SYSTEM\CurrentControlSet\services\uffypnmr@Start 0

Reg HKLM\SYSTEM\CurrentControlSet\services\uffypnmr@ErrorControl 0

Reg HKLM\SYSTEM\CurrentControlSet\services\uffypnmr@Group Boot Bus Extender

Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\

Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...

Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0

Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x0B 0x74 0x65 0x52 ...

Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x0A 0xB8 0x61 0xBC ...

Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xAE 0x22 0xD7 0x74 ...

Reg HKLM\SYSTEM\ControlSet002\services\uffypnmr@Type 1

Reg HKLM\SYSTEM\ControlSet002\services\uffypnmr@Start 0

Reg HKLM\SYSTEM\ControlSet002\services\uffypnmr@ErrorControl 0

Reg HKLM\SYSTEM\ControlSet002\services\uffypnmr@Group Boot Bus Extender

---- EOF - GMER 1.0.15 ----

Extras.Txt

OTL.Txt


Hello,

And :) My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.

-----------------------------------------------------------

If you have already posted a log, please do so again, as your situation may have changed.

Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:

  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the otlDesktopIcon.png icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the runscanbutton.png button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

-------------------------------------------------------------

In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply

  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)


Thanks.

The description of the problem is in the first post.

You can also find the GMER logs in the first post if needed.

And when I scan with Malwarebytes, it still detects this:

Files Infected:

C:\Windows\system32\Drivers\uffypnmr.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

but cannot clean it.

In my registry I can find uffypnmr as a legacy device, and I cannot modify or delete the entries, even in safe mode.

OTL.Txt

Extras.Txt


In that case, let's proceed with another ComboFix run (I know you ran it already, but I need to see an updated log). Be sure to delete any old copies first.

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Query_RC.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC_successful.gif

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Lets see if it will get recreated after this.

One question: your log shows you are connecting to the internet using a French proxy server. Can you confirm this?

CF-SCRIPT

-------------

We need to execute a CF-script.

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:

Driver::
uffypnmr

Rootkit::
C:\Windows\system32\Drivers\uffypnmr.sys

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Hello again,

ROOTREPEAL

-------------

We need to check for rootkits with RootRepeal

  1. Download RootRepeal from the following location and save it to your desktop.
     • Zip Mirrors
     • Rar Mirrors - Only if you know what a RAR is and can extract it.
  2. Open rootRepealDesktopIcon.png on your desktop.
  3. Click the reportTab.png tab.
  4. Click the btnScan.png button.
  5. Check all seven boxes: checkBoxes2.png
  6. Push Ok
  7. Check the box for your main system drive (Usually C:), and press Ok.
  8. Allow RootRepeal to run a scan of your system. This may take some time.
  9. Once the scan completes, push the saveReport.png button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


In that case lets take an alternative approach.

Please download OTLPE (filesize 120,9 MB)

  • When downloaded double click on OTLPENet.exe and make sure there is a blank CD in your CD drive. This will automatically create a bootable CD.
  • Reboot your system using the boot CD you just created.
    Note : If you do not know how to set your computer to boot from CD follow the steps here
  • Your system should now display a REATOGO-X-PE desktop.
  • Depending on your type of internet connection, you should be able to get online as well so you can access this topic more easily.
  • Double-click on the OTLPE icon.
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start.
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system
  • Please post the contents of the OTL.txt file in your reply.


Something went wrong with that scan. While I look into that, I first need to see another combofix run, but now with CD emulators disabled (which will be done by Defogger).

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.

  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

After disabling these drivers, please rerun ComboFix and post me the log.


Hello again,

That is looking a lot better, well done :)

Let's do some housekeeping now!

P2P WARNING

-------------------

Going over your logs I noticed that you have uTorrent installed.

  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a sm


I am glad to hear that :)

Let's do one last scan to double-check.

ESET ONLINE SCANNER

----------------------------

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the esetOnline.png button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    1. Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.

    3. Check esetAcceptTerms.png
    4. Click the esetStart.png button.
    5. Accept any security warnings from your browser.
    6. Check esetScanArchives.png
    7. Push the Start button.
    8. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    9. When the scan completes, push esetListThreats.png
    10. Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
      Note - when ESET doesn't find any threats, no report will be created.
    11. Push the esetBack.png button.
    12. Push esetFinish.png


Hi blackouzz, that is good news, if you don't have any problem left, you are good to go :D

ALL CLEAN

--------------

Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :D

Please do the following to remove the remaining programs from your PC:

  • Delete the tools used during the disinfection:
    • Click start > run and type combofix /uninstall, press enter. This will remove Combofix from your computer.
    • Delete DDS, GMER (this is a randomly named file) and OTL.

Please read these advices, in order to prevent reinfecting your PC:

  1. Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use, but provide resident protection and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for the MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file.

  2. Keep Windows (and your other Microsoft software) up to date!

I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

  3. Keep your other software up to date as well

Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.

  4. Stay up to date!

The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.

Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.


This topic is now closed to further replies.