Thread: I got a bug...

  1. #1
    Here is the GMER log...

    GMER 1.0.14.14536 - http://www.gmer.net
    Rootkit scan 2009-02-04 11:49:32
    Windows 5.1.2600 Service Pack 3


    ---- System - GMER 1.0.14 ----

    SSDT spmc.sys ZwCreateKey [0xB9EA80E0]
    SSDT spmc.sys ZwEnumerateKey [0xB9EC6CA2]
    SSDT spmc.sys ZwEnumerateValueKey [0xB9EC7030]
    SSDT spmc.sys ZwOpenKey [0xB9EA80C0]
    SSDT spmc.sys ZwQueryKey [0xB9EC7108]
    SSDT spmc.sys ZwQueryValueKey [0xB9EC6F88]
    SSDT spmc.sys ZwSetValueKey [0xB9EC719A]

    INT 0x62 ? 8AEC6BF8
    INT 0x63 ? 8AE52BF8
    INT 0x73 ? 8AE52BF8
    INT 0x82 ? 8AEC6BF8
    INT 0xA4 ? 8AA78F00
    INT 0xB4 ? 8AE55BF8

    ---- Kernel code sections - GMER 1.0.14 ----

    ? spmc.sys The system cannot find the file specified. !
    .text USBPORT.SYS!DllUnload B8BDF8AC 5 Bytes JMP 8AA784E0
    .text a6t5q9xy.SYS B8AC0386 35 Bytes [ 00, 00, 00, 00, 00, 00, 20, ... ]
    .text a6t5q9xy.SYS B8AC03AA 24 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
    .text a6t5q9xy.SYS B8AC03C4 3 Bytes [ 00, 70, 02 ]
    .text a6t5q9xy.SYS B8AC03C9 1 Byte [ 2E ]
    .text a6t5q9xy.SYS B8AC03CB 9 Bytes [ 00, 00, 5C, 02, 00, 00, 00, ... ]
    .text ...

    ---- Kernel IAT/EAT - GMER 1.0.14 ----

    IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EA9040] spmc.sys
    IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EA913C] spmc.sys
    IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EA90BE] spmc.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EA97FC] spmc.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EA96D2] spmc.sys
    IAT \SystemRoot\System32\Drivers\a6t5q9xy.SYS[HAL.dll!KfAcquireSpinLock] 4B8BDF8B
    IAT \SystemRoot\System32\Drivers\a6t5q9xy.SYS[HAL.dll!READ_PORT_UCHAR] 8D3F0304
    IAT \SystemRoot\System32\Drivers\a6t5q9xy.SYS[HAL.dll!KeGetCurrentIrql] CB033043
    IAT \SystemRoot\System32\Drivers\a6t5q9xy.SYS[HAL.dll!KfRaiseIrql] 0673C13B
    IAT \SystemRoot\System32\Drivers\a6t5q9xy.SYS[HAL.dll!KfLowerIrql] C13B0003
    IAT \SystemRoot\System32\Drivers\a6t5q9xy.SYS[HAL.dll!HalGetInterruptVector] 8366FA72
    IAT \SystemRoot\System32\Drivers\a6t5q9xy.SYS[HAL.dll!HalTranslateBusAddress] 75000E7B
    IAT \SystemRoot\System32\Drivers\a6t5q9xy.SYS[HAL.dll!KeStallExecutionProcessor] 0B7D80E3
    IAT \SystemRoot\System32\Drivers\a6t5q9xy.SYS[HAL.dll!KfReleaseSpinLock] 307B8D00
    IAT \SystemRoot\System32\Drivers\a6t5q9xy.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 00AA840F
    IAT \SystemRoot\System32\Drivers\a6t5q9xy.SYS[HAL.dll!READ_PORT_USHORT] 83660000
    IAT \SystemRoot\System32\Drivers\a6t5q9xy.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 6A000E7A
    IAT \SystemRoot\System32\Drivers\a6t5q9xy.SYS[HAL.dll!WRITE_PORT_UCHAR] C6647400
    IAT \SystemRoot\System32\Drivers\a6t5q9xy.SYS[WMILIB.SYS!WmiSystemControl] 4F8B0200
    IAT \SystemRoot\System32\Drivers\a6t5q9xy.SYS[WMILIB.SYS!WmiCompleteRequest] 968D5140

    ---- Devices - GMER 1.0.14 ----

    Device \FileSystem\Ntfs \Ntfs 8AEC41F8

    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Ip ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 ATMhelpr.SYS (Windows NT Font Driver Helper/Adobe Systems Incorporated)

    Device \Driver\usbohci \Device\USBPDO-0 8AA7C500
    Device \Driver\usbehci \Device\USBPDO-1 8AAAB500
    Device \Driver\PCI_PNP9046 \Device\00000054 spmc.sys

    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)

    Device \Driver\prodrv06 \Device\ProDrv06 E1F73C30
    Device \Driver\Ftdisk \Device\HarddiskVolume1 8AE531F8
    Device \Driver\Cdrom \Device\CdRom0 8AA7E500
    Device \Driver\Ftdisk \Device\HarddiskVolume2 8AE531F8
    Device \Driver\Cdrom \Device\CdRom1 8AA7E500
    Device \Driver\Ftdisk \Device\HarddiskVolume3 8AE531F8
    Device \Driver\Cdrom \Device\CdRom2 8AA7E500
    Device \Driver\Cdrom \Device\CdRom3 8AA7E500
    Device \Driver\Cdrom \Device\CdRom4 8AA7E500
    Device \Driver\prohlp02 \Device\ProHlp02 E1842CC0
    Device \Driver\Cdrom \Device\CdRom5 8AA7E500
    Device \Driver\NetBT \Device\NetBt_Wins_Export 8AA79500
    Device \Driver\nvata \Device\00000078 8AE521F8
    Device \Driver\USBSTOR \Device\00000092 8A9751F8
    Device \Driver\NetBT \Device\NetbiosSmb 8AA79500
    Device \Driver\USBSTOR \Device\00000088 8A9751F8

    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)

    Device \Driver\usbohci \Device\USBFDO-0 8AA7C500
    Device \Driver\nvata \Device\NvAta0 8AE521F8
    Device \Driver\usbehci \Device\USBFDO-1 8AAAB500
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8AB101F8
    Device \Driver\nvata \Device\NvAta1 8AE521F8
    Device \FileSystem\MRxSmb \Device\LanmanRedirector 8AB101F8
    Device \Driver\Ftdisk \Device\FtControl 8AE531F8
    Device \Driver\sptd \Device\3259149046 spmc.sys
    Device \Driver\a6t5q9xy \Device\Scsi\a6t5q9xy1Port5Path0Target0Lun0 8AA76500
    Device \Driver\a6t5q9xy \Device\Scsi\a6t5q9xy1 8AA76500
    Device \Driver\a6t5q9xy \Device\Scsi\a6t5q9xy1Port5Path0Target2Lun0 8AA76500
    Device \Driver\JRAID \Device\Scsi\JRAID1 8AEC51F8
    Device \Driver\a6t5q9xy \Device\Scsi\a6t5q9xy1Port5Path0Target3Lun0 8AA76500
    Device \Driver\a6t5q9xy \Device\Scsi\a6t5q9xy1Port5Path0Target1Lun0 8AA76500
    Device \FileSystem\Cdfs \Cdfs 8A998500

    ---- Services - GMER 1.0.14 ----

    Service system32\drivers\gaopdxoqodsril.sys (*** hidden *** ) [SYSTEM] gaopdxserv.sys <-- ROOTKIT !!!

    ---- Registry - GMER 1.0.14 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@start 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@type 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxoqodsril.sys
    Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@group file system
    Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@userdata -1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules
    Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxoqodsril.sys
    Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxmtebukpb.dll
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x37 0x6A 0x09 0x6E ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x78 0x74 0xDE 0xAC ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x9D 0x04 0xB1 0x3F ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x80 0xF9 0xD9 0x71 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0xEE 0x39 0x74 0xE4 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0xEE 0x39 0x74 0xE4 ...
    Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys@start 1
    Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys@type 1
    Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxoqodsril.sys
    Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys@group file system
    Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys@userdata -1
    Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys\modules
    Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxoqodsril.sys
    Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxmtebukpb.dll
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x37 0x6A 0x09 0x6E ...
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x78 0x74 0xDE 0xAC ...
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x9D 0x04 0xB1 0x3F ...
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x80 0xF9 0xD9 0x71 ...
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0xEE 0x39 0x74 0xE4 ...
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0xEE 0x39 0x74 0xE4 ...
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs zvnmsi.dll
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1

    ---- EOF - GMER 1.0.14 ----

    I gotta go out for a couple of hours. I'll check back this afternoon.

  2. #2
    Download UnHackMe and save it to the desktop.
    Open the compressed folder on your desktop named unhackme.zip and double-click unhackme250.exe to begin the installation. When asked if you wish to continue, click Yes.
    Select all the default installation options by clicking Next for every step in the installation. When prompted, choose Yes to create a directory.
    Select the Check tab at the top of the window and then click on the Check Me Now! button. UnHackMe will begin scanning your operating system for rootkits.
    When the scan is complete, it should show what it has found.
    Click on the key that you want to remove.

    After selecting the key, click on the Delete Key button. A window will appear asking you to verify the deletion.
    Click "Yes" to delete the infected key. Do this for all the infected keys in the list. When you're finished deleting all the keys in the list, you may close down UnHackMe.

  3. #3
    I ran UnHackMe. It found 14 things. Only about 5 of them I deleted. Things like Nvidia network manager and ClockX I left on. I saw the gaopdxserv.sys rootkit and deleted it.

    I can browse my drives now, but I still get the dialog box "Due to an unidentified problem, Windows cannot display Windows Firewall settings." when I try to set the firewall.
