Greetings daniweb. I've encountered a few problems on my PC and found similar problem solutions on this site, therefore I would like to ask for your assistance.

Recently something has infected my computer. Symptoms:
1) I can't visit ANY antivirus webpages and some completely unrelated sites.

2) All software updates are disabled and unable to launch.

3) Windows Explorer is unable to save settings, therefore I can't even select "view hidden files and folders". After I press "OK" it just sets back to its previous settings.

I was unable to use ANY of the online scanners due to the problems mentioned above.

Here's my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:37:31 AM, on 7/2/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Skype\Phone\Skype.exe
D:\Games\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe
C:\Program Files\Java\jre6\bin\jqs.exe
D:\xampp\mysql\bin\mysqld.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
D:\Program Files\mIRC\mirc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Garena\Garena.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.garena.com/portal/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 89.234.27.15:80
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: My_AutoWarkey_Script.lnk = D:\Games\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Chessmaster Challenge\Images\stg_drm.ocx
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Chessmaster Challenge\Images\armhelper.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: mysql - Unknown owner - D:\xampp\mysql\bin\mysqld.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4293 bytes

Uninstall list:

Quake Live Mozilla Plugin
Realtek AC'97 Audio
Security Update for Windows Media Player (KB952069)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB960714)
Skype™ 4.0
Steam(TM)
Suite Shared Configuration CS4
TeamSpeak 2 RC2
TmNationsForever
Update for Windows XP (KB898461)
Update for Windows XP (KB955839)
Ventrilo Client
VentriloMIX
VLC media player 0.9.9
Warkeys 1.13.1.0b
Winamp
Windows Installer 3.1 (KB893803)
Windows Live installer
Windows Media Format Runtime
WinRAR archiver
World of Warcraft
XAMPP 1.7.0


MalwareBytes’ Anti-Malware full scan is taking quite a while, I'll post it as soon as it finishes.

Thanks in advance, JLF.

Last Post by dantheavgman

Thank you for your replies, but I'm afraid that won't help me.
The download links in the thread you directed me to are either dead or have expired software. I'm unable to update it due to my problems, nor can I download the free trial. It doesn't allow me to use the "drweb cureit" as the "licence is expired".

Any other ideas?

Thank you for your replies, but I'm afraid that won't help me.
The download links in the thread you directed me to are either dead or have expired software. I'm unable to update it due to my problems, nor can I download the free trial. It doesn't allow me to use the "drweb cureit" as the "licence is expired".

Any other ideas?

Hmmmm,
try this one out
and continue with that thread..

I had the same problem as you, but I had my OS reinstalled...

Well, that's pretty much what I'm doing already (following the steps in the "read first" thread).

Also, you seem to have directed me to the same page as before? Because your daniweb thread doesn't seem to contain any instructions for fixing it.

In addition, from what I've seen, a problem like this can't just have the identical fixing method as the links you gave me, so I would like to receive some direct instructions for my case.

I could reinstall my OS too, but I would really prefer to find a cure for this.

Malware check is finished, this doesn't look good:

Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 2

7/2/2009 8:14:29 PM
malwarelog.txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 208349
Time elapsed: 2 hour(s), 40 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> No action taken.

Folders Infected:
C:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013 (Backdoor.IRCBot) -> No action taken.

Files Infected:
c:\RESTORE\s-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini (Backdoor.IRCBot) -> No action taken.

__________________________________________________________

Edit:
It seems this has fixed my windows explorer problem. Unfortunately, the website block and update problems still remain. Thank you in advance.

Nope..
I wanted you to read the thread no. #5 of the link I forwarded the second time....

As I said, I have already read the thread .. And I followed all the steps. I posted the logs.

As I said, I have already read the thread .. And I followed all the steps. I posted the logs.

All right...
Hopefully, some expert will guide you soon...

Hello. It's been a few days since the last post in this thread. I would like to point out that the problem I'm dealing with is still there. Also, it seems my machine has slowed down in the last 2 days. If anyone could take a look into this or give me any hints, I would be very grateful.

According to the MBA-M log you posted, you took no action on what was found.
Run MBA-M again and update it. If you cannot update it through the internal updater, you can get the update here: http://www.gt500.org/malwarebytes/database.jsp

When you have done that, do a full scan and remove what is found.
Reboot the pc and post the MBA-M log showing that what was found has been removed.
Post a new hijackthis log.

I did successfully delete the infections, I guess I just failed to copy that part. And as I said, it fixed my windows explorer problem. Anyway, I'll try to do it again as you said.

Update:
Your MBA-M update solution didn't work.
This is the log which says I deleted those infections 6 days ago.

Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 2

7/2/2009 8:18:42 PM
mbam-log-2009-07-02 (20-18-42).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 208349
Time elapsed: 2 hour(s), 40 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
C:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013 (Backdoor.IRCBot) -> Quarantined and deleted successfully.

Files Infected:
c:\RESTORE\s-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini (Backdoor.IRCBot) -> Quarantined and deleted successfully.

This is the log which says I deleted those infections 6 days ago.

And here's the new HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:52:56 AM, on 7/9/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
D:\xampp\mysql\bin\mysqld.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
D:\Games\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe
D:\Program Files\mIRC\mirc.exe
D:\Program Files\Winamp\winamp.exe
D:\Program Files\Garena\Garena.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\VideoLAN\VLC\vlc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.garena.com/portal/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 89.234.27.15:80
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: My_AutoWarkey_Script.lnk = D:\Games\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Chessmaster Challenge\Images\stg_drm.ocx
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Chessmaster Challenge\Images\armhelper.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: mysql - Unknown owner - D:\xampp\mysql\bin\mysqld.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4126 bytes

Your MBA-M update solution didn't work.

What do you mean it did not work? Which part did not work? The latest database version from the link I supplied is 2353. Just download it and activate (double click to run) it with MBA-M closed and it should self install.

This is the log which says I deleted those infections 6 days ago.

Then that is the log you should have posted :).

This is the screen I'm getting
http://i27.tinypic.com/2q15ow7.jpg
The download link on the left doesn't work. I'm probably not smart enough to realise what else I should do there.
Anyway, are the logs I've posted now enough?

The link is not visible to you for some reason.

Can you try a different browser to download it?
Hijackthis is not revealing anything, so updating MBA-M would be the next logical step, seeing how it has already found objects with its outdated database.

Here's the new MBA-M logfile

Malwarebytes' Anti-Malware 1.38
Database version: 2353
Windows 5.1.2600 Service Pack 2

7/10/2009 6:08:33 AM
mbam-log-2009-07-10 (06-08-33).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 213344
Time elapsed: 3 hour(s), 17 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Ok, not much there but the site has not uploaded the latest MBA-M update.
Try the following and let me know if there are any changes;

Download Dial-a-Fix and run it. Select the 'Check all' (green arrow) and then hit 'GO.'
Reboot when done and see how things are now.

Hmmm, had the same issue at work :)

I believe it's a rootkit stopping you connecting to the MBAM servers.

Can you download the following and post the logs here :D

Download the application from http://gmer.net/gmer.zip
Save the "gmer.zip" file to your hard-drive and unpack it
(double-click on it and select where to extract the files).
Rename the "gmer.exe" file to something else (e.g. "remg.exe") and
run it.
Make sure all the settings on the right side are selected.
Press the "Scan" button and wait for the scan to finish
Click on the "Save ..." button and save the scan log

Also, can you try RootRepeal http://ad13.geekstogo.com/RootRepeal.rar

Save it, open it up, scan drivers and services, and also, if possible, scan for stealth objects. Save the log and post your findings on here :)

Thanks

Daniel

AVG Technical Support

Crunchie, unfortunately Dial-A-Fix didn't help. I will now try the anti-rootkit software as it does appear to have a rootkit.

I've finished the gmer.exe scan. It prompted me twice about "Warning! Gmer has found a ROOTKIT in your system".
Here's the log:

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-10 17:45:55
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT spyo.sys ZwCreateKey [0xF77430E0]
SSDT spyo.sys ZwEnumerateKey [0xF7761CA2]
SSDT spyo.sys ZwEnumerateValueKey [0xF7762030]
SSDT spyo.sys ZwOpenKey [0xF77430C0]
SSDT spyo.sys ZwQueryKey [0xF7762108]
SSDT spyo.sys ZwQueryValueKey [0xF7761F88]
SSDT spyo.sys ZwSetValueKey [0xF776219A]

INT 0x62 ? 86768BF8
INT 0x63 ? 8663BF00
INT 0x82 ? 86768BF8
INT 0x83 ? 8663BF00
INT 0xA4 ? 8663BF00
INT 0xB4 ? 8663BF00

---- Kernel code sections - GMER 1.0.15 ----

? spyo.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F6E4362C 5 Bytes JMP 8663B4E0
.text dtscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 F68DC4D0 48 Bytes [90, 98, E6, FB, 2C, FA, 5E, ...]
? C:\WINDOWS\System32\Drivers\dtscsi.sys The process cannot access the file because it is being used by another process.

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[904] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes JMP 01BA9DB4
.text C:\WINDOWS\System32\svchost.exe[904] NETAPI32.dll!NetpwPathCanonicalize 5B86A101 5 Bytes JMP 01BA9D54
.text C:\WINDOWS\system32\svchost.exe[1008] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes JMP 007B9DB4
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1492] kernel32.dll!SetUnhandledExceptionFilter 7C810386 4 Bytes [C2, 04, 00, 00]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 867DA2D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F7774C4C] spyo.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F7774CA0] spyo.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7744040] spyo.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F774413C] spyo.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F77440BE] spyo.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F77447FC] spyo.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F77446D2] spyo.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 8663B5E0
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F7754048] spyo.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 867671F8

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)

Device \FileSystem\Fastfat \FatCdrom 865D2500
Device \Driver\usbuhci \Device\USBPDO-0 865C51F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 867D81F8
Device \Driver\dmio \Device\DmControl\DmConfig 867D81F8
Device \Driver\dmio \Device\DmControl\DmPnP 867D81F8
Device \Driver\dmio \Device\DmControl\DmInfo 867D81F8
Device \Driver\usbuhci \Device\USBPDO-1 865C51F8
Device \Driver\usbuhci \Device\USBPDO-2 865C51F8
Device \Driver\PCI_PNP2050 \Device\00000046 spyo.sys
Device \Driver\usbuhci \Device\USBPDO-3 865C51F8
Device \Driver\usbehci \Device\USBPDO-4 865971F8

AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys

Device \Driver\Ftdisk \Device\HarddiskVolume1 867691F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 867691F8
Device \Driver\Cdrom \Device\CdRom0 86520500
Device \Driver\Cdrom \Device\CdRom1 86520500
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 867681F8
Device \Driver\atapi \Device\Ide\IdePort0 867681F8
Device \Driver\atapi \Device\Ide\IdePort1 867681F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 867681F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8641C500
Device \Driver\NetBT \Device\NetbiosSmb 8641C500
Device \Driver\NetBT \Device\NetBT_Tcpip_{208F5980-8AAA-4140-B9B2-619F7AAADAF3} 8641C500
Device \Driver\usbuhci \Device\USBFDO-0 865C51F8
Device \Driver\usbuhci \Device\USBFDO-1 865C51F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 864A2500
Device \Driver\usbuhci \Device\USBFDO-2 865C51F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 864A2500
Device \Driver\usbuhci \Device\USBFDO-3 865C51F8
Device \Driver\usbehci \Device\USBFDO-4 865971F8
Device \Driver\Ftdisk \Device\FtControl 867691F8
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target0Lun0 864BE500
Device \Driver\dtscsi \Device\Scsi\dtscsi1 864BE500
Device \FileSystem\Fastfat \Fat 865D2500

AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

Device \FileSystem\Cdfs \Cdfs 865D1500

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] tgmvvk <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x64 0xCA 0x05 0xDC ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x60 0x07 0x60 0xB1 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x00 0x15 0xDB 0x22 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\tgmvvk@DisplayName Microsoft Windows
Reg HKLM\SYSTEM\CurrentControlSet\Services\tgmvvk@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\tgmvvk@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\tgmvvk@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\tgmvvk@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\tgmvvk@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\tgmvvk@Description Provides launch functionality for DCOM services.
Reg HKLM\SYSTEM\CurrentControlSet\Services\tgmvvk\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\tgmvvk\Parameters@ServiceDll C:\WINDOWS\system32\gylbcpo.dll
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x64 0xCA 0x05 0xDC ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x60 0x07 0x60 0xB1 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x00 0x15 0xDB 0x22 ...
Reg HKLM\SYSTEM\ControlSet002\Services\tgmvvk@DisplayName Microsoft Windows
Reg HKLM\SYSTEM\ControlSet002\Services\tgmvvk@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\tgmvvk@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\tgmvvk@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\tgmvvk@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\tgmvvk@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\tgmvvk@Description Provides launch functionality for DCOM services.
Reg HKLM\SYSTEM\ControlSet002\Services\tgmvvk\Parameters
Reg HKLM\SYSTEM\ControlSet002\Services\tgmvvk\Parameters@ServiceDll C:\WINDOWS\system32\gylbcpo.dll

---- EOF - GMER 1.0.15 ----

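The GMER log above, run through a small Python triage script added here (not GMER's code and not from any post in the thread). It groups the SSDT hooks by hooking module, pulls out the service GMER marks as hidden, and joins it to the registry values that show what actually runs: svchost.exe in the netsvcs group loading the ServiceDll gylbcpo.dll under a generic "Microsoft Windows" display name. The sample log is a constructed excerpt of the scan posted above.

```python
"""Triage helper for a GMER rootkit-scan log (added example, not GMER code)."""
import re
from collections import defaultdict

# Constructed sample: an excerpt of the GMER log posted in the thread.
SAMPLE_LOG = r"""GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-10 17:45:55

---- System - GMER 1.0.15 ----

SSDT spyo.sys ZwCreateKey [0xF77430E0]
SSDT spyo.sys ZwEnumerateKey [0xF7761CA2]
SSDT spyo.sys ZwSetValueKey [0xF776219A]

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] tgmvvk <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\tgmvvk@DisplayName Microsoft Windows
Reg HKLM\SYSTEM\CurrentControlSet\Services\tgmvvk@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\tgmvvk@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\tgmvvk\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\tgmvvk\Parameters@ServiceDll C:\WINDOWS\system32\gylbcpo.dll

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER")
SSDT_RE = re.compile(r"^SSDT (\S+) (\S+) \[0x[0-9A-Fa-f]+\]")
SERVICE_RE = re.compile(r"^Service (.+?) \((.*?)\) \[(\w+)\] (\S+)")
REG_RE = re.compile(r"^Reg (\S+?)(?:@(\S+)(?: (.*))?)?$")
# Only per-service keys and their Parameters subkey, not e.g. sptd\Cfg\...
SERVICE_KEY_RE = re.compile(r"\\Services\\([^\\]+)(\\Parameters)?$")
SVCHOST_RE = re.compile(r"svchost\.exe\s+-k\s+(\S+)", re.IGNORECASE)

def parse_gmer(log_text):
    """Parse the System, Services and Registry sections into plain dicts."""
    ssdt = defaultdict(list)   # hooking module -> hooked syscalls
    services = {}              # service name -> {image, hidden, start}
    reg = defaultdict(dict)    # service name -> {value name: data}
    section = None
    for line in log_text.splitlines():
        if m := SECTION_RE.match(line):
            section = m.group(1)
        elif section == "System" and (m := SSDT_RE.match(line)):
            ssdt[m.group(1)].append(m.group(2))
        elif section == "Services" and (m := SERVICE_RE.match(line)):
            services[m.group(4)] = {"image": m.group(1), "hidden": "hidden" in m.group(2),
                                    "start": m.group(3)}
        elif section == "Registry" and (m := REG_RE.match(line)) and m.group(2):
            if key := SERVICE_KEY_RE.search(m.group(1)):
                reg[key.group(1)][m.group(2)] = m.group(3) or ""
    return {"ssdt": dict(ssdt), "services": services, "reg": dict(reg)}

def ssdt_summary(parsed):
    """Hooked syscalls per module. Hooking the registry syscalls is how a rootkit
    hides its service key from regedit, but the hooking module still needs attributing:
    the log also carries an sptd/DAEMON Tools key, and SPTD is commonly seen as a
    randomly named sp??.sys driver hooking exactly these calls."""
    return {mod: sorted(funcs) for mod, funcs in parsed["ssdt"].items()}

def hidden_service_report(parsed):
    """For each service GMER flagged as hidden, gather what an analyst needs before
    acting: host process, svchost group, the DLL really loaded, and the display name."""
    report = {}
    for name, svc in parsed["services"].items():
        if not svc["hidden"]:
            continue
        values = parsed["reg"].get(name, {})
        group = SVCHOST_RE.search(values.get("ImagePath", ""))
        report[name] = {"host": svc["image"].rsplit("\\", 1)[-1].lower(),
                        "svchost_group": group.group(1) if group else None,
                        "service_dll": values.get("ServiceDll"),
                        "display_name": values.get("DisplayName")}
    return report

if __name__ == "__main__":
    parsed = parse_gmer(SAMPLE_LOG)
    for mod, funcs in ssdt_summary(parsed).items():
        print(f"SSDT hooks by {mod}: {', '.join(funcs)}")
    for name, info in hidden_service_report(parsed).items():
        print(f"hidden service {name}: {info}")
```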
Hi Buddy, yeah, thought it was a rootkit, nasty little pest.

Run gmer again when it finds the rootkit in red right click and click delete :)

then reboot :)

should solve your issue

Thanks
Daniel

AVG Technical support

If the issue persists we might need to remove the registry keys, so just disable the service and delete the following keys:

Reg HKLM\SYSTEM\CurrentControlSet\Services\tgmvvk@DisplayName Microsoft Windows
Reg HKLM\SYSTEM\CurrentControlSet\Services\tgmvvk@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\tgmvvk@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\tgmvvk@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\tgmvvk@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\tgmvvk@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\tgmvvk@Description Provides launch functionality for DCOM services.
Reg HKLM\SYSTEM\CurrentControlSet\Services\tgmvvk\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\tgmvvk\Parameters@ServiceDll C:\WINDOWS\system32\gylbcpo.dll


Please be aware you will need to set permissions for these keys, so just add "everyone", give full permission on each subkey, then delete and reboot :D

Ok that was fast! Gonna do it now.

Update:
It worked! I can visit antivirus sites again. Thank you very much.

BUT the update problem still persists. I can't update any software at all. Programs CAN access internet, but the update part doesn't work.. And not only on antivirus software.

Hi there,

Run gmer again, does it find anything?

Like a service again?

If so, delete the service and delete the reg keys as per my previous post :)

Well, I have already deleted the service, which is why I can visit antivirus sites now. I'll try to do the registry thingy now.

Hmm.. Oddly enough, the registry keys you've indicated aren't showing up in the scan anymore. Is it possibly because I've deleted the rootkit process?
