I'm being hunted..

[blacksea]

log

 

bottom log

[blacksea]

1 more

 

here 1 more

[enoskype]

Hi blacksea, also you can use Wikisend for the whole file to upload and give the download link here for the large files which can not be attached in the forum.

 

Cheers.

[blacksea]

Hi enoskype,

 

yes your right, I forgot about that. Thank you!

 

Here is the link superdave > RKU.txt

 

 

Hi blacksea, also you can use Wikisend for the whole file to upload and give the download link here for the large files which can not be attached in the forum.

 

Cheers.

[blacksea]

What also is weird is that every time the system32 is being scanned with RKU while the Avast realtime shield is on, avast finds a malware-gen in that folder, every time an other .exe file. But when I do on-command scanner with avast on system32, it didn't vind anything.

[Superdave]

Are you still getting a lot of hits on your firewall?

 

AVENGER

 

• Download The Avenger by Swandog46 from here.
  
• Unzip/extract it to a folder on your desktop.
  
• Double click on avenger.exe to run The Avenger.
  
• Click OK.
  
• Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  
• Click the Execute button.
  
• You will be asked No script has been entered. Do you want to execute a rootkit scan only?.
  
• Click Yes.
  
• You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  
• Click Yes.
  
• Your PC will now be rebooted.
  
• After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  
• Please post this log in your next reply.
  

[blacksea]

Yes, as soon as I started my computer, I checked my firewall log and immediately it began again. See attachment.

 

 

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

 

Platform: Windows XP

 

*******************

 

Script file opened successfully.

Script file read successfully.

 

Backups directory opened successfully at C:\Avenger

 

*******************

 

Beginning to process script file:

 

Rootkit scan active.

No rootkits found!

 

 

Completed script processing.

 

*******************

 

Finished! Terminate.

[Superdave]

I'm going to consult my colleagues on this problem.

[blacksea]

Okay, I'll wait and let for now Avast! do his job :razz:

[Superdave]

Please download MBRCheck.exe by a_d_13 from one of the links provided below and save it to your desktop.

 

Link 1

Link 2

Link 3

 

•Double-click on MBRCheck.exe to run it.

 

•It will open a black window...please do not fix anything (if it gives you an option).

 

•When complete, you should see Done! Press ENTER to exit.... Press Enter on the keyboard.

 

•A log named MBRCheck_date_time.txt (i.e. MBRCheck_07.21.10_10.22.51.txt) will appear on the desktop.

•Please copy and paste the contents of that log in your next reply.

[blacksea]

MBRCheck, version 1.2.3

© 2010, AD

 

Command-line:

Windows Version: Windows XP Professional

Windows Information: Service Pack 3 (build 2600)

Logical Drives Mask: 0x000003fd

 

Kernel Drivers (total 131):

0x804D7000 \WINDOWS\system32\ntkrnlpa.exe

0x806E6000 \WINDOWS\system32\hal.dll

0xBA5A8000 \WINDOWS\system32\KDCOM.DLL

0xBA4B8000 \WINDOWS\system32\BOOTVID.dll

0xB9F78000 ACPI.sys

0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS

0xB9F67000 pci.sys

0xBA0A8000 isapnp.sys

0xBA670000 pciide.sys

0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS

0xBA0B8000 MountMgr.sys

0xB9F48000 ftdisk.sys

0xBA5AC000 dmload.sys

0xB9F22000 dmio.sys

0xBA330000 PartMgr.sys

0xBA0C8000 VolSnap.sys

0xB9F0A000 atapi.sys

0xB9EF9000 SiSRaid2.sys

0xB9EE1000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS

0xBA0D8000 disk.sys

0xBA0E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS

0xB9EC1000 fltMgr.sys

0xB9EAF000 sr.sys

0xB9E98000 KSecDD.sys

0xB9E0B000 Ntfs.sys

0xB9DF5000 inspect.sys

0xB9DC8000 \WINDOWS\System32\DRIVERS\NDIS.SYS

0xBA338000 \WINDOWS\System32\DRIVERS\TDI.SYS

0xB9D9A000 aswNdis2.sys

0xBA5AE000 aswNdis.sys

0xBA5B0000 SmartDefragDriver.sys

0xB9D80000 Mup.sys

0xBA188000 \SystemRoot\system32\DRIVERS\AmdPPM.sys

0xBA198000 \SystemRoot\system32\DRIVERS\processr.sys

0xB990A000 \SystemRoot\system32\DRIVERS\ati2mtag.sys

0xB98F6000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS

0xBA1C8000 \SystemRoot\system32\DRIVERS\serial.sys

0xB9CE0000 \SystemRoot\system32\DRIVERS\serenum.sys

0xBA448000 \SystemRoot\system32\DRIVERS\fdc.sys

0xB98E2000 \SystemRoot\system32\DRIVERS\parport.sys

0xBA1D8000 \SystemRoot\system32\DRIVERS\cdrom.sys

0xBA1E8000 \SystemRoot\system32\DRIVERS\redbook.sys

0xB98BF000 \SystemRoot\system32\DRIVERS\ks.sys

0xB988C000 \SystemRoot\system32\drivers\vinyl97.sys

0xB9868000 \SystemRoot\system32\drivers\portcls.sys

0xBA1F8000 \SystemRoot\system32\drivers\drmk.sys

0xBA3B8000 \SystemRoot\system32\DRIVERS\usbohci.sys

0xB9844000 \SystemRoot\system32\DRIVERS\USBPORT.SYS

0xBA3E8000 \SystemRoot\system32\DRIVERS\usbehci.sys

0xBA208000 \SystemRoot\system32\DRIVERS\imapi.sys

0xBA400000 \SystemRoot\system32\DRIVERS\RTL8139.SYS

0xBA7DF000 \SystemRoot\system32\DRIVERS\audstub.sys

0xBA218000 \SystemRoot\system32\DRIVERS\rasl2tp.sys

0xB9D5C000 \SystemRoot\system32\DRIVERS\ndistapi.sys

0xB982D000 \SystemRoot\system32\DRIVERS\ndiswan.sys

0xBA228000 \SystemRoot\system32\DRIVERS\raspppoe.sys

0xBA238000 \SystemRoot\system32\DRIVERS\raspptp.sys

0xB981C000 \SystemRoot\system32\DRIVERS\psched.sys

0xBA248000 \SystemRoot\system32\DRIVERS\msgpc.sys

0xBA468000 \SystemRoot\system32\DRIVERS\ptilink.sys

0xBA478000 \SystemRoot\system32\DRIVERS\raspti.sys

0xB97EC000 \SystemRoot\system32\DRIVERS\rdpdr.sys

0xBA258000 \SystemRoot\system32\DRIVERS\termdd.sys

0xBA370000 \SystemRoot\system32\DRIVERS\kbdclass.sys

0xBA380000 \SystemRoot\system32\DRIVERS\mouclass.sys

0xBA632000 \SystemRoot\system32\DRIVERS\swenum.sys

0xB978E000 \SystemRoot\system32\DRIVERS\update.sys

0xB9D3C000 \SystemRoot\system32\DRIVERS\mssmbios.sys

0xBA268000 \SystemRoot\system32\DRIVERS\AmdLLD.sys

0xBA278000 \SystemRoot\System32\Drivers\NDProxy.SYS

0xBA2A8000 \SystemRoot\system32\DRIVERS\usbhub.sys

0xBA642000 \SystemRoot\system32\DRIVERS\USBD.SYS

0xBA438000 \SystemRoot\system32\DRIVERS\flpydisk.sys

0xAD66B000 \SystemRoot\System32\DRIVERS\cmdguard.sys

0xBA64C000 \SystemRoot\System32\Drivers\Fs_Rec.SYS

0xBA6CD000 \SystemRoot\System32\Drivers\Null.SYS

0xBA650000 \SystemRoot\System32\Drivers\Beep.SYS

0xBA3C8000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS

0xBA3D8000 \SystemRoot\System32\drivers\vga.sys

0xBA654000 \SystemRoot\System32\Drivers\mnmdd.SYS

0xBA658000 \SystemRoot\System32\DRIVERS\RDPCDD.sys

0xBA3F0000 \SystemRoot\System32\Drivers\Msfs.SYS

0xBA408000 \SystemRoot\System32\Drivers\Npfs.SYS

0xB9CDC000 \SystemRoot\system32\DRIVERS\rasacd.sys

0xAD610000 \SystemRoot\system32\DRIVERS\ipsec.sys

0xAD5B7000 \SystemRoot\system32\DRIVERS\tcpip.sys

0xAD5A0000 \SystemRoot\System32\Drivers\aswFW.SYS

0xBA2D8000 \SystemRoot\system32\DRIVERS\wanarp.sys

0xAD57A000 \SystemRoot\system32\DRIVERS\ipnat.sys

0xBA3D0000 \SystemRoot\System32\DRIVERS\cmdhlp.sys

0xBA2E8000 \SystemRoot\System32\Drivers\aswTdi.SYS

0xAD552000 \SystemRoot\system32\DRIVERS\netbt.sys

0xBA460000 \SystemRoot\System32\Drivers\aswRdr.SYS

0xAD530000 \SystemRoot\System32\drivers\afd.sys

0xBA2F8000 \SystemRoot\system32\DRIVERS\netbios.sys

0xAD50E000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS

0xBA378000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS

0xAD4E3000 \SystemRoot\system32\DRIVERS\rdbss.sys

0xAD473000 \SystemRoot\system32\DRIVERS\mrxsmb.sys

0xBA308000 \SystemRoot\System32\Drivers\Fips.SYS

0xAD429000 \SystemRoot\System32\Drivers\aswSP.SYS

0xAD391000 \SystemRoot\System32\Drivers\aswSnx.SYS

0xBA420000 \SystemRoot\System32\Drivers\Aavmker4.SYS

0xBA3E0000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS

0xBA4A0000 \SystemRoot\system32\DRIVERS\usbccgp.sys

0xBA148000 \SystemRoot\System32\Drivers\Cdfs.SYS

0xAD369000 \SystemRoot\system32\DRIVERS\hidusb.sys

0xBA158000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS

0xB9CE4000 \SystemRoot\system32\DRIVERS\mouhid.sys

0xB9D50000 \SystemRoot\system32\DRIVERS\kbdhid.sys

0xBF800000 \SystemRoot\System32\win32k.sys

0xAD41D000 \SystemRoot\System32\drivers\Dxapi.sys

0xBA480000 \SystemRoot\System32\watchdog.sys

0xBF000000 \SystemRoot\System32\drivers\dxg.sys

0xBA73A000 \SystemRoot\System32\drivers\dxgthk.sys

0xBF012000 \SystemRoot\System32\ati2dvag.dll

0xBF065000 \SystemRoot\System32\ati2cqag.dll

0xBF0FE000 \SystemRoot\System32\atikvmag.dll

0xBF182000 \SystemRoot\System32\atiok3x2.dll

0xBF1CD000 \SystemRoot\System32\ati3duag.dll

0xBF572000 \SystemRoot\System32\ativvaxx.dll

0xBF9C8000 \SystemRoot\System32\ATMFD.DLL

0xAAF81000 \SystemRoot\System32\Drivers\aswFsBlk.SYS

0xAAE41000 \SystemRoot\system32\DRIVERS\ndisuio.sys

0xAAFE9000 \SystemRoot\system32\DRIVERS\rspndr.sys

0xAACA2000 \SystemRoot\System32\Drivers\aswMon2.SYS

0xAA9BD000 \SystemRoot\system32\drivers\wdmaud.sys

0xAAED9000 \SystemRoot\system32\drivers\sysaudio.sys

0xBA66C000 \SystemRoot\System32\Drivers\ParVdm.SYS

0xA90C9000 \SystemRoot\system32\drivers\kmixer.sys

0x7C900000 \WINDOWS\system32\ntdll.dll

 

Processes (total 42):

0 System Idle Process

4 System

860 C:\WINDOWS\system32\smss.exe

1004 csrss.exe

1212 C:\WINDOWS\system32\winlogon.exe

1304 C:\WINDOWS\system32\services.exe

1332 C:\WINDOWS\system32\lsass.exe

1556 C:\WINDOWS\system32\ati2evxx.exe

1592 C:\WINDOWS\system32\svchost.exe

1716 svchost.exe

1840 C:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe

1916 C:\WINDOWS\system32\svchost.exe

448 C:\WINDOWS\system32\ati2evxx.exe

484 C:\Program Files\AVAST Software\Avast\afwServ.exe

848 C:\Program Files\AVAST Software\Avast\AvastSvc.exe

1600 C:\WINDOWS\system32\svchost.exe

468 C:\WINDOWS\system32\spoolsv.exe

680 C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe

1020 C:\WINDOWS\explorer.exe

1536 C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe

2108 C:\Program Files\Java\jre6\bin\jqs.exe

1816 C:\Program Files\AVAST Software\Avast\AvastUI.exe

3152 C:\Program Files\Comodo\COMODO Internet Security\cfp.exe

1540 C:\Program Files\Windows Live\Messenger\msnmsgr.exe

3216 C:\WINDOWS\system32\ctfmon.exe

696 C:\Program Files\Windows Live\Contacts\wlcomm.exe

4076 C:\Program Files\Comodo\Dragon\dragon.exe

3552 C:\Program Files\Comodo\Dragon\dragon.exe

1124 C:\Program Files\Comodo\Dragon\dragon.exe

2524 C:\Program Files\Comodo\Dragon\dragon.exe

2532 C:\Program Files\Comodo\Dragon\dragon.exe

3476 C:\Program Files\Comodo\Dragon\dragon.exe

3828 C:\Program Files\Comodo\Dragon\dragon.exe

1796 C:\Program Files\Comodo\Dragon\dragon.exe

668 C:\Program Files\Comodo\Dragon\dragon.exe

1880 C:\Documents and Settings\Cengi\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

3500 C:\Documents and Settings\Cengi\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

3288 C:\Documents and Settings\Cengi\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

540 C:\Program Files\Internet Explorer\iexplore.exe

3164 C:\Program Files\Internet Explorer\iexplore.exe

3036 C:\Program Files\Internet Explorer\iexplore.exe

3740 C:\Documents and Settings\Cengi\Bureaublad\MBRCheck.exe

 

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000030`d3cbae00

 

PhysicalDrive0 Model Number: ExcelStorTechnologyJ9250S, Rev: GM2OA52A

 

Size Device Name MBR Status

--------------------------------------------

232 GB \\.\PhysicalDrive0 Windows XP MBR code detected

SHA1: F238F1FE114296B6DC7716517DC1DADB3FF3D5C6

 

 

Done!

[Superdave]

Download Kernel Detective: Kernel_Detective

 

Extract the file to your Desktop.

 

Enter the folder and double-click on Kernel Detective.exe to get started.

 

We need four different logs, to be uploaded.

 

Click on Kernel Modifications tab, then click on File > Save Current List, and give it a name. The name should be in *.txt format.

 

Save the log to your Desktop.

 

Do the same for the Drivers tab, System Service Descriptor Table, and the System Service Descriptor Table Shadow.

 

Attach all the logs to your next reply..

[blacksea]

l

 

Since most of the logs are more kb than allowed, I have again uploaded them to wikisend.

 

dave.txt

 

dave1.txt

 

dave2.txt

 

dave3.txt

[Superdave]

Download GMER Rootkit Detector and save it your desktop.

• Unzip (extract) it to your desktop.
  
• Disconnect from Internet and close all running programs.
  
• There is a small chance this application may crash your computer so save any work you have open.
  
• Double-click gmer.exe to run it.
  
• Let the gmer.sys driver to load if asked.
  
• If it gives you a warning at program start about rootkit activity and asks if you want to run a scan... click NO
  
• Click the Rootkit tab.
  
• Make sure all of the boxes on the right of the screen are checked, EXCEPT for "Show All".
  
• Then click the Scan button. Wait for the scan to finish.
  
• Once done, click the Copy button.
  
• This will copy the results to the clipboard. Open Notepad and press CTRL + V to paste the log, and save it to your desktop.
  
• Add this log to your next reply.
  

.

NOTE: If you're having problems with running gmer.exe, try it in Safe Mode. This tool works in Safe Mode whereas many other rootkit revealers do not.

[blacksea]

gmer.txt

[Superdave]

Download DeFogger by jpshortstuffand save it to your desktop.

 

* Double click DeFogger.exe to run the tool.

* The application window will appear.

* Click the Disable button to disable your CD Emulation drivers

* Click Yes to continue.

* A 'Finished!' message will appear.

* Click OK.

* DeFogger will now ask to reboot the machine...click OK.

 

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

 

Now please run the GMER scan again as instructed in Reply # 39

Re-enable those drivers after GMER has run.

 

Do not re-enable these drivers until otherwise instructed.

 

To re-enable your Emulation drivers, double click DeFogger to run the tool.

 

* The application window will appear.

* Click the Re-enable button to re-enable your CD Emulation drivers.

* Click Yes to continue.

* A 'Finished!' message will appear.

* Click OK

* DeFogger will now ask to reboot the machine, click OK

 

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

 

Your Emulation drivers are now re-enabled.

[blacksea]

defogger_disable by jpshortstuff (23.02.10.1)

Log created at 02:36 on 21/05/2011 (Cengi)

 

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

 

Checking for services/drivers...

 

 

-=E.O.F=-

 

I did not recieve an error message, but defogger did not ask to reboot my machine. Should I do it my self or?

[Superdave]

defogger_disable by jpshortstuff (23.02.10.1)

Log created at 02:36 on 21/05/2011 (Cengi)

 

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

 

Checking for services/drivers...

 

 

-=E.O.F=-

 

I did not recieve an error message, but defogger did not ask to reboot my machine. Should I do it my self or?

 

You must have misunderstood. You were supposed to disable your CD Emulation drivers using defogger and then run the GMER scan. After the scan has run, you can re-enable the drivers and post the log. Since you have them now disabled, reboot and run the GMER scan.

[blacksea]

No I understood you correctly, but what I meant was, that you said that 'DeFogger will now ask to reboot the machine' while it did not ask me. So and I said that even thought I havent recieved an error, it did not ask me to reboot. So I was only reporting that. But I will now reboot and run the GMER scan again.

[blacksea]

I meant, even though it did not ask me to reboot, I havent recieved an error. Saying it otherwise, then yes it looks like I misunderstood sorry

[blacksea]

gmer2.txt

[blacksea]

gmer2.txt

 

new one

[Superdave]

I'd to try one more scan on your computer.

 

I'd like to scan your machine with ESET OnlineScan

 

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however may need to disable your current installed Anti-Virus, how to do so can be read here.

 

•Please click on the: http://i424.photobucket.com/albums/pp322/digistar/esetOnline.png button.

 

••Select the option YES, I accept the Terms of Use then click on: http://i424.photobucket.com/albums/pp322/digistar/esetStart.png button.

• 
  
  • 
    •When prompted allow the Add-On/Active X to install.
    

•Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.

•Now click on Advanced Settings and select the following:

 

•Scan for potentially unwanted applications

•Scan for potentially unsafe applications

•Enable Anti-Stealth Technology

•Push the Start button.

•The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.

 

•When completed the Online Scan will begin automatically.

 

•Do not touch either the Mouse or keyboard during the scan otherwise it may stall.

 

•When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!

•Push http://i424.photobucket.com/albums/pp322/digistar/esetFinish.png

•Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.

•Copy and paste that log as a reply to this topic.

 

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

[blacksea]

Eset found no threats. There are many other onlinescanners, I can try some of the other AV companies maybe one of them will find some threats?

[Superdave]

I'm convinced that your computer is clean. The only issues are all these hits on your firewall . I did a search of two of the IP addresses in one of your thumbnails with this site and this is what I found:

217.31.57.177= IGnum s.r.o. Praque

92.242.144.10= Barefruit Ltd. UK

192.168.1.254= Unknown

217.31.57.180= Ignum s.r.o.Praque

 

You can also check some of them with that site and see what you turn. You said that you have the Avast Firewall but I noticed that you also had Comodo on your computer. Why not do a little test. Disable the Avast firewall and enable the Comodo one and see what happens. Could you also run RKU and post the log on Wikisend. I can no longer see that file.