Author Topic: Security tool malware  (Read 13510 times)


essexboy

  • Malware removal instructor
Re: Security tool malware
« Reply #15 on: October 26, 2009, 09:10:00 PM »
    Hi, could you run these two programmes so that I can see what you have.

    Please save this file to your desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with Notepad and post the contents here.

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive.
  • Open on your desktop.
  • Click the tab.
  • Click the button.
  • Check all seven boxes:
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

ineedhelp09

  • Guest
Re: Security tool malware
« Reply #16 on: October 29, 2009, 01:31:50 PM »
Running from: C:\removesecuirtytool\Win32kDiag.exe

Log file at : C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Finished!


ineedhelp09

  • Guest
Re: Security tool malware
« Reply #17 on: October 29, 2009, 02:34:09 PM »
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:      2009/10/29 08:33
Program Version:      Version 1.3.5.0
Windows Version:      Windows XP SP3
==================================================

Drivers
-------------------
Name:         
Image Path:         
Address: 0xF83A2000   Size: 98304   File Visible: No   Signed: -
Status: -

Name:         
Image Path:         
Address: 0x00000000   Size: 0   File Visible: No   Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEE26F000   Size: 98304   File Visible: No   Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF89BD000   Size: 8192   File Visible: No   Signed: -
Status: -

Name: hiber_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\hiber_WMILIB.SYS
Address: 0xF8A09000   Size: 8192   File Visible: No   Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEC4A5000   Size: 49152   File Visible: No   Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\owner\local settings\temp\uac8c31.tmp
Status: Allocation size mismatch (API: 81920, Raw: 0)

Path: c:\documents and settings\guest\local settings\temporary internet files\content.ie5\wvqpuvb2\ma[1].jpg
Status: Allocation size mismatch (API: 65536, Raw: 0)

Path: C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\M6ZBEIYP\s1014414466_3932[1].jpg
Status: Could not get file information (Error 0xc0000008)

SSDT
-------------------
#: 025   Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xee2b3618

#: 041   Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xee2b34d4

#: 045   Function Name: NtCreatePagingFile
Status: Hooked by "d347bus.sys" at address 0xf8419a20

#: 065   Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xee2b39b2

#: 068   Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xee2b30ac

#: 071   Function Name: NtEnumerateKey
Status: Hooked by "d347bus.sys" at address 0xf841a2a8

#: 073   Function Name: NtEnumerateValueKey
Status: Hooked by "d347bus.sys" at address 0xf8425910

#: 119   Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xee2b35ae

#: 122   Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xee2b2fec

#: 128   Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xee2b3050

#: 160   Function Name: NtQueryKey
Status: Hooked by "d347bus.sys" at address 0xf841a2c8

#: 177   Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xee2b36ce

#: 204   Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xee2b368e

#: 241   Function Name: NtSetSystemPowerState
Status: Hooked by "d347bus.sys" at address 0xf84250b0

#: 247   Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xee2b380e
« Last Edit: October 29, 2009, 02:37:36 PM by ineedhelp09 »

ineedhelp09

  • Guest
Re: Security tool malware
« Reply #18 on: October 29, 2009, 02:38:41 PM »
Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System   Address: 0x82d9ee78   Size: 11

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System   Address: 0x82858c00   Size: 11

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System   Address: 0x82a5a428   Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_NAMED_PIPE]
Process: System   Address: 0x82a5a428   Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System   Address: 0x82a5a428   Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System   Address: 0x82a5a428   Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System   Address: 0x82a5a428   Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_INFORMATION]
Process: System   Address: 0x82a5a428   Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_INFORMATION]
Process: System   Address: 0x82a5a428   Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_EA]
Process: System   Address: 0x82a5a428   Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_EA]
Process: System   Address: 0x82a5a428   Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System   Address: 0x82a5a428   Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System   Address: 0x82a5a428   Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System   Address: 0x82a5a428   Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DIRECTORY_CONTROL]
Process: System   Address: 0x82a5a428   Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System   Address: 0x82a5a428   Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System   Address: 0x82a5a428   Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System   Address: 0x82a5a428   Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System   Address: 0x82a5a428   Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_LOCK_CONTROL]
Process: System   Address: 0x82a5a428   Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLEANUP]
Process: System   Address: 0x82a5a428   Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_MAILSLOT]
Process: System   Address: 0x82a5a428   Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_SECURITY]
Process: System   Address: 0x82a5a428   Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_SECURITY]
Process: System   Address: 0x82a5a428   Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System   Address: 0x82a5a428   Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System   Address: 0x82a5a428   Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CHANGE]
Process: System   Address: 0x82a5a428   Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_QUOTA]
Process: System   Address: 0x82a5a428   Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_QUOTA]
Process: System   Address: 0x82a5a428   Size: 99

ineedhelp09

  • Guest
Re: Security tool malware
« Reply #19 on: October 29, 2009, 02:39:12 PM »

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System   Address: 0x82a5a428   Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System   Address: 0x82988f00   Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE_NAMED_PIPE]
Process: System   Address: 0x82988f00   Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System   Address: 0x82988f00   Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_READ]
Process: System   Address: 0x82988f00   Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_WRITE]
Process: System   Address: 0x82988f00   Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_INFORMATION]
Process: System   Address: 0x82988f00   Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_INFORMATION]
Process: System   Address: 0x82988f00   Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_EA]
Process: System   Address: 0x82988f00   Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_EA]
Process: System   Address: 0x82988f00   Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_FLUSH_BUFFERS]
Process: System   Address: 0x82988f00   Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System   Address: 0x82988f00   Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System   Address: 0x82988f00   Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_DIRECTORY_CONTROL]
Process: System   Address: 0x82988f00   Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System   Address: 0x82988f00   Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System   Address: 0x82988f00   Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System   Address: 0x82988f00   Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SHUTDOWN]
Process: System   Address: 0x82988f00   Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_LOCK_CONTROL]
Process: System   Address: 0x82988f00   Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CLEANUP]
Process: System   Address: 0x82988f00   Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE_MAILSLOT]
Process: System   Address: 0x82988f00   Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_SECURITY]
Process: System   Address: 0x82988f00   Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_SECURITY]
Process: System   Address: 0x82988f00   Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System   Address: 0x82988f00   Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
Process: System   Address: 0x82988f00   Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CHANGE]
Process: System   Address: 0x82988f00   Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_QUOTA]
Process: System   Address: 0x82988f00   Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_QUOTA]
Process: System   Address: 0x82988f00   Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System   Address: 0x82988f00   Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_CREATE]
Process: System   Address: 0x82a61a88   Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_CREATE_NAMED_PIPE]
Process: System   Address: 0x82a61a88   Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_CLOSE]
Process: System   Address: 0x82a61a88   Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_READ]
Process: System   Address: 0x82a61a88   Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_WRITE]
Process: System   Address: 0x82a61a88   Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_QUERY_INFORMATION]
Process: System   Address: 0x82a61a88   Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_SET_INFORMATION]
Process: System   Address: 0x82a61a88   Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_QUERY_EA]
Process: System   Address: 0x82a61a88   Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_SET_EA]
Process: System   Address: 0x82a61a88   Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_FLUSH_BUFFERS]
Process: System   Address: 0x82a61a88   Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System   Address: 0x82a61a88   Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System   Address: 0x82a61a88   Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_DIRECTORY_CONTROL]
Process: System   Address: 0x82a61a88   Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System   Address: 0x82a61a88   Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_DEVICE_CONTROL]
Process: System   Address: 0x82a61a88   Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System   Address: 0x82a61a88   Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_SHUTDOWN]
Process: System   Address: 0x82a61a88   Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_LOCK_CONTROL]
Process: System   Address: 0x82a61a88   Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_CLEANUP]
Process: System   Address: 0x82a61a88   Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_CREATE_MAILSLOT]
Process: System   Address: 0x82a61a88   Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_QUERY_SECURITY]
Process: System   Address: 0x82a61a88   Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_SET_SECURITY]
Process: System   Address: 0x82a61a88   Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_POWER]
Process: System   Address: 0x82a61a88   Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_SYSTEM_CONTROL]
Process: System   Address: 0x82a61a88   Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_DEVICE_CHANGE]
Process: System   Address: 0x82a61a88   Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_QUERY_QUOTA]
Process: System   Address: 0x82a61a88   Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_SET_QUOTA]
Process: System   Address: 0x82a61a88   Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_PNP]
Process: System   Address: 0x82a61a88   Size: 99

Object: Hidden Code [Driver: Rdbss, IRP_MJ_READ]
Process: System   Address: 0x82a370d0   Size: 11

Object: Hidden Code [Driver: InCDfs, IRP_MJ_READ]
Process: System   Address: 0x82a98fb0   Size: 11

Object: Hidden Code [Driver: Srv, IRP_MJ_READ]
Process: System   Address: 0x82bc6360   Size: 11

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System   Address: 0x82a200d0   Size: 11

Object: Hidden Code [Driver: NpfsЅం扏楄, IRP_MJ_READ]
Process: System   Address: 0x829c3228   Size: 11

Object: Hidden Code [Driver: Msfsȅఆ剒敬ఈ, IRP_MJ_READ]
Process: System   Address: 0x82a6ab58   Size: 11

Object: Hidden Code [Driver: Fs_Rec, IRP_MJ_READ]
Process: System   Address: 0x82aa5c10   Size: 11

Object: Hidden Code [Driver: CdfsЅ瑎てЁః瑎て, IRP_MJ_READ]
Process: System   Address: 0x828913c8   Size: 11

Object: Hidden Code [Driver: InCDrec, IRP_MJ_READ]
Process: System   Address: 0x82a6af10   Size: 11

==EOF==
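The report above lists fifteen SSDT hooks owned by two modules and several dozen "Hidden Code" entries, most of them the same address repeated for every IRP_MJ dispatch routine of one driver. Reading that by hand is error-prone, so here is a small triage script, added as an example for this page (it was not posted in the thread and is not part of RootRepeal), that parses the SSDT and Stealth Objects sections in the format shown above and groups the findings by the module that owns them. The allow-list of expected SSDT hookers is an analyst-supplied assumption (here only aswSP.SYS, Avast's self-protection driver); whether d347bus.sys is legitimate on this machine is left for the analyst to confirm. The embedded sample is a constructed subset of the posted report.

```python
"""Triage helper for RootRepeal text reports (added example, not thread code)."""
import re
from collections import defaultdict

# Analyst-supplied assumption, not something the report asserts: modules whose
# SSDT hooks are expected on this machine. aswSP.SYS is Avast's self-protection
# driver, so its NtOpenProcess/NtCreateKey hooks are accounted for.
EXPECTED_SSDT_HOOKERS = {"aswsp.sys"}

SSDT_RE = re.compile(
    r'#:\s*(?P<idx>\d+)\s+Function Name:\s*(?P<fn>\S+)\s*\n'
    r'Status:\s*Hooked by "(?P<mod>[^"]+)" at address (?P<addr>0x[0-9a-fA-F]+)'
)
STEALTH_RE = re.compile(
    r'Object: Hidden Code \[Driver: (?P<drv>[^,]+), (?P<irp>IRP_MJ_\w+)\]\s*\n'
    r'Process: (?P<proc>\S+)\s+Address: (?P<addr>0x[0-9a-fA-F]+)\s+Size: (?P<size>\d+)'
)


def parse_ssdt(report):
    """One dict per hooked SSDT entry. The module is reduced to a lower-cased
    basename so 'C:\\...\\aswSP.SYS' and 'aswsp.sys' count as the same owner."""
    hooks = []
    for m in SSDT_RE.finditer(report):
        module = m.group("mod").replace("\\", "/").rsplit("/", 1)[-1].lower()
        hooks.append({"index": int(m.group("idx")), "function": m.group("fn"),
                      "module": module, "address": int(m.group("addr"), 16)})
    return hooks


def parse_stealth(report):
    """One dict per 'Hidden Code' entry in the Stealth Objects section."""
    return [{"driver": m.group("drv").strip(), "irp": m.group("irp"),
             "process": m.group("proc"), "address": int(m.group("addr"), 16),
             "size": int(m.group("size"))}
            for m in STEALTH_RE.finditer(report)]


def ssdt_by_module(hooks):
    """Map each hooking module to the syscalls it hooks, in report order."""
    by_mod = defaultdict(list)
    for h in hooks:
        by_mod[h["module"]].append(h["function"])
    return dict(by_mod)


def unexpected_ssdt_hooks(hooks, expected=EXPECTED_SSDT_HOOKERS):
    """Hooks owned by a module the analyst has not already accounted for."""
    return [h for h in hooks if h["module"] not in expected]


def stealth_summary(objs):
    """Per driver: how many IRP_MJ entries are patched and whether they all
    resolve to one address. A single 11-byte patch on IRP_MJ_READ and a whole
    dispatch table redirected to one routine are different findings."""
    per = defaultdict(lambda: {"irps": set(), "addresses": set(), "sizes": set()})
    for o in objs:
        d = per[o["driver"]]
        d["irps"].add(o["irp"])
        d["addresses"].add(o["address"])
        d["sizes"].add(o["size"])
    return {drv: {"irp_count": len(d["irps"]),
                  "single_target": len(d["irps"]) > 1 and len(d["addresses"]) == 1,
                  "sizes": sorted(d["sizes"])}
            for drv, d in per.items()}


def triage(report):
    hooks = parse_ssdt(report)
    return {"ssdt_by_module": ssdt_by_module(hooks),
            "unexpected_ssdt": unexpected_ssdt_hooks(hooks),
            "stealth": stealth_summary(parse_stealth(report))}


# Constructed sample: a subset of the report posted above, in RootRepeal's format.
SAMPLE_REPORT = """\
SSDT
-------------------
#: 025   Function Name: NtClose
Status: Hooked by "C:\\WINDOWS\\System32\\Drivers\\aswSP.SYS" at address 0xee2b3618

#: 045   Function Name: NtCreatePagingFile
Status: Hooked by "d347bus.sys" at address 0xf8419a20

#: 071   Function Name: NtEnumerateKey
Status: Hooked by "d347bus.sys" at address 0xf841a2a8

#: 122   Function Name: NtOpenProcess
Status: Hooked by "C:\\WINDOWS\\System32\\Drivers\\aswSP.SYS" at address 0xee2b2fec

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System   Address: 0x82d9ee78   Size: 11

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System   Address: 0x82988f00   Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System   Address: 0x82988f00   Size: 99
"""

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_REPORT), indent=2))
```

Run it against the full saved RootRepeal.txt by reading the file into `triage()`; on the sample it reports the two d347bus.sys hooks as unaccounted for and flags atapi as a driver whose patched dispatch entries all share one 99-byte target, which is the pattern the Cdrom, atapi and d347prt sections above show in full.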

ineedhelp09

  • Guest
Re: Security tool malware
« Reply #20 on: October 31, 2009, 04:56:14 PM »


I was able to temporarily enable Task Manager. I killed a process called winupdate.exe and the red circle with an X in the bottom-right bar went away. The thing is, I have to do this every time after a restart though. Does this help in devising a permanent solution?

ineedhelp09

  • Guest
Re: Security tool malware
« Reply #21 on: November 06, 2009, 04:52:46 AM »

SOS

Something new came up.

I got this from using the Firefox browser:

Sorry. Service is temporary unavailable!

The server is currently unable to handle the request due to a temporary overloading or maintenance of the server. The implication is that this is a temporary condition which will be alleviated after some delay.

I had to try a web address several times sometimes to get it to work for certain sites. Do you think those damn Security Tool malware bastards are trying other means to mess me up after I found a way to eliminate their malware running in my desktop background?

Does anyone have any ideas on how to solve this new problem?

« Last Edit: November 06, 2009, 04:56:06 AM by ineedhelp09 »

ineedhelp09

  • Guest
Re: Security tool malware
« Reply #22 on: November 06, 2009, 05:35:04 AM »
Damn, the problem is worse than I thought.

Google search engine wouldn't let me search:

We're sorry...
... but your computer or network may be sending automated queries. To protect our users, we can't process your request right now.

Need urgent help to resolve this problem!

ineedhelp09

  • Guest
Re: Security tool malware
« Reply #23 on: November 07, 2009, 05:56:06 AM »

Some new malware snuck onto my PC. It's called something like Anti Virus Plus or something. Its desktop icon links to the system32 folder, to a file called rundll32. That's also the name under Task Manager.

ineedhelp09

  • Guest
Re: Security tool malware
« Reply #24 on: November 07, 2009, 06:07:40 AM »
About the search engine issue: it appeared that I had to connect to use the search engine right, but I didn't have to do that before. Don't know if this is related to Security Tool.

There's something else: sometimes Internet Explorer pops out a myriad of windows and I have to close them all as a group to get rid of them. Does anyone have a temporary/permanent solution to this?