rootkit.agent infection

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-23 18:28:15
Windows 6.0.6002 Service Pack 2
Running: 1wsqdvkk.exe; Driver: C:\Users\SLEEPY~1\AppData\Local\Temp\kwtdapog.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8A406340, 0x3E9407, 0xE8000020]
? C:\ComboFix\catchme.sys The system cannot find the file specified. !
? C:\Windows\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\RRbackups\common 0 bytes
File C:\RRbackups\common\bmgrmode.dat 29 bytes
File C:\RRbackups\common\css.dat 8192 bytes
File C:\RRbackups\common\hints.dat 8192 bytes
File C:\RRbackups\common\mnd.dat 8192 bytes
File C:\RRbackups\common\regcerts.dat 8192 bytes
File C:\RRbackups\common\restore.log 110 bytes
File C:\RRbackups\common\rr.log 126511 bytes
File C:\RRbackups\common\rr_bcdenum.dat 3572 bytes
File C:\RRbackups\common\SAM 65536 bytes
File C:\RRbackups\common\secpolicy.dat 24576 bytes
File C:\RRbackups\common\settings.dat 32768 bytes
File C:\RRbackups\common\system.dat 12288 bytes
File C:\RRbackups\common\tvtcmn.dat 8192 bytes
File C:\RRbackups\common\tvtns.bin 23 bytes
File C:\RRbackups\common\usersids.dat 16640 bytes
File C:\RRbackups\Documents and Settings 0 bytes
File C:\RRbackups\Documents and Settings\Administrator 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Lenovo 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Lenovo\Client Security Solution 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Crypto 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Crypto\RSA 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2849236651-842032116-1033965791-500 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2849236651-842032116-1033965791-500\a18ca4003deb042bbee7a40f15e1970b_99fd3083-5d6e-4542-a832-403d0623cc62 54 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Protect 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Protect\CREDHIST 24 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-2152478756-3922319563-605102323-500 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-2152478756-3922319563-605102323-500\95da33f4-6655-4faf-86fe-5159865c990d 388 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-2152478756-3922319563-605102323-500\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-2849236651-842032116-1033965791-500 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-2849236651-842032116-1033965791-500\b411b1f8-7db1-4688-875d-feea670a126f 388 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-2849236651-842032116-1033965791-500\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\SystemCertificates 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs 0 bytes
File C:\RRbackups\Documents and Settings\Default 0 bytes
File C:\RRbackups\Documents and Settings\Default\AppData 0 bytes
File C:\RRbackups\Documents and Settings\Default\AppData\Roaming 0 bytes
File C:\RRbackups\Documents and Settings\Default\AppData\Roaming\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\Default\AppData\Roaming\Microsoft\Protect 0 bytes
File C:\RRbackups\Documents and Settings\Default\AppData\Roaming\Microsoft\Protect\CREDHIST 24 bytes
File C:\RRbackups\Documents and Settings\Default\AppData\Roaming\Microsoft\Protect\S-1-5-21-2152478756-3922319563-605102323-500 0 bytes
File C:\RRbackups\Documents and Settings\Default\AppData\Roaming\Microsoft\Protect\S-1-5-21-2152478756-3922319563-605102323-500\95da33f4-6655-4faf-86fe-5159865c990d 388 bytes
File C:\RRbackups\Documents and Settings\Default\AppData\Roaming\Microsoft\Protect\S-1-5-21-2152478756-3922319563-605102323-500\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Default\AppData\Roaming\Microsoft\SystemCertificates 0 bytes
File C:\RRbackups\Documents and Settings\Default\AppData\Roaming\Microsoft\SystemCertificates\My 0 bytes
File C:\RRbackups\Documents and Settings\Default\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates 0 bytes
File C:\RRbackups\Documents and Settings\Default\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs 0 bytes
File C:\RRbackups\Documents and Settings\Default\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs 0 bytes
File C:\RRbackups\Documents and Settings\Default User 0 bytes
File C:\RRbackups\Documents and Settings\Default User\AppData 0 bytes
File C:\RRbackups\Documents and Settings\Default User\AppData\Roaming 0 bytes
File C:\RRbackups\Documents and Settings\Default User\AppData\Roaming\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\Default User\AppData\Roaming\Microsoft\Protect 0 bytes
File C:\RRbackups\Documents and Settings\Default User\AppData\Roaming\Microsoft\Protect\CREDHIST 24 bytes
File C:\RRbackups\Documents and Settings\Default User\AppData\Roaming\Microsoft\Protect\S-1-5-21-2152478756-3922319563-605102323-500 0 bytes
File C:\RRbackups\Documents and Settings\Default User\AppData\Roaming\Microsoft\Protect\S-1-5-21-2152478756-3922319563-605102323-500\95da33f4-6655-4faf-86fe-5159865c990d 388 bytes
File C:\RRbackups\Documents and Settings\Default User\AppData\Roaming\Microsoft\Protect\S-1-5-21-2152478756-3922319563-605102323-500\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Default User\AppData\Roaming\Microsoft\SystemCertificates 0 bytes
File C:\RRbackups\Documents and Settings\Default User\AppData\Roaming\Microsoft\SystemCertificates\My 0 bytes
File C:\RRbackups\Documents and Settings\Default User\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates 0 bytes
File C:\RRbackups\Documents and Settings\Default User\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs 0 bytes
File C:\RRbackups\Documents and Settings\Default User\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs 0 bytes
File C:\RRbackups\Documents and Settings\Sleepy_Dragon 0 bytes
File C:\RRbackups\Documents and Settings\Sleepy_Dragon\AppData 0 bytes
File C:\RRbackups\Documents and Settings\Sleepy_Dragon\AppData\Roaming 0 bytes
File C:\RRbackups\Documents and Settings\Sleepy_Dragon\AppData\Roaming\Lenovo 0 bytes
File C:\RRbackups\Documents and Settings\Sleepy_Dragon\AppData\Roaming\Lenovo\Client Security Solution 0 bytes
File C:\RRbackups\Documents and Settings\Sleepy_Dragon\AppData\Roaming\Lenovo\Client Security Solution\hibernation.dat 4 bytes
File C:\RRbackups\Documents and Settings\Sleepy_Dragon\AppData\Roaming\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\Sleepy_Dragon\AppData\Roaming\Microsoft\Crypto 0 bytes
File C:\RRbackups\Documents and Settings\Sleepy_Dragon\AppData\Roaming\Microsoft\Crypto\RSA 0 bytes
File C:\RRbackups\Documents and Settings\Sleepy_Dragon\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2849236651-842032116-1033965791-1005 0 bytes
File C:\RRbackups\Documents and Settings\Sleepy_Dragon\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2849236651-842032116-1033965791-1005\62a45886e06c7d046ea8b819bec0598a_99fd3083-5d6e-4542-a832-403d0623cc62 45 bytes
File C:\RRbackups\Documents and Settings\Sleepy_Dragon\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2849236651-842032116-1033965791-1005\6b29ae44e85efac3c72ff4d1865d73f1_99fd3083-5d6e-4542-a832-403d0623cc62 53 bytes
File C:\RRbackups\Documents and Settings\Sleepy_Dragon\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2849236651-842032116-1033965791-1005\83aa4cc77f591dfc2374580bbd95f6ba_99fd3083-5d6e-4542-a832-403d0623cc62 45 bytes
File C:\RRbackups\Documents and Settings\Sleepy_Dragon\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2849236651-842032116-1033965791-1005\8f71098770f72c7a67cd8f1151619865_99fd3083-5d6e-4542-a832-403d0623cc62 54 bytes
File C:\RRbackups\Documents and Settings\Sleepy_Dragon\AppData\Roaming\Microsoft\Protect 0 bytes
File C:\RRbackups\Documents and Settings\Sleepy_Dragon\AppData\Roaming\Microsoft\Protect\CREDHIST 24 bytes
File C:\RRbackups\Documents and Settings\Sleepy_Dragon\AppData\Roaming\Microsoft\Protect\S-1-5-21-2152478756-3922319563-605102323-500 0 bytes
File C:\RRbackups\Documents and Settings\Sleepy_Dragon\AppData\Roaming\Microsoft\Protect\S-1-5-21-2152478756-3922319563-605102323-500\95da33f4-6655-4faf-86fe-5159865c990d 388 bytes
File C:\RRbackups\Documents and Settings\Sleepy_Dragon\AppData\Roaming\Microsoft\Protect\S-1-5-21-2152478756-3922319563-605102323-500\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Sleepy_Dragon\AppData\Roaming\Microsoft\Protect\S-1-5-21-2849236651-842032116-1033965791-1005 0 bytes
File C:\RRbackups\Documents and Settings\Sleepy_Dragon\AppData\Roaming\Microsoft\Protect\S-1-5-21-2849236651-842032116-1033965791-1005\1b47500c-81dc-4732-ad3b-7bbe03237bb2 388 bytes
File C:\RRbackups\Documents and Settings\Sleepy_Dragon\AppData\Roaming\Microsoft\Protect\S-1-5-21-2849236651-842032116-1033965791-1005\3e3e099c-9ca4-4819-a8db-60c6298c3e29 388 bytes
File C:\RRbackups\Documents and Settings\Sleepy_Dragon\AppData\Roaming\Microsoft\Protect\S-1-5-21-2849236651-842032116-1033965791-1005\4293a67e-25da-4d26-8cbf-ff2c9310c4fc 388 bytes
File C:\RRbackups\Documents and Settings\Sleepy_Dragon\AppData\Roaming\Microsoft\Protect\S-1-5-21-2849236651-842032116-1033965791-1005\42d2eab5-c70d-4c8a-9c10-3b384d010470 388 bytes
File C:\RRbackups\Documents and Settings\Sleepy_Dragon\AppData\Roaming\Microsoft\Protect\S-1-5-21-2849236651-842032116-1033965791-1005\68a1fc59-b1ba-47ce-aae2-e9a6e5f6da5e 388 bytes
File C:\RRbackups\Documents and Settings\Sleepy_Dragon\AppData\Roaming\Microsoft\Protect\S-1-5-21-2849236651-842032116-1033965791-1005\9d816738-2e3c-4ad2-9819-05ab87aa4005 388 bytes
File C:\RRbackups\Documents and Settings\Sleepy_Dragon\AppData\Roaming\Microsoft\Protect\S-1-5-21-2849236651-842032116-1033965791-1005\d2229779-93ee-4d12-9548-3c865184c37d 388 bytes
File C:\RRbackups\Documents and Settings\Sleepy_Dragon\AppData\Roaming\Microsoft\Protect\S-1-5-21-2849236651-842032116-1033965791-1005\f3956a03-a6d3-4b11-ad2f-3b31c3935da4 388 bytes
File C:\RRbackups\Documents and Settings\Sleepy_Dragon\AppData\Roaming\Microsoft\Protect\S-1-5-21-2849236651-842032116-1033965791-1005\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Sleepy_Dragon\AppData\Roaming\Microsoft\SystemCertificates 0 bytes
File C:\RRbackups\Documents and Settings\Sleepy_Dragon\AppData\Roaming\Microsoft\SystemCertificates\My 0 bytes
File C:\RRbackups\Documents and Settings\Sleepy_Dragon\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates 0 bytes
File C:\RRbackups\Documents and Settings\Sleepy_Dragon\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs 0 bytes
File C:\RRbackups\Documents and Settings\Sleepy_Dragon\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs 0 bytes
File C:\RRbackups\ProgramData 0 bytes
File C:\RRbackups\ProgramData\Lenovo 0 bytes
File C:\RRbackups\ProgramData\Lenovo\Client Security Solution 0 bytes
File C:\RRbackups\ProgramData\Lenovo\Client Security Solution\cspContainer.dat 332 bytes
File C:\RRbackups\ProgramData\Microsoft 0 bytes
File C:\RRbackups\ProgramData\Microsoft\Crypto 0 bytes
File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA 0 bytes
File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\MachineKeys 0 bytes
File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fc1e3851f429ea606d6ff1e01a5229f1_99fd3083-5d6e-4542-a832-403d0623cc62 52 bytes
File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 0 bytes
File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\62a45886e06c7d046ea8b819bec0598a_99fd3083-5d6e-4542-a832-403d0623cc62 45 bytes
File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_99fd3083-5d6e-4542-a832-403d0623cc62 47 bytes
File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\8f71098770f72c7a67cd8f1151619865_99fd3083-5d6e-4542-a832-403d0623cc62 54 bytes
File C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\d42cc0c3858a58db2db37658219e6400_99fd3083-5d6e-4542-a832-403d0623cc62 893 bytes

---- EOF - GMER 1.0.15 ----

Actually looking back, I saw that file but didn't list it for deletion. MBAM should have killed it, and it shouldn't come back this time.

Run another scan, see if it keeps showing up.

All clean! Thank you!

So at the moment, I've still got CD emulation disabled via defogger, and I've deleted all of the anti-spyware, anti-virus and malware programs I'd dl
d, except for MBAM.

Which programs would be best to reacquire, and when can I have defogger enable CD emulation, if at all? Anything else I should do?

Thank you,
Pat

You can turn the emulation drivers back on now.

Ok, done. Thank you!

Last question: which antivirus/spyware/malware programs would be best to download to keep running in the background?

Thank you,
Pat

You aren't running Anti Virus Software

Please install Avira antivirus otherwise you won't be protected.

1) Antivir PersonalEditionClassic
-Free anti-virus software for Windows.
-Detects and removes more than 50,000 viruses. Free support.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.

MBAM is also a good program to keep.

Hello:

I am having trouble with Antivir. Seems to be installed correctly, but whenever I attempt to run a full scan, it hangs at the 29% mark while reading files. I've left it alone for two hours, but no go. Then I have to unplug my PC in order to reboot twice to get my PC to work again, because the first reboot hangs too.

What should I be looking for to fix this?

Pat

What file does it get stuck off?

I am not sure, it's just a series of numbers and letters in curly brackets.

Should I rerun it and note the name? (I may not be able to get the entire file name, when it sticks like that I can't stretch the windows wider to see the name)

Pat

Yes, please note me the name.

Hello:

I just did two scans, with slightly different results.

The first, I had Opera running in the background, and when it got to the following file, my PC crashed:
c:\System Volume Information\{21a0b47f-09fd-11df-9a27-0015055d02ca}{3808876b-c176-4e48-b7ae-04046e6cc752}

The second scan, I had nothing running in the background, and was able to stop the scan without crashing when it hung:
c:\System Volume Information\{0a2e605a-0ac3-11df-9638-0015055d02ca}{3808876b-c176-4e48-b7ae-04046e6cc752}

Thank you,
Pat

Just two system restore points.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to the turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.

Ok, done. That took care of the hanging and crashing. Now there's just this one bit which showed up at the end of AntiVir's log:

Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.


End of the scan: Tuesday, January 26, 2010 22:13
Used time: 51:16 Minute(s)

The scan has been done completely.

24894 Scanned directories
381962 Files were scanned
0 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
1 Files cannot be scanned
381961 Files not concerned
12878 Archives were scanned
1 Warnings
1 Notes
36529 Objects were scanned with rootkit scan
0 hȋdden objects were found

Is it something of concern?

Pat

No, the locked files are Windows files and locked for a reason.

Alright then! My PC is clean and happy! Thank you very much for your assistance. My donation is on its way.

Best wishes,
Pat