Solved

Help reading GMER log - am I still infected

Posted on 2010-09-24
1,435 Views
Last Modified: 2013-11-22
Hello,
I got whacked Monday with a fake Microsoft Security Essentials.  While attempting to clean it I got hit with what Symantec calls "Boot.Tidserv" - little bugger infected my MBR - I removed it with TDSSKiller.exe from Kaspersky, which is a stand-alone tool created to clean this infection.  Of course I had multiple spyware / viral problems - I used Malwarebytes, SuperAntispyware, and Spybot multiple times to clean up everything.  Additionally I have run Panda's online scanner, Eset Online scanner, Blacklight and now GMER.  Any infections that were detected I researched their damage and removed or fixed what I found... meaning added registry entries, directories etc.

I feel I'm at the final stage of clean up; however, I don't know how to interpret GMER's output / log.  Below is the log after I ran GMER - would someone please take a look and tell me if it looks like I'm NOT still infected by a rootkit.  (Nothing came up in RED in GMER.)

Thank you

GMER LOG

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-09-23 16:11:14
Windows 5.1.2600 Service Pack 3
Running: rj5xekhw.exe; Driver: C:\DOCUME~1\BSOBOC~1\LOCALS~1\Temp\kwtdqpow.sys


---- System - GMER 1.0.15 ----

SSDT            8A670A68                                                                                                                                                                   ZwConnectPort
SSDT            \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)                                                                                   ZwDeleteValueKey [0xB309BDC0]
SSDT            \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)                                                                                   ZwSetValueKey [0xB309C020]

---- Kernel code sections - GMER 1.0.15 ----

.text           C:\WINDOWS\system32\DRIVERS\nv4_mini.sys                                                                                                                                   section is writeable [0xB85F1360, 0x37388D, 0xE8000020]

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs                                                                                                                                                     SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice  \Driver\Tcpip \Device\Ip                                                                                                                                                   SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                                                                                                  SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume1                                                                                                                                     snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice  \Driver\Tcpip \Device\Udp                                                                                                                                                  SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                                                                                                SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- Registry - GMER 1.0.15 ----

Reg             HKLM\SOFTWARE\Classes\CLSID\{05AF50AA-22D7-AA1D-A4F48F393CAE2202}\{78C6AA3D-BD77-7FA2-B188C82FA3887936}\{102B7915-3D5B-6524-E77B0FDDDBDD9024}                              
Reg             HKLM\SOFTWARE\Classes\CLSID\{05AF50AA-22D7-AA1D-A4F48F393CAE2202}\{78C6AA3D-BD77-7FA2-B188C82FA3887936}\{102B7915-3D5B-6524-E77B0FDDDBDD9024}@RTPQMSV6Q4TS2B3CLDVTIWDONA1  0x01 0x00 0x01 0x00 ...

---- EOF - GMER 1.0.15 ----


0
Question by:high_sobo
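The log above is read by hand in the replies that follow. As an added example (not part of the question, and not code from GMER or from anyone in this thread), here is a small Python triage script that applies the checks a reader would do on such a log: an SSDT entry that points at a bare kernel address with no module claiming it, hooks and filter drivers attributed to a vendor that is not on an allow-list of what is installed, writeable kernel code sections, and registry key names that look like CLSIDs but are not well-formed GUIDs (a real GUID is 8-4-4-4-12 hex digits). The sample log is constructed to mirror the shape of the posted one, and the vendor allow-list is an assumption for the example; a run that produces no "review" items is a reason to look elsewhere, not proof that the box is clean.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of a GMER 1.0.15 log (columns separated by two or
# more spaces, as in the real log); it is not a capture from the host in this thread.
SAMPLE_LOG = r"""
GMER 1.0.15.15281 - http://www.gmer.net
---- System - GMER 1.0.15 ----
SSDT  8A670A68  ZwConnectPort
SSDT  \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)  ZwDeleteValueKey [0xB309BDC0]
SSDT  \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)  ZwSetValueKey [0xB309C020]
---- Kernel code sections - GMER 1.0.15 ----
.text  C:\WINDOWS\system32\DRIVERS\nv4_mini.sys  section is writeable [0xB85F1360, 0x37388D, 0xE8000020]
---- Devices - GMER 1.0.15 ----
AttachedDevice  \FileSystem\Ntfs \Ntfs  SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume1  snapman.sys (Acronis Snapshot API/Acronis)
---- Registry - GMER 1.0.15 ----
Reg  HKLM\SOFTWARE\Classes\CLSID\{05AF50AA-22D7-AA1D-A4F48F393CAE2202}\{78C6AA3D-BD77-7FA2-B188C82FA3887936}\{102B7915-3D5B-6524-E77B0FDDDBDD9024}
Reg  HKLM\SOFTWARE\Classes\CLSID\{05AF50AA-22D7-AA1D-A4F48F393CAE2202}\{78C6AA3D-BD77-7FA2-B188C82FA3887936}\{102B7915-3D5B-6524-E77B0FDDDBDD9024}@RTPQMSV6Q4TS2B3CLDVTIWDONA1  0x01 0x00 0x01 0x00 ...
---- EOF - GMER 1.0.15 ----
"""

# Assumption: vendors whose kernel hooks and filter drivers are expected because their
# products are installed on the host. Illustrative only; match it to the real install.
KNOWN_VENDORS = {"symantec corporation", "acronis", "microsoft corporation"}

SECTION_RE = re.compile(r"^---- (.+?) - GMER .*----$")
ADDR_RE = re.compile(r"^[0-9A-F]{8}$", re.I)        # bare kernel address, no module
VENDOR_RE = re.compile(r"\(([^()]*)\)\s*$")           # GMER's "(Description/Vendor)" suffix
GUID_RE = re.compile(r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$", re.I)


@dataclass
class Finding:
    level: str      # "info" = expected or explainable, "review" = needs a human look
    section: str
    item: str
    note: str


def vendor_of(field: str) -> Optional[str]:
    """Return the lower-cased vendor from a 'module (Description/Vendor)' field, or None."""
    m = VENDOR_RE.search(field)
    return m.group(1).rsplit("/", 1)[-1].strip().lower() if m else None


def _vendor_finding(section: str, item: str, what: str, field: str) -> Finding:
    v = vendor_of(field)
    return Finding("info" if v in KNOWN_VENDORS else "review", section, item,
                   f"{what} by {v or 'unknown vendor'}")


def triage(log_text: str) -> List[Finding]:
    """Walk a GMER log and classify each reported entry as 'info' or 'review'."""
    findings: List[Finding] = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        fields = re.split(r"\s{2,}", line)
        kind = fields[0]
        if kind == "SSDT" and len(fields) >= 3:
            target, func = fields[1], fields[2]
            if ADDR_RE.match(target):
                # A hooked system service with no owning module is the classic rootkit shape.
                findings.append(Finding("review", section, func,
                                        f"hook points to bare address {target}; no module claims it"))
            else:
                findings.append(_vendor_finding(section, func, "SSDT hook", target))
        elif kind == "AttachedDevice" and len(fields) >= 3:
            driver = fields[2].split(" ", 1)[0]
            findings.append(_vendor_finding(section, fields[1], f"filter driver {driver}", fields[2]))
        elif kind == ".text" and "writeable" in line and len(fields) >= 2:
            findings.append(Finding("info", section, fields[1],
                                    "writeable kernel code section; compare the file with the vendor's copy"))
        elif kind == "Reg" and len(fields) >= 2:
            path = fields[1]
            bad = [g for g in re.findall(r"\{[^{}]*\}", path) if not GUID_RE.match(g)]
            if bad:
                # Real CLSIDs are 8-4-4-4-12 hex; GUID look-alikes that are not are a red flag.
                findings.append(Finding("review", section, path,
                                        f"{len(bad)} malformed GUID-like key name(s): {', '.join(bad)}"))
            else:
                findings.append(Finding("info", section, path, "registry entry reported by GMER"))
    return findings


def needs_review(findings: List[Finding]) -> List[Finding]:
    return [f for f in findings if f.level == "review"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.level:6}] {f.section:21} {f.item}\n         {f.note}")
```

Run it against a saved GMER log with `triage(open("gmer.log").read())`; on the constructed sample it flags the bare-address ZwConnectPort hook and both Registry lines for review and files everything attributed to Symantec or Acronis as informational.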
7 Comments
 
LVL 7

Expert Comment

by:Christopher Martinez
ID: 33754899
It's impossible to tell from this log. It's not 'explicitly' stating there is a backdoor; however, those reg codes are gibberish to us. I would recommend checking them out to make sure they are legit. However, GMER is not stating that it found anything. Judging off this log file alone I would say there are no rootkits there, without knowing what's in those reg keys.
0
 
LVL 22

Expert Comment

by:optoma
ID: 33756445
Log looks ok.
Run this quick scanner to see if it detects anything outside of cookies.
Save Xml log if so
http://www.surfright.nl/en/hitmanpro
0
 

Author Comment

by:high_sobo
ID: 33756866
Bahpoopie,

Thanks - you are correct - those registry codes are looking like they came from the viral infection.  I cannot take permission of the final key - I can however view it in GMER - as soon as I went to screw with it with GMER open - whamo - my computer rebooted!  Sorry for the "sparse" posting; I know it didn't give you a complete picture of what is going on with my PC.  I'm going to look at a way to remove that registry key.

Again, I cannot take permission; I even tried in Safe Mode as the Administrator.  I'll let you know how I make out.

Thanks
0

 

Author Comment

by:high_sobo
ID: 33756878
optoma,

I will try the software and get back to you.

Thanks
0
 
LVL 7

Accepted Solution

by:Christopher Martinez (earned 500 total points)
ID: 33757012
With registry key permissions it's a bit of a pain to take back control. Generally you need to search for the key it's 'calling', generally a dll or whatnot, find it in the registry, change the permissions on THAT key to prevent the virus from taking back control, remove the key that's being called, then go back to the original key that can't be modified, take control of the *parent* directory and then make changes to the problem keys... this is a long drawn-out process and I don't envy you on this because it is very frustrating. Basically the root infection file is still active and alive and not being found. This is very common with these types of trojans... it can eventually be removed, but if you're looking for a guarantee that it will be gone for good, it will never happen. I would highly recommend a rebuild... I hate to say that, but these shifting trojans are generally timestamped to reinstall after so many weeks as is... so you never know where the root file is unless you get lucky through poorly designed registry keys.
Sorry to be so vague on this, but if you can provide back specifics on what you find throughout your search I will do my best to give you some tips and tricks.
0
 
LVL 2

Expert Comment

by:waldosmx
ID: 33757800
The log is OK.

First I want to look at your MBR because you had a rootkit.

Download here MBRCheck http://ad13.geekstogo.com/MBRCheck.exe 

Post a fresh log
0
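The suggestion above is to inspect the MBR itself, since the "Boot.Tidserv" infection lived there. As an added example (not from the thread, and not MBRCheck's code, whose internals this page does not describe), here is a Python checker that does what an analyst looks for in a 512-byte first sector: the 0x55AA boot signature, a sane partition table (exactly one active entry, valid status bytes, no overlapping entries), and, most importantly, whether the 440 bytes of boot code match a reference hash taken from a known-clean sector of the same Windows version. Bootkits of the TDSS/Tidserv family replace the boot code and leave the partition table alone, so a normal-looking partition layout proves nothing on its own. The reference hash, the sample sector and the simulated infection are all constructed here for the example.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import List

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440   # bytes 0..439 boot code; 440..445 disk signature + pad; 446..509 table
PT_OFFSET = 446


@dataclass
class Partition:
    index: int
    status: int      # 0x80 = active/bootable, 0x00 = inactive; anything else is invalid
    type_id: int
    lba_start: int
    sectors: int

    @property
    def used(self) -> bool:
        return self.type_id != 0 or self.sectors != 0


def parse_partition_table(sector: bytes) -> List[Partition]:
    """Decode the four 16-byte MBR partition entries (little-endian LBA fields)."""
    parts = []
    for i in range(4):
        status, _chs_start, type_id, _chs_end, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", sector, PT_OFFSET + 16 * i)
        parts.append(Partition(i, status, type_id, lba_start, sectors))
    return parts


def check_mbr(sector: bytes, reference_bootcode_sha256: str) -> List[str]:
    """Return a list of problems; an empty list means the sector passed every check."""
    if len(sector) != SECTOR_SIZE:
        return [f"expected {SECTOR_SIZE} bytes, got {len(sector)}"]
    issues = []
    if sector[510:512] != b"\x55\xaa":
        issues.append("missing 0x55AA boot signature")
    digest = hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()
    if digest != reference_bootcode_sha256:
        # TDSS-style bootkits overwrite this region and keep the partition table intact,
        # so the boot code comparison is the check that matters most.
        issues.append(f"boot code sha256 {digest[:16]}... does not match the reference")
    parts = [p for p in parse_partition_table(sector) if p.used]
    active = [p for p in parts if p.status == 0x80]
    if len(active) != 1:
        issues.append(f"{len(active)} active partition(s), expected exactly 1")
    for p in parts:
        if p.status not in (0x00, 0x80):
            issues.append(f"entry {p.index}: invalid status byte 0x{p.status:02x}")
        if p.type_id == 0 or p.sectors == 0:
            issues.append(f"entry {p.index}: type 0x{p.type_id:02x} with {p.sectors} sectors")
    spans = sorted((p.lba_start, p.lba_start + p.sectors, p.index) for p in parts)
    for (_, end_a, a), (start_b, _, b) in zip(spans, spans[1:]):
        if start_b < end_a:
            issues.append(f"entries {a} and {b} overlap")
    return issues


# --- constructed test data; none of this comes from the machine in this thread ---

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Assemble a 512-byte sector: boot code, disk signature, one active NTFS entry, 0x55AA."""
    assert len(boot_code) == BOOT_CODE_LEN
    disk_sig = b"\x12\x34\x56\x78\x00\x00"
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 20_000_000)
    return boot_code + disk_sig + entry + b"\x00" * 48 + b"\x55\xaa"


# Stand-in for clean boot code; in practice hash the sector saved from a known-clean
# machine running the same Windows version (assumption: such a reference is available).
GOOD_BOOT_CODE = bytes(range(256)) + bytes(range(184))
REFERENCE_SHA256 = hashlib.sha256(GOOD_BOOT_CODE).hexdigest()
CLEAN_MBR = build_sample_mbr(GOOD_BOOT_CODE)
# Simulated bootkit: first 16 bytes of boot code replaced, partition table untouched.
INFECTED_MBR = build_sample_mbr(b"\x90" * 16 + GOOD_BOOT_CODE[16:])

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        print(name, check_mbr(sector, REFERENCE_SHA256) or ["no issues"])
```

To run it against a real disk, read the first sector with `open(r"\\.\PhysicalDrive0", "rb").read(512)` as Administrator on Windows (or from `/dev/sda` on Linux). One caveat that matters for this family of bootkits: they intercept disk reads on the running system and can hand back the original, clean MBR, so read the sector from a rescue environment or with the disk attached to a clean machine before trusting the result.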
 

Author Comment

by:high_sobo
ID: 33783240
Bahpoopie,

I'm taking your advice on the rebuild.  As embarrassing as this is, I'm the IT / CAD Manager at a small Arch/Eng company.  When my PC got infected, I immediately unplugged it from our network.  I'm not a guru such as yourself, but I have cleaned a decent amount of infections on OTHER PEOPLE's computers - but this one is a whopper!  Needless to say I cannot afford to have my PC infected as I'm in and out of servers, workstations, etc. all day.

I did clean the MBR which Symantec detected as "Boot.Tidserv" with a Kaspersky utility.  Used Malwarebytes, Superantispyware, Spybot, manual attempts, Blacklight, Hijackthis, numerous rootkit detections - but something else is still there - you run a computer for a few years and you can gauge its speed and how it reacts!

I think you are 100% correct; my PC is infected with a hidden virus / rootkit.  While attempting to access that registry key, my computer rebooted... just to confirm that it wasn't hardware - which I'm 99% sure it wasn't - I again attempted to access the registry key with GMER - it rebooted - that and your advice is enough for me - I'm re-building it.

Anyway, I'm going to close the case and award you the points - thank you for your help!


0
