1. You are viewing our forum as a guest. For full access please Register. WindowsBBS.com is completely free, paid for by advertisers and donations.

Inactive Windows 7; same bluescreen. rootkit log inside

Discussion in 'Malware and Virus Removal Archive' started by clubECGR, 2010/05/13.

  1. 2010/05/13
    clubECGR

    clubECGR Inactive Thread Starter

    Joined:
    2008/10/15
    Messages:
    170
    Likes Received:
    0
    [Inactive] Windows 7; same bluescreen. rootkit log inside

    To anyone who's available to help me, this is the continuation of what I asked help from broni. We didn't finished it due to me having the decision on installing the brand new Windows 7. I already have Windows 7 and it seems I'm back again with same old problem on my last days with Windows Vista.

    Also, as I stated from before, in my original topic, this is a check up to see if my laptop has any malware-related bluescreen problems or a hardware-related problem. Thank you for your time.

    I just installed a clean Windows 7 as broni suggested instead of upgrading it. What seems to be a surprise is that after re-installing my programs, everytime I run a rootkit scanner, it bluescreen. But after running it in SafeMode, I successfully finished the rootkit scanner.

    There's something wrong with my PC in NORMAL mode where if I run the GMER rootkit scanner, it reboots. Except this time, I successfully scanned it in SafeMode.

    I'll provide a HJT/DDS log if necessary.

    PS: Broni, I hope we can finish this check up. I got Windows 7 installed and there's nothing to stop me from cleaning my PC. I apologize from before.

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-05-13 16:15:23
    Windows 6.1.7600
    Running: s21imyqs.exe; Driver: C:\Users\F@De\AppData\Local\Temp\kwlyqpod.sys


    ---- System - GMER 1.0.15 ----

    INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82435AF8
    INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82435104
    INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 824353F4
    INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8241E2D8
    INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8241D898
    INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 824351DC
    INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82435958
    INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 824356F8
    INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82435F2C
    INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 824361A8

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 8204E599 1 Byte [06]
    .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82072F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Windows\Explorer.EXE[1408] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74812494] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1408] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [747F5624] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1408] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [747F56E2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1408] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [7481250F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1408] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74808573] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1408] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74804D27] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1408] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [748050CE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1408] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [748051A3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1408] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [748066D0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1408] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [748082CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1408] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74808819] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1408] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7480907A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1408] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7480E21D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1408] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74804C59] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs AsDsm.sys (Data Security Manager Driver/Windows (R) Codename Longhorn DDK provider)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

    Device \Driver\ACPI_HAL \Device\00000050 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

    AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
    AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    Device \FileSystem\fastfat \Fat 93D36130

    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002243a02cfb
    Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002243a02cfb@0026682e9d0b 0x4F 0x47 0x0F 0x31 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002243a02cfb@0026cc1dd4fe 0x65 0x28 0xDC 0xDA ...
    Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002243a02cfb (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002243a02cfb@0026682e9d0b 0x4F 0x47 0x0F 0x31 ...
    Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002243a02cfb@0026cc1dd4fe 0x65 0x28 0xDC 0xDA ...

    ---- Files - GMER 1.0.15 ----

    File C:\ADSM_PData_0150 0 bytes
    File C:\ADSM_PData_0150\DB 0 bytes
    File C:\ADSM_PData_0150\DB\SI.db 624 bytes
    File C:\ADSM_PData_0150\DB\UL.db 16 bytes
    File C:\ADSM_PData_0150\DB\VL.db 16 bytes
    File C:\ADSM_PData_0150\DB\_avt 512 bytes
    File C:\ADSM_PData_0150\DragWait.exe 253952 bytes executable
    File C:\ADSM_PData_0150\_avt 512 bytes
    File C:\Program Files\asus\ASUS Data Security Manager\driver\x86 0 bytes
    File C:\Program Files\asus\ASUS Data Security Manager\driver\x86\AsDsm.sys 29752 bytes executable
    File C:\Program Files\asus\ASUS Data Security Manager\driver\x86\_avt 512 bytes

    ---- EOF - GMER 1.0.15 ----
     
    Last edited: 2010/05/13
    clubECGR,
    #1
  2. 2010/05/13
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I don't think, you have reasons to worry.
    With GMER, it happens sometimes, even on perfectly clean system.
    Your log doesn't indicate any issue.
    Since it was a clean install, I don't see any reasons to run any additional scans.
     
    broni,
    #2


  3. to hide this advert.

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...