[Closed] Following Advice from Windows 7 Forum

  1. #1
    theoldandgrey is offline Valued Member

    [Closed] Following Advice from Windows 7 Forum

    Hi
I have been having considerable problems with my PC shutting down and Digerati advised I should ask you for help before proceeding further down the line! I therefore post the logs as requested. Considerable problems running GMER - PC shut down several times whilst running it so maybe haven't rescued all the info. On Digerati's advice I ran MBAM which discovered 30+ infections including 2 trojans - Vundo - I cleared these and as you will see the next log is clean:

    Malwarebytes' Anti-Malware 1.51.2.1300
    Malwarebytes : Free anti-malware, anti-virus and spyware removal download

    Database version: 8307

    Windows 6.1.7601 Service Pack 1
    Internet Explorer 8.0.7601.17514

    04 12 11 10:59:11
    mbam-log-2011-12-04 (10-59-11).txt

    Scan type: Quick scan
    Objects scanned: 225169
    Time elapsed: 16 minute(s), 29 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    The next one is GMER:

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2011-12-04 19:31:54
    Windows 6.1.7601 Service Pack 1
    Running: GMER.exe; Driver: C:\Users\Vivian\AppData\Local\Temp\uxdiypod.sys


    ---- System - GMER 1.0.15 ----

    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwAssignProcessToJobObject [0x8C06D080]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwCreateFile [0x8C06DBDE]
    SSDT \??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_32301.sys ZwCreateThreadEx [0x89B357B0]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwDeleteFile [0x8C06DDD6]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwDeleteKey [0x8C0715AC]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwDeleteValueKey [0x8C0715DE]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwLoadKey [0x8C071740]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwOpenFile [0x8C06DCF6]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0x9C166F3C]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwOpenThread [0x8C06D3EA]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwProtectVirtualMemory [0x8C06D51C]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwQueryValueKey [0x8C0716B6]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwRenameKey [0x8C071620]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwReplaceKey [0x8C071652]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwRestoreKey [0x8C071684]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSetContextThread [0x8C06D026]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSetInformationFile [0x8C06DE7C]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSetValueKey [0x8C071544]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSuspendThread [0x8C06CFC0]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0x9C166FE4]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0x9C167080]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0x9C16711C]

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntoskrnl.exe!ZwSaveKey + 13CD 82C899C9 1 Byte [06]
    .text ntoskrnl.exe!KiDispatchInterrupt + 5A2 82CA94E2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
    .text ntoskrnl.exe!KeRemoveQueueEx + 141B 82CB07B8 4 Bytes [80, D0, 06, 8C]
    .text ntoskrnl.exe!KeRemoveQueueEx + 1477 82CB0814 4 Bytes [DE, DB, 06, 8C]
    .text ntoskrnl.exe!KeRemoveQueueEx + 14CF 82CB086C 4 Bytes [B0, 57, B3, 89] {MOV AL, 0x57; MOV BL, 0x89}
    .text ntoskrnl.exe!KeRemoveQueueEx + 1507 82CB08A4 8 Bytes [D6, DD, 06, 8C, AC, 15, 07, ...]
    .text ntoskrnl.exe!KeRemoveQueueEx + 1517 82CB08B4 4 Bytes [DE, 15, 07, 8C]
    .text ...

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[320] ntdll.dll!KiUserApcDispatcher 779A6F58 5 Bytes JMP 00445210 C:\Program Files\Trusteer\Rapport\bin\RapportService.exe (RapportService/Trusteer Ltd.)
    .text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[320] WS2_32.dll!getaddrinfo 75E34296 5 Bytes JMP 71A50022
    .text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[320] WS2_32.dll!gethostbyname 75E47673 5 Bytes JMP 71AE0022
    .text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1024] ntdll.dll!KiUserApcDispatcher 779A6F58 5 Bytes JMP 00414D50 C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe (RapportMgmtService/Trusteer Ltd.)
    .text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1024] WS2_32.dll!getaddrinfo 75E34296 5 Bytes JMP 71A40022
    .text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1024] WS2_32.dll!gethostbyname 75E47673 5 Bytes JMP 71AD0022

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Windows\Explorer.EXE[588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74612437] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [745F5600] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [745F56BE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [746124B2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74608514] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74604CC8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [7460506F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [74605144] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [74606671] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7460826B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [746087BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7460901B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7460E1BE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[588] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74604BFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

    Device \Driver\ACPI_HAL \Device\00000047 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

    AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
    AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SOFTWARE\Microsoft\Windows Search\UsnNotifier\Windows\Catalogs\SystemIndex@{4C5784CC-7F5D-11E0-AEF6-806E6F6E6963} 12272087328

    ---- EOF - GMER 1.0.15 ----
    Last edited by theoldandgrey; 04-12-2011 at 08:23 PM.
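Reading a GMER log like the one above comes down to two questions per hook: which module owns it, and does that module load from somewhere a standard user could have planted it. The Python below is an added example written for this page; it is not part of the post and not GMER's own tooling. It parses the SSDT lines and the user-mode inline JMP lines, groups them by owning module and attaches a triage verdict. The regular expressions, the vendor list and the path rules are my own assumptions about the log format, and all sample lines except the final SSDT line are copied from the log above; that last line is constructed for the example so that the "unknown driver in a user-writable path" branch is exercised.

```python
"""Group the SSDT and user-mode hooks in a GMER log by owning module and give
each module a triage verdict (added example; the log format rules below are
assumptions derived from the log posted above, not GMER documentation)."""
import re
from collections import defaultdict

# Sample input. Every line except the last SSDT line is copied from the log in the
# post; the final "xyz.sys" line is CONSTRUCTED for this example and is not in the post.
SAMPLE_LOG = r"""
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwCreateFile [0x8C06DBDE]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwOpenFile [0x8C06DCF6]
SSDT \??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_32301.sys ZwCreateThreadEx [0x89B357B0]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0x9C166F3C]
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[320] ntdll.dll!KiUserApcDispatcher 779A6F58 5 Bytes JMP 00445210 C:\Program Files\Trusteer\Rapport\bin\RapportService.exe (RapportService/Trusteer Ltd.)
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[320] WS2_32.dll!getaddrinfo 75E34296 5 Bytes JMP 71A50022
SSDT \??\C:\Users\Public\Downloads\xyz.sys ZwQueryDirectoryFile [0x8D001000]
"""

# "SSDT <driver path> [(description/vendor)] Zw<Function> [0xADDR]"
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<path>.+?)(?:\s+\((?P<vendor>[^)]*)\))?\s+(?P<func>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]\s*$"
)
# ".text <process>[pid] <module>!<export> <addr> <n> Bytes JMP <target> [<owner path> (description/vendor)]"
# Kernel ".text ntoskrnl.exe!..." byte patches carry no JMP target and are deliberately not parsed here.
USER_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<module>\S+)!(?P<func>\w+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<nbytes>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)"
    r"(?:\s+(?P<owner>.+?)\s+\((?P<vendor>[^)]*)\))?\s*$"
)

# Assumed triage rules: vendors seen in this log that are security products, path
# prefixes that standard users can normally write to, and system/program-file roots.
KNOWN_SECURITY_VENDORS = ("AVG Technologies", "Trusteer")
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")
SYSTEM_ROOTS = ("\\program files", "\\windows\\", "\\systemroot\\")


def parse_gmer(text):
    """Return one dict per recognised hook line; unrecognised lines are skipped."""
    hooks = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SSDT_RE.match(line)
        if m:
            hooks.append({"kind": "ssdt", "owner": m["path"], "vendor": m["vendor"],
                          "func": m["func"], "addr": m["addr"]})
            continue
        m = USER_RE.match(line)
        if m:
            # GMER prints no owner when it cannot attribute the JMP target to a module.
            owner = m["owner"] or f"<unresolved {m['target']}>"
            hooks.append({"kind": "user", "owner": owner, "vendor": m["vendor"],
                          "func": f"{m['module']}!{m['func']}", "addr": m["addr"],
                          "process": f"{m['proc']}[{m['pid']}]"})
    return hooks


def classify(hook):
    """Verdict for one hook. Order matters: an unattributed target or a module in a
    user-writable location is flagged for review even when a vendor string is present."""
    owner = hook["owner"].lower()
    vendor = (hook["vendor"] or "").lower()
    if owner.startswith("<unresolved"):
        return "review: JMP target not attributed to a module"
    if any(root in owner for root in USER_WRITABLE):
        return "review: module loads from a user-writable path"
    if any(v.lower() in vendor for v in KNOWN_SECURITY_VENDORS) or any(r in owner for r in SYSTEM_ROOTS):
        return "expected: known security product or system path"
    return "review: unrecognised module"


def summarize(text):
    """Map owning module -> {count, hooked functions, verdict}."""
    by_owner = defaultdict(lambda: {"count": 0, "funcs": [], "verdict": None})
    for hook in parse_gmer(text):
        entry = by_owner[hook["owner"]]
        entry["count"] += 1
        entry["funcs"].append(hook["func"])
        entry["verdict"] = classify(hook)
    return dict(by_owner)


if __name__ == "__main__":
    for owner, info in summarize(SAMPLE_LOG).items():
        print(f"{info['verdict']:<50} {info['count']:>2}  {owner}")
        for func in info["funcs"]:
            print(f"{'':52}    {func}")
```

Run against the post's full log, this grouping shows that every SSDT entry belongs either to Trusteer Rapport under Program Files or to AVG under system32, and that the only items left on the review list are the Rapport Cerberus driver loading from ProgramData and the WS2_32 hooks whose JMP targets GMER did not attribute to a module. Those are the entries a triager would confirm against the product's documentation before calling anything an infection; nothing in the hook list points outside those two products.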

  2. #2
    broni is offline Senior Member
    Do NOT double post.
    This topic is closed.

Closed Thread