Geeks to Go Forums: webpage redirect, linked to njg.exe [Solved] - Geeks to Go Forums

webpage redirect, linked to njg.exe [Solved] Malware

#61 JSntgRvr

  • Global Moderator
  • Group: Global Moderator
  • Posts: 8,016
  • Joined: 30-November 05
  • Location:Puerto Rico
  • Operating System:Windows XP, VISTA Home Premium

Posted 08 February 2010 - 12:38 AM

Some CD Emulators use a hidden driver which can be seen as a rootkit, and can also interfere with a correct read of the state of the machine by our tools. Please remove these programs from your computer if present, including the SPTD driver as specified here:

http://thespykiller....pic,8973.0.html

Once done, restart the computer and run GMER as follows.

You had previously downloaded a renamed copy of GMER to your C:\ folder.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "No", save the log and post back the results.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

0

#62 serpntene

  • Member
  • Group: Member
  • Posts: 60
  • Joined: 02-January 10
  • Operating System:winxp

Posted 08 February 2010 - 07:45 AM

I don't have any cd burn programs on my computer except ISOburn and media player. Should I uninstall both of these?

This post has been edited by serpntene: 08 February 2010 - 07:45 AM

0

#63 JSntgRvr

  • Global Moderator
  • Group: Global Moderator
  • Posts: 8,016
  • Joined: 30-November 05
  • Location:Puerto Rico
  • Operating System:Windows XP, VISTA Home Premium

Posted 08 February 2010 - 09:22 AM

serpntene, on Feb 8 2010, 09:45 AM, said:

I don't have any cd burn programs on my computer except ISOburn and media player. Should I uninstall both of these?

No, those are not CD emulation programs. Follow the steps to remove the SPTD driver as specified in the link provided, then after a restart, attempt to run GMER.
0

#64 JSntgRvr

  • Global Moderator
  • Group: Global Moderator
  • Posts: 8,016
  • Joined: 30-November 05
  • Location:Puerto Rico
  • Operating System:Windows XP, VISTA Home Premium

Posted 08 February 2010 - 09:30 AM

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    Quote

    :filefind
    cdfs*


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

This post has been edited by JSntgRvr: 08 February 2010 - 09:41 PM

0

#65 serpntene

  • Member
  • Group: Member
  • Posts: 60
  • Joined: 02-January 10
  • Operating System:winxp

Posted 08 February 2010 - 03:25 PM

I ran gmer before and after uninstalling the SPTD drivers. I managed to save the log from before. After uninstalling, the pc froze every time I attempted to save the file. Would the log from before uninstall be useful?




SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 16:20 on 08/02/2010 by Rebecca Cooper (Administrator - Elevation successful)

========== filefind ==========

Searching for "cdfs*"
C:\cmdcons\CDFS.SY_ --a--- 33703 bytes [04:14 04/08/2004] [04:14 04/08/2004] D8F648CB22A6EBA0A44A1D35AB413757
C:\WINDOWS\$NtServicePackUninstall$\cdfs.sys -----c 63744 bytes [14:35 07/01/2010] [12:00 04/08/2004] CD7D5152DF32B47F4E36F710B35AAE02
C:\WINDOWS\ServicePackFiles\i386\cdfs.sys ------ 63744 bytes [20:03 05/01/2010] [19:14 13/04/2008] C885B02847F5D2FD45A24E219ED93B32
C:\WINDOWS\system32\drivers\cdfs.sys --a--- 63744 bytes [12:00 04/08/2004] [19:14 13/04/2008] C885B02847F5D2FD45A24E219ED93B32

-=End Of File=-
0

#66 JSntgRvr

  • Global Moderator
  • Group: Global Moderator
  • Posts: 8,016
  • Joined: 30-November 05
  • Location:Puerto Rico
  • Operating System:Windows XP, VISTA Home Premium

Posted 08 February 2010 - 05:03 PM

Quote

I ran gmer before and after uninstalling the SPTD drivers. I managed to save the log from before. After uninstalling, the pc froze every time I attempted to save the file. Would the log from before uninstall be useful?


Rather than saving the file, keep it open, then copy and paste its contents in a reply.

Please upload the following files to the Spykiller forum and let me know when done:

C:\WINDOWS\system32\drivers\cdfs.sys
C:\WINDOWS\ServicePackFiles\i386\cdfs.sys

0
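An added example (not part of the thread, and not SystemLook's or GMER's own code): the script below parses the filefind lines of the SystemLook log posted above and checks whether the cdfs.sys actually loaded from system32\drivers hashes identically to the Service Pack reference copy in ServicePackFiles\i386, the two files whose upload was just requested. The embedded log text is the one from this thread (minus the user line); the regular expression and the path heuristics for "live copy" and "reference copy" are my own assumptions about the log format.

```python
"""Cross-check the copies of a driver listed by a SystemLook ':filefind' log.

Added example, not part of the thread and not SystemLook's own code. It parses the
filefind lines (path, attributes, size, two timestamps, MD5) and reports whether the
driver loaded from system32\\drivers hashes the same as the Service Pack reference
copy in ServicePackFiles\\i386. A mismatch deserves a look; a match only says the two
local copies agree with each other.
"""
import re
from collections import defaultdict

# Sample input: the filefind section of the log posted in the thread.
SAMPLE_LOG = r"""
SystemLook v1.0 by jpshortstuff (11.01.10)

========== filefind ==========

Searching for "cdfs*"
C:\cmdcons\CDFS.SY_ --a--- 33703 bytes [04:14 04/08/2004] [04:14 04/08/2004] D8F648CB22A6EBA0A44A1D35AB413757
C:\WINDOWS\$NtServicePackUninstall$\cdfs.sys -----c 63744 bytes [14:35 07/01/2010] [12:00 04/08/2004] CD7D5152DF32B47F4E36F710B35AAE02
C:\WINDOWS\ServicePackFiles\i386\cdfs.sys ------ 63744 bytes [20:03 05/01/2010] [19:14 13/04/2008] C885B02847F5D2FD45A24E219ED93B32
C:\WINDOWS\system32\drivers\cdfs.sys --a--- 63744 bytes [12:00 04/08/2004] [19:14 13/04/2008] C885B02847F5D2FD45A24E219ED93B32

-=End Of File=-
"""

# One filefind result line: path, 6-char attribute field, size, two bracketed
# timestamps, MD5. Assumed from the sample above, not from SystemLook documentation.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<mtime>[^\]]+)\]\s+\[(?P<ctime>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)


def parse_filefind(log):
    """Return one dict per file line found in the log (non-matching lines are skipped)."""
    entries = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"])
            d["md5"] = d["md5"].upper()
            entries.append(d)
    return entries


def group_by_hash(entries):
    """Map each MD5 to the paths that carry it, to see at a glance which copies agree."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["md5"]].append(e["path"])
    return dict(groups)


def check_live_driver(entries, name):
    """Compare the loaded driver (system32\\drivers) with the Service Pack reference copy.

    Returns 'match', 'mismatch', or 'incomplete' when either copy is missing from the log.
    """
    live = ref = None
    for e in entries:
        p = e["path"].lower()
        if not p.endswith("\\" + name.lower()):
            continue
        if "\\system32\\drivers\\" in p:
            live = e
        elif "\\servicepackfiles\\i386\\" in p:
            ref = e
    if live is None or ref is None:
        return "incomplete"
    same = live["md5"] == ref["md5"] and live["size"] == ref["size"]
    return "match" if same else "mismatch"


if __name__ == "__main__":
    found = parse_filefind(SAMPLE_LOG)
    for md5, paths in group_by_hash(found).items():
        print(md5, "->", ", ".join(paths))
    print("cdfs.sys live vs Service Pack copy:", check_live_driver(found, "cdfs.sys"))
```

On the posted log the live driver and the Service Pack copy share an MD5, so the check reports a match. That is only agreement between two local copies: a kernel-mode rootkit that filters file reads can present the same clean bytes for both, which is why hashes alone do not close the case and the thread goes on to look at the MBR.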

#67 serpntene

  • Member
  • Group: Member
  • Posts: 60
  • Joined: 02-January 10
  • Operating System:winxp

Posted 08 February 2010 - 05:28 PM

No report is opening up after the scan. This is why I keep clicking save to try to save the file.

Files uploaded.
0

#68 JSntgRvr

  • Global Moderator
  • Group: Global Moderator
  • Posts: 8,016
  • Joined: 30-November 05
  • Location:Puerto Rico
  • Operating System:Windows XP, VISTA Home Premium

Posted 08 February 2010 - 05:39 PM

serpntene, on Feb 8 2010, 07:28 PM, said:

No report is opening up after the scan. This is why I keep clicking save to try to save the file.

Files uploaded.

And there is nothing in GMER's window?

Upload those files.

* Copy the entire contents of the Quote Box below to Notepad.
* Name the file as query.bat
* Change the Save as Type to All Files
* and Save it on the desktop
* Once saved, double click on the query.bat file. Post the resulting report.

Quote

@Echo OFF
:: Work from the folder this script was saved in (the Desktop)
cd /d %~dp0
:: Dump the cdfs driver's service entry (Start, Type, Group, ...) into Logit.txt
Reg Query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cdfs > Logit.txt
:: Open the log in the default text editor so it can be pasted into a reply
Start Logit.txt
:: Remove this batch file once it has run
Del %0

0

#69 serpntene

  • Member
  • Group: Member
  • Posts: 60
  • Joined: 02-January 10
  • Operating System:winxp

Posted 08 February 2010 - 05:49 PM

There's nothing in gmer's window beyond what pops up there within ten seconds of the scan starting. I can rerun it, then do a screenie and upload it to photobucket for you (since I can't seem to upload image files here on this forum) if you like.

The files you requested me to upload were uploaded to the spykiller forum.


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cdfs
DependOnGroup REG_MULTI_SZ SCSI CDROM Class\0\0
ErrorControl REG_DWORD 0x1
Group REG_SZ File system
Start REG_DWORD 0x4
Type REG_DWORD 0x2

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cdfs\Enum
0

#70 JSntgRvr

  • Global Moderator
  • Group: Global Moderator
  • Posts: 8,016
  • Joined: 30-November 05
  • Location:Puerto Rico
  • Operating System:Windows XP, VISTA Home Premium

Posted 08 February 2010 - 06:12 PM

This is so weird. I am as perplexed as you are. RootRepeal's report is inconclusive. And, although there seems to be a hook in the MBR, it seems undetectable.

Go to Start -> Run, type CMD and click OK. At the prompt type the following and press Enter after each command:

cd C:\
MBR.EXE -f


The program will attempt to fix the Master Boot Record and will produce a report. Post the contents of that report in your next reply.

Type Exit at the Command prompt and press Enter to return back to Windows.
0

#71 serpntene

  • Member
  • Group: Member
  • Posts: 60
  • Joined: 02-January 10
  • Operating System:winxp

Posted 08 February 2010 - 06:22 PM

I'm getting really frustrated to be honest. I've never had this much trouble with a virus before. Usually process explorer, mbam, clean. But this is insane.


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
0

#72 JSntgRvr

  • Global Moderator
  • Group: Global Moderator
  • Posts: 8,016
  • Joined: 30-November 05
  • Location:Puerto Rico
  • Operating System:Windows XP, VISTA Home Premium

Posted 08 February 2010 - 07:22 PM

I know. This has been a hard egg to crack.

Let's perform the test once again:


Go to Start -> Run, type CMD and click OK. At the prompt type the following and press Enter after each command:

cd C:\
MBR.EXE -t


The program will check the Master Boot Record and will produce a report. Post the contents of that report in your next reply.

Type Exit at the Command prompt and press Enter to return back to Windows.

This post has been edited by JSntgRvr: 08 February 2010 - 07:23 PM

0

#73 serpntene

  • Member
  • Group: Member
  • Posts: 60
  • Joined: 02-January 10
  • Operating System:winxp

Posted 08 February 2010 - 08:06 PM

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
0

#74 JSntgRvr

  • Global Moderator
  • Group: Global Moderator
  • Posts: 8,016
  • Joined: 30-November 05
  • Location:Puerto Rico
  • Operating System:Windows XP, VISTA Home Premium

Posted 08 February 2010 - 08:15 PM

I believe you used the wrong switch. -f is to fix, -t is to test.

cd C:\
MBR.EXE -t

0

#75 serpntene

  • Member
  • Group: Member
  • Posts: 60
  • Joined: 02-January 10
  • Operating System:winxp

Posted 08 February 2010 - 08:18 PM

One slip of the finger can make a big difference. Oi.


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys viaide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
0
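The MBR.EXE reports above say the first sector was read once from user mode and once from the kernel, and that the two reads agree ("user & kernel MBR OK"). As an added example, not GMER's code and not from the thread (the tool's internals are not shown here), the Python below demonstrates that comparison on constructed 512-byte sectors: it parses the boot signature and partition table, diffs the two reads byte by byte, and says where they disagree. The "clean" boot-code prologue, the single NTFS partition entry and the "infected" far-jump bytes are made up for the example, and the verdict string borrows the tool's wording while the logic is my own.

```python
"""Compare two reads of the same MBR sector, the check behind "user & kernel MBR OK".

Added example: this is not GMER's code, and the tool's internals are not shown in
the thread. It demonstrates the idea its output describes: read the first sector
through two different paths and flag any byte that differs. Here both "reads" are
constructed 512-byte strings; on a live Windows box they would come from, e.g., a
user-mode read of \\\\.\\PhysicalDrive0 and a read issued lower in the driver stack.
"""
import struct

SECTOR = 512
PT_OFFSET = 446          # partition table starts here
ENTRY_LEN = 16           # four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"   # bytes 510..511 of a valid MBR
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(boot_code, partitions):
    """Assemble a 512-byte MBR from boot code and (status, type, lba_start, sectors) tuples.

    Test-data helper only; CHS fields are left zeroed.
    """
    code = boot_code.ljust(PT_OFFSET, b"\x00")[:PT_OFFSET]
    table = b"".join(struct.pack(ENTRY_FMT, st, b"\x00" * 3, pt, b"\x00" * 3, lba, n)
                     for st, pt, lba, n in partitions)
    return code + table.ljust(4 * ENTRY_LEN, b"\x00") + BOOT_SIG


def parse_mbr(sector):
    """Return boot-signature validity and the non-empty partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PT_OFFSET + i * ENTRY_LEN
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + ENTRY_LEN])
        if ptype:
            parts.append({"index": i, "bootable": status == 0x80,
                          "type": ptype, "lba_start": lba, "sectors": count})
    return {"signature_ok": sector[510:512] == BOOT_SIG, "partitions": parts}


def diff_reads(read_a, read_b):
    """Byte ranges [start, end) where the two reads differ; an empty list means identical."""
    ranges, start = [], None
    for i in range(SECTOR):
        same = read_a[i] == read_b[i]
        if not same and start is None:
            start = i
        elif same and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, SECTOR))
    return ranges


def verdict(user_read, kernel_read):
    """Mirror the detector's wording: OK only if both reads carry a boot signature and agree."""
    u, k = parse_mbr(user_read), parse_mbr(kernel_read)
    if not (u["signature_ok"] and k["signature_ok"]):
        return "bad boot signature"
    diffs = diff_reads(user_read, kernel_read)
    if not diffs:
        return "user & kernel MBR OK"
    where = "boot code" if diffs[0][0] < PT_OFFSET else "partition table"
    return "MISMATCH: %d differing range(s), first in %s at offset %d" % (len(diffs), where, diffs[0][0])


# Constructed sample data: a common "xor ax,ax / mov ss,ax / mov sp,7C00h" prologue and
# one bootable NTFS (type 0x07) partition starting at LBA 63.
SAMPLE_PARTS = [(0x80, 0x07, 63, 20964762)]
CLEAN = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c", SAMPLE_PARTS)
# The same partition table behind different boot code (a far jump): what a hooked
# read path would hide from user mode while the sector on disk looks like this.
INFECTED = build_mbr(b"\xea\x05\x00\xc0\x07", SAMPLE_PARTS)

if __name__ == "__main__":
    print(verdict(CLEAN, CLEAN))
    print(verdict(CLEAN, INFECTED))
    print(diff_reads(CLEAN, INFECTED))
```

The partition table is deliberately kept identical in both samples: a bootkit that replaces only the boot code leaves partitions and the 55AA signature intact, so a signature check alone passes and only the two-path comparison catches the change. Conversely, two reads that agree prove nothing if both pass through the same hooked driver, which is why the tool lists the "called modules" it went through.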
