OK Chris, 6 hours time difference. Response time is obviously also dependent on any posting backlog which can also occur.
AVG Guru
Hi Chris,
Your system seems to be clean; it is just detection of rootkit-like behavior.
Uninstalling Webroot's Spy Sweeper might help.
Thanks
Thanks for the answer, Alan. Look forward to the help.
I have an older PC (Windows Vista SP2, 3 GB RAM, 320 GB Hard Drive) that was never really cared for. I installed CCleaner and removed over 7 GB of temp, fixed over 1,100 Registry entries. I uninstalled all toolbars, reduced the search engines to just 1, installed Malwarebytes (found PUM.Hijack.StartMenu) and cleaned. I installed AVG 2015 and ran. It found 12 items - 1 virus and 11 rootkits. The virus cleaned.
I downloaded Malwarebytes Anti-Rootkit and ran it. It found nothing wrong. I also tried TDSSKiller and nothing was found, either. I uninstalled AVG 2015, rebooted and reinstalled. Reran the scans and found the same rootkits.
Can you please help me get rid of these? I'm copying the Gmer and exported AVG Report.
GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-11-30 15:27:54
Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-3 Hitachi_HDT725032VLA380 rev.V54OA73A 298.09GB
Running: tool.exe.exe; Driver: C:\Users\Owner\AppData\Local\Temp\fxldapoc.sys
---- System - GMER 2.1 ----
SSDT 858CB100 ZwAllocateVirtualMemory
SSDT 85902318 ZwCreateProcess
SSDT 85902270 ZwCreateProcessEx
SSDT 858CB3D0 ZwCreateThread
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwNotifyChangeKey [0xC443C6E0]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwNotifyChangeMultipleKeys [0xC443C800]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwOpenProcess [0xC443C010]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwOpenThread [0xC443C4D0]
SSDT 858CB178 ZwQueueApcThread
SSDT 858D0FA8 ZwReadVirtualMemory
SSDT 858CB268 ZwSetContextThread
SSDT 85902180 ZwSetInformationProcess
SSDT 858CB2E0 ZwSetInformationThread
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwSuspendProcess [0xC443C300]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwSuspendThread [0xC443C3E0]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwTerminateProcess [0xC443C120]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwTerminateThread [0xC443C210]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwWriteVirtualMemory [0xC443C5E0]
SSDT 858D0EB8 ZwCreateThreadEx
SSDT 858D0F30 ZwCreateUserProcess
---- Kernel code sections - GMER 2.1 ----
.text ntkrnlpa.exe!KeSetEvent + 131 820E277C 4 Bytes [00, B1, 8C, 85]
.text ntkrnlpa.exe!KeSetEvent + 209 820E2854 8 Bytes [18, 23, 90, 85, 70, 22, 90, …]
.text ntkrnlpa.exe!KeSetEvent + 221 820E286C 4 Bytes [D0, B3, 8C, 85]
.text ntkrnlpa.exe!KeSetEvent + 3BD 820E2A08 8 Bytes [E0, C6, 43, C4, 00, C8, 43, …]
.text ntkrnlpa.exe!KeSetEvent + 3F1 820E2A3C 4 Bytes [10, C0, 43, C4]
.text …
---- User code sections - GMER 2.1 ----
.text C:\Program Files\CCleaner\CCleaner.exe[2736] USER32.dll!SetScrollRange 762AD185 5 Bytes JMP 00AA227D C:\Program Files\CCleaner\CCleaner.exe
.text C:\Program Files\CCleaner\CCleaner.exe[2736] USER32.dll!GetScrollInfo 762AF073 5 Bytes JMP 00AA2210 C:\Program Files\CCleaner\CCleaner.exe
.text C:\Program Files\CCleaner\CCleaner.exe[2736] USER32.dll!ShowScrollBar 762AF8AE 5 Bytes JMP 00AA2243 C:\Program Files\CCleaner\CCleaner.exe
.text C:\Program Files\CCleaner\CCleaner.exe[2736] USER32.dll!SetScrollInfo 762B71D8 5 Bytes JMP 00AA22B4 C:\Program Files\CCleaner\CCleaner.exe
.text C:\Program Files\CCleaner\CCleaner.exe[2736] USER32.dll!EnableScrollBar 762CAF53 5 Bytes JMP 00AA22E8 C:\Program Files\CCleaner\CCleaner.exe
.text C:\Program Files\CCleaner\CCleaner.exe[2736] USER32.dll!GetScrollPos 762D337D 5 Bytes JMP 00AA21EB C:\Program Files\CCleaner\CCleaner.exe
.text C:\Program Files\CCleaner\CCleaner.exe[2736] USER32.dll!GetScrollRange 762D34A5 5 Bytes JMP 00AA21B3 C:\Program Files\CCleaner\CCleaner.exe
.text C:\Program Files\CCleaner\CCleaner.exe[2736] USER32.dll!SetScrollPos 762D3602 5 Bytes JMP 00AA218E C:\Program Files\CCleaner\CCleaner.exe
---- Devices - GMER 2.1 ----
AttachedDevice \FileSystem\Ntfs \Ntfs ssfs0bbc.sys
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys
---- EOF - GMER 2.1 ----
"Whole Computer Scan"
"Medium severity";"11";"0";"11"
"Scanned folders:";"Scan Whole Computer"
"Started:";"11/28/2014, 4:01:50 AM"
"Finished:";"11/28/2014, 4:38:31 AM"
"Scanned items:";"196007"
"Launched by:";"Owner"
"Name";"Description";"Status";"Status";"Priority"
"<unknown>";"Service function NtSetInformationThread hook -> 0xFFFFFFFF858CB2E0";"Infected";"Infected";"Medium"
"<unknown>";"Service function NtCreateUserProcess hook -> 0xFFFFFFFF858D0F30";"Infected";"Infected";"Medium"
"<unknown>";"Service function NtCreateThreadEx hook -> 0xFFFFFFFF858D0EB8";"Infected";"Infected";"Medium"
"<unknown>";"Service function NtReadVirtualMemory hook -> 0xFFFFFFFF858D0FA8";"Infected";"Infected";"Medium"
"<unknown>";"Service function NtSetContextThread hook -> 0xFFFFFFFF858CB268";"Infected";"Infected";"Medium"
"<unknown>";"Service function NtAllocateVirtualMemory hook -> 0xFFFFFFFF858CB100";"Infected";"Infected";"Medium"
"<unknown>";"Service function NtCreateProcessEx hook -> 0xFFFFFFFF85902270";"Infected";"Infected";"Medium"
"<unknown>";"Service function NtCreateThread hook -> 0xFFFFFFFF858CB3D0";"Infected";"Infected";"Medium"
"<unknown>";"Service function NtSetInformationProcess hook -> 0xFFFFFFFF85902180";"Infected";"Infected";"Medium"
"<unknown>";"Service function NtQueueApcThread hook -> 0xFFFFFFFF858CB178";"Infected";"Infected";"Medium"
"<unknown>";"Service function NtCreateProcess hook -> 0xFFFFFFFF85902318";"Infected";"Infected";"Medium"
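The GMER log and the AVG report above describe the same eleven SSDT slots from two angles. The script below is an added example, not part of this thread and not code from GMER, AVG or Webroot: it parses the lines as posted, normalises AVG's sign-extended 64-bit addresses (0xFFFFFFFF858CB2E0) and Nt/Zw naming against GMER's 32-bit addresses, and reports which AVG findings correspond to SSDT entries that GMER could not attribute to a loaded driver. It also decodes the byte dumps in GMER's "Kernel code sections" as little-endian 32-bit pointers, which resolve to the same hook targets. The line-format regexes are assumptions inferred from these samples only, and treating the byte dumps as overwritten SSDT slot contents is an inference from the fact that they decode to the listed addresses, not something either tool states.

```python
"""Correlate GMER's SSDT section with AVG's 'Service function ... hook' findings.

Added example, not part of the original thread and not GMER/AVG code. The
log lines below are copied from the post above; the line formats are
assumed from those samples only.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Copied from the GMER log in the post (the '---- System ----' section).
GMER_SSDT = r"""
SSDT 858CB100 ZwAllocateVirtualMemory
SSDT 85902318 ZwCreateProcess
SSDT 85902270 ZwCreateProcessEx
SSDT 858CB3D0 ZwCreateThread
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwNotifyChangeKey [0xC443C6E0]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwNotifyChangeMultipleKeys [0xC443C800]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwOpenProcess [0xC443C010]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwOpenThread [0xC443C4D0]
SSDT 858CB178 ZwQueueApcThread
SSDT 858D0FA8 ZwReadVirtualMemory
SSDT 858CB268 ZwSetContextThread
SSDT 85902180 ZwSetInformationProcess
SSDT 858CB2E0 ZwSetInformationThread
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwSuspendProcess [0xC443C300]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwSuspendThread [0xC443C3E0]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwTerminateProcess [0xC443C120]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwTerminateThread [0xC443C210]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwWriteVirtualMemory [0xC443C5E0]
SSDT 858D0EB8 ZwCreateThreadEx
SSDT 858D0F30 ZwCreateUserProcess
"""

# Copied from the GMER log ('---- Kernel code sections ----'); the elided line is omitted.
GMER_KERNEL = r"""
.text ntkrnlpa.exe!KeSetEvent + 131 820E277C 4 Bytes [00, B1, 8C, 85]
.text ntkrnlpa.exe!KeSetEvent + 209 820E2854 8 Bytes [18, 23, 90, 85, 70, 22, 90, …]
.text ntkrnlpa.exe!KeSetEvent + 221 820E286C 4 Bytes [D0, B3, 8C, 85]
.text ntkrnlpa.exe!KeSetEvent + 3BD 820E2A08 8 Bytes [E0, C6, 43, C4, 00, C8, 43, …]
.text ntkrnlpa.exe!KeSetEvent + 3F1 820E2A3C 4 Bytes [10, C0, 43, C4]
"""

# Copied from the exported AVG report in the post.
AVG_REPORT = r"""
"<unknown>";"Service function NtSetInformationThread hook -> 0xFFFFFFFF858CB2E0";"Infected";"Infected";"Medium"
"<unknown>";"Service function NtCreateUserProcess hook -> 0xFFFFFFFF858D0F30";"Infected";"Infected";"Medium"
"<unknown>";"Service function NtCreateThreadEx hook -> 0xFFFFFFFF858D0EB8";"Infected";"Infected";"Medium"
"<unknown>";"Service function NtReadVirtualMemory hook -> 0xFFFFFFFF858D0FA8";"Infected";"Infected";"Medium"
"<unknown>";"Service function NtSetContextThread hook -> 0xFFFFFFFF858CB268";"Infected";"Infected";"Medium"
"<unknown>";"Service function NtAllocateVirtualMemory hook -> 0xFFFFFFFF858CB100";"Infected";"Infected";"Medium"
"<unknown>";"Service function NtCreateProcessEx hook -> 0xFFFFFFFF85902270";"Infected";"Infected";"Medium"
"<unknown>";"Service function NtCreateThread hook -> 0xFFFFFFFF858CB3D0";"Infected";"Infected";"Medium"
"<unknown>";"Service function NtSetInformationProcess hook -> 0xFFFFFFFF85902180";"Infected";"Infected";"Medium"
"<unknown>";"Service function NtQueueApcThread hook -> 0xFFFFFFFF858CB178";"Infected";"Infected";"Medium"
"<unknown>";"Service function NtCreateProcess hook -> 0xFFFFFFFF85902318";"Infected";"Infected";"Medium"
"""


@dataclass(frozen=True)
class SsdtHook:
    name: str              # service name as GMER prints it, e.g. ZwOpenProcess
    addr: int              # address the SSDT slot now points to
    module: Optional[str]  # driver GMER mapped that address to, or None


# Assumed line shapes, inferred from the samples above.
_SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(Zw\w+)(?:\s+\[0x([0-9A-Fa-f]+)\])?\s*$")
_AVG_RE = re.compile(r"Service function (Nt\w+) hook -> 0x([0-9A-Fa-f]+)")
_BYTES_RE = re.compile(r"^\.text\s+(\S+)\s+\+\s*([0-9A-Fa-f]+)\s+[0-9A-Fa-f]+\s+\d+ Bytes \[([^\]]*)\]")


def service_key(name: str) -> str:
    """Nt* and Zw* name the same system service; compare on the bare name."""
    return name[2:] if name[:2] in ("Nt", "Zw") else name


def parse_gmer_ssdt(text: str) -> list:
    hooks = []
    for line in text.splitlines():
        m = _SSDT_RE.match(line.strip())
        if not m:
            continue
        first, name, bracket = m.groups()
        if bracket is None:                      # bare address: no owning module found
            hooks.append(SsdtHook(name, int(first, 16), None))
        else:                                    # path + [0xADDR]: attributed to a driver
            hooks.append(SsdtHook(name, int(bracket, 16), first.rsplit("\\", 1)[-1]))
    return hooks


def parse_avg_report(text: str) -> list:
    """Return (NtName, 32-bit address) pairs; AVG prints the address sign-extended to 64 bits."""
    return [(m.group(1), int(m.group(2), 16) & 0xFFFFFFFF)
            for m in (_AVG_RE.search(l) for l in text.splitlines()) if m]


def decode_patched_slots(text: str) -> list:
    """Decode each complete 4-byte group of a byte dump as a little-endian x86 pointer.
    Trailing '…' in the log means the dump was cut short; partial groups are skipped."""
    decoded = []
    for line in text.splitlines():
        m = _BYTES_RE.match(line.strip())
        if not m:
            continue
        sym, off, raw = m.groups()
        hexbytes = []
        for tok in (t.strip() for t in raw.split(",")):
            if not re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
                break
            hexbytes.append(int(tok, 16))
        for i in range(0, len(hexbytes) - 3, 4):
            decoded.append((f"{sym}+{off}", int.from_bytes(bytes(hexbytes[i:i + 4]), "little")))
    return decoded


def name_patched_slots(kernel_text: str, gmer_text: str) -> list:
    """Map each decoded pointer back to the SSDT entry GMER listed with that target."""
    addr_to_name = {h.addr: h.name for h in parse_gmer_ssdt(gmer_text)}
    return [(where, addr, addr_to_name.get(addr)) for where, addr in decode_patched_slots(kernel_text)]


def correlate(gmer_text: str, avg_text: str) -> dict:
    hooks = parse_gmer_ssdt(gmer_text)
    by_key = {service_key(h.name): h for h in hooks}
    result = {
        "attributed": {h.name: h.module for h in hooks if h.module},
        "unattributed": {h.name: h.addr for h in hooks if h.module is None},
        "avg_matched": [],     # AVG finding == an unattributed GMER hook, same target
        "avg_unmatched": [],   # AVG finding with no such GMER counterpart
    }
    for name, addr in parse_avg_report(avg_text):
        h = by_key.get(service_key(name))
        if h is not None and h.module is None and h.addr == addr:
            result["avg_matched"].append(name)
        else:
            result["avg_unmatched"].append(name)
    return result


if __name__ == "__main__":
    r = correlate(GMER_SSDT, AVG_REPORT)
    print(f"{len(r['unattributed'])} unattributed SSDT hooks; "
          f"{len(r['avg_matched'])} of {len(r['avg_matched']) + len(r['avg_unmatched'])} AVG findings match them")
    for where, addr, name in name_patched_slots(GMER_KERNEL, GMER_SSDT):
        print(f"{where}: {addr:#010x} -> {name}")
```

Run against the posted logs, every one of AVG's eleven "Infected" rows is an SSDT entry that GMER printed with a bare address (targets in the 0x858Cxxxx/0x8590xxxx range) rather than a driver path, while the nine entries GMER did attribute all point into avgidsshimx.sys (0xC443xxxx), AVG's own component. The byte dumps under "Kernel code sections" decode to those same targets, so the three sections are one set of hooked slots seen three ways. Neither tool names the owner of the unattributed slots; the only third-party filter driver visible in the log besides AVG's own is ssfs0bbc.sys on NTFS, and the thread resolves once Spy Sweeper's leftover service is removed.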
Hello Zbynek,
I appreciate your review and you were completely correct. Spy Sweeper didn't show in Programs and Features or under All Programs.
I found it had all the installation files under Program Files and was also loaded as a service. I had to go to Webroot's website for an uninstaller. I ran that successfully. I rebooted and checked the registry to make sure, and there were no instances. I scanned with AVG and nothing was found.
Many thanks! Have a great New Year!
Chris, when available, a member of the official AVG Community Support in Brno (http://forums.avg.com/ww-en/avg-forums?sec=thread&act=show&id=190509) will see your topic, analyse your info and respond, but please bear in mind that it's now the weekend.
AVG Guru