AVAST cannot remove suspicious file - possible rootkit? (+bug in AVAST)

Hello,

I cannot get rid of this message: http://www.mediafire.com/?2r9r55at2b6p2hc
Even if I click OK with “Delete Now” every time, it still shows up after restart.
The following message is also shown right after the one above: http://www.mediafire.com/?c4cd7i3b3k8x5zt. I performed the after-boot scan according to this suggestion only once, because it takes forever; I do not have several hours to waste without my laptop working. And that scan did not change anything anyway.

To make the matters worse AVAST has a bug that does not allow me to see what is in the “Rootkit Name” column - there is no way to make the whole information in that field visible.

I am not sure if this is the file from my Sygate firewall (old, company was bought by Symantec years ago, but this product still beats all other free firewalls to my best knowledge).

Running the “Scan drivers” AVAST command from the context menu on that drivers folder shows that everything is OK.

I ran a couple of diagnostic / removal tools: GMER, TDSSKiller, aswMBR, Catchme, OTL, ComboFix, but the problem still exists. What these programs agree on in their reports is that there is an entry in the Registry that corresponds to that service and to that “sys” file in the Windows/system32/Drivers folder, but it is disabled. For example (I removed some lines):

Any help is greatly appreciated! ;D

Cheers!

YNOT

Here are some log excerpts:

aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software

Service scanning
Service PČ• C:\WINDOWS\SYSTEM32\Drivers\PČ•.sys LOCKED 123
Service Püž  C:\WINDOWS\SYSTEM32\Drivers\Püž .sys LOCKED 123
Service sptd C:\WINDOWS\System32\Drivers\sptd.sys LOCKED 32
Service Rzdz C:\WINDOWS\SYSTEM32\Drivers\Ŕżđż.sys HIDDEN
Service ĐŢ™ C:\WINDOWS\SYSTEM32\Drivers\ĐŢ™.sys LOCKED 123
Modules scanning
Disk 0 trace - called modules:
ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys spuu.sys >>UNKNOWN [0x8b010938]<<
1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x8afc0ab8]
3 CLASSPNP.SYS[f74e7fd7] → nt!IofCallDriver → \Device\000000bb[0x8afa7a28]
5 ACPI.sys[f7253620] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-0[0x8afa2030]
Scan finished successfully

Combofix:
S2 aOË;SyGate for NT, aOË;c:\windows\system32\Drivers\aOË.sys → c:\windows\system32\Drivers\aOË.sys [?]
S2 €ÚË;SyGate for NT, €ÚË;c:\windows\system32\Drivers\€ÚË.sys → c:\windows\system32\Drivers\€ÚË.sys [?]
S2 ?$Ë;SyGate for NT, ?$Ë;c:\windows\system32\Drivers?$Ë.sys → c:\windows\system32\Drivers?$Ë.sys [?]
S2 ¨$Ë;SyGate for NT, ¨$Ë;c:\windows\system32\Drivers\¨$Ë.sys → c:\windows\system32\Drivers\¨$Ë.sys [?]
S2 oOË;SyGate for NT, oOË;c:\windows\system32\Drivers\oOË.sys → c:\windows\system32\Drivers\oOË.sys [?]
S2 Püž ;SyGate for NT, Püž ;c:\windows\system32\Drivers\Püž .sys → c:\windows\system32\Drivers\Püž .sys [?]

Other Drivers in Memory
NewlyCreated - WG6N
Deregistered - wg3n
Deregistered - wg4n

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe??? ???@???@? ???_???(?@???@
hidden files: 0

Blocked Registry Keys
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\¬ ÚË]
“Type”=dword:00000001
“Start”=dword:00000002
“ErrorControl”=dword:00000001
“ImagePath”=expand:“\SystemRoot\SYSTEM32\Drivers\€ÚË.sys”
“DisplayName”=“SyGate for NT, €ÚË”
“Group”=“TDI”
“DependOnService”=multi:“NDIS\00\00”
“DependOnGroup”=multi:“\00”
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\¬ ÚË\Security]
“Security”=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,
.
Current=1 Default=1 Failed=4 LastKnownGood=3 Sets=1,2,3,4

16:34:51.0484 5128 TDSS rootkit removing tool 2.6.12.0 Oct 21 2011 11:23:48
Everything OK

GMER 1.0.15.15641 - http://www.gmer.net
Running: k5xi4qy3.exe; Driver: C:\DOCUME~1.…\LOCALS~1\Temp\fxtdrpow.sys

SSDT ??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwCreateThread [0x9A7C06F0]
SSDT ??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwMapViewOfSection [0x9A7C0470]
---- Services - GMER 1.0.15 ----

Service SYSTEM32\Drivers????.sys (*** hidden *** ) [DISABLED] Rzdz ← ROOTKIT !!!
Reg HKLM\SYSTEM\CurrentControlSet\Services\Rzdz
Reg HKLM\SYSTEM\CurrentControlSet\Services\Rzdz@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\Rzdz@Start 4
Reg HKLM\SYSTEM\CurrentControlSet\Services\Rzdz@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\Rzdz@ImagePath \SystemRoot\SYSTEM32\Drivers????.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\Rzdz@DisplayName SyGate for NT, ???
Reg HKLM\SYSTEM\CurrentControlSet\Services\Rzdz@Group TDI
Reg HKLM\SYSTEM\CurrentControlSet\Services\Rzdz@DependOnService NDIS?
Reg HKLM\SYSTEM\CurrentControlSet\Services\Rzdz@DependOnGroup
Reg HKLM\SYSTEM\CurrentControlSet\Services\Rzdz\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\Rzdz\Security@Security 0x01 0x00 0x14 0x80 …
Reg HKLM\SYSTEM\ControlSet003\Services\Rzdz (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\Rzdz@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\Rzdz@Start 4
Reg HKLM\SYSTEM\ControlSet003\Services\Rzdz@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet003\Services\Rzdz@ImagePath \SystemRoot\SYSTEM32\Drivers????.sys
Reg HKLM\SYSTEM\ControlSet003\Services\Rzdz@DisplayName SyGate for NT, ???
Reg HKLM\SYSTEM\ControlSet003\Services\Rzdz@Group TDI
Reg HKLM\SYSTEM\ControlSet003\Services\Rzdz@DependOnService NDIS?
Reg HKLM\SYSTEM\ControlSet003\Services\Rzdz@DependOnGroup
Reg HKLM\SYSTEM\ControlSet003\Services\Rzdz\Security (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\Rzdz\Security@Security 0x01 0x00 0x14 0x80 …
Reg HKLM\SYSTEM\ControlSet004\Services\Rzdz (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\Rzdz@Type 1
Reg HKLM\SYSTEM\ControlSet004\Services\Rzdz@Start 2
Reg HKLM\SYSTEM\ControlSet004\Services\Rzdz@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet004\Services\Rzdz@ImagePath \SystemRoot\SYSTEM32\Drivers????.sys
Reg HKLM\SYSTEM\ControlSet004\Services\Rzdz@DisplayName SyGate for NT, ???
Reg HKLM\SYSTEM\ControlSet004\Services\Rzdz@Group TDI
Reg HKLM\SYSTEM\ControlSet004\Services\Rzdz@DependOnService NDIS?
Reg HKLM\SYSTEM\ControlSet004\Services\Rzdz@DependOnGroup
Reg HKLM\SYSTEM\ControlSet004\Services\Rzdz\Security (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\Rzdz\Security@Security 0x01 0x00 0x14 0x80 …

OTL Extras logfile created on: 10/24/2011 10:01:42 PM - Run 1
========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\T\21|\5\21|\5]
“Type”=dword:00000001
“Start”=dword:00000004
“ErrorControl”=dword:00000001
“ImagePath”=str(2):“\SystemRoot\SYSTEM32\Drivers\Ŕ\21\xbf\5đ\21\xbf\5.sys”
“DisplayName”=“SyGate for NT, Ŕ\21\xbf\5đ\21\xbf\5”
“Group”=“TDI”
“DependOnService”=str(7):“NDIS\0”
“DependOnGroup”=str(7):“”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\T\21|\5\21|\5\Security]
“Security”=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,…
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]
“p0”="C:\Program Files\DAEMON Tools Lite"
“u0”=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,…
“h0”=dword:00000000
“hdf12”=hex:b3,86,e9,a5,64,24,c2,17,67,37,e3,eb,00,1c,09,d5,f2,22,bc,a5,af,…

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0]
“hdf12”=hex:c7,85,3c,52,7e,f0,24,8d,0c,c8,c1,b2,5b,79,dd,20,ed,d1,d2,f9,8e,…
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\T\21|\5\21|\5]
“Type”=dword:00000001
“Start”=dword:00000004
“ErrorControl”=dword:00000001
“ImagePath”=str(2):“\SystemRoot\SYSTEM32\Drivers\Ŕ\21\xbf\5đ\21\xbf\5.sys”
“DisplayName”=“SyGate for NT, Ŕ\21\xbf\5đ\21\xbf\5”
“Group”=“TDI”
“DependOnService”=str(7):“NDIS\0”
“DependOnGroup”=str(7):“”

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\T\21|\5\21|\5\Security]
“Security”=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,…
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]
“p0”="C:\Program Files\DAEMON Tools Lite"
“u0”=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,…
“h0”=dword:00000000
“hdf12”=hex:b3,86,e9,a5,64,24,c2,17,67,37,e3,eb,00,1c,09,d5,f2,22,bc,a5,af,…

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0]
“hdf12”=hex:c7,85,3c,52,7e,f0,24,8d,0c,c8,c1,b2,5b,79,dd,20,ed,d1,d2,f9,8e,…
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\T\21|\5\21|\5]
“Type”=dword:00000001
“Start”=dword:00000002
“ErrorControl”=dword:00000001
“ImagePath”=str(2):“\SystemRoot\SYSTEM32\Drivers\Ŕ\21\xbf\5đ\21\xbf\5.sys”
“DisplayName”=“SyGate for NT, Ŕ\21\xbf\5đ\21\xbf\5”
“Group”=“TDI”
“DependOnService”=str(7):“NDIS\0”
“DependOnGroup”=str(7):“”

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\T\21|\5\21|\5\Security]
“Security”=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,…

scan completed successfully
hidden processes: 0
hidden services: 1
hidden files: 0

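An added example, not part of the thread above and not code from any of the tools mentioned: a small Python script that parses GMER-style `Reg HKLM\SYSTEM\...\Services\...@Value data` lines together with the `Current=1 Default=1 Failed=4 LastKnownGood=3` summary line, and reports driver services whose Start value disagrees between control sets or whose service name or driver file name contains characters outside plain ASCII. The sample lines are constructed and modelled on the log excerpts (the driver file name is a stand-in for the mangled bytes; the wpsdrvnt Start values are assumed), and the labels and the two rules are my own. The real logs show the same pattern the script flags: the Rzdz entry is Start 4 (disabled) in CurrentControlSet and ControlSet003 but Start 2 (auto) in ControlSet004, and the Select line identifies ControlSet004 as the Failed set, so the auto-start copy is a stale set that is not what boots.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the GMER "Reg" lines and the HKLM\SYSTEM\Select
# summary in the log excerpts above. The driver file name is a stand-in for the
# mangled bytes in the real log, and the wpsdrvnt values are assumed.
SAMPLE_LOG = r"""
Current=1 Default=1 Failed=4 LastKnownGood=3 Sets=1,2,3,4
Reg HKLM\SYSTEM\CurrentControlSet\Services\Rzdz
Reg HKLM\SYSTEM\CurrentControlSet\Services\Rzdz@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\Rzdz@Start 4
Reg HKLM\SYSTEM\CurrentControlSet\Services\Rzdz@ImagePath \SystemRoot\SYSTEM32\Drivers\Ŕżđż.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\Rzdz@DisplayName SyGate for NT, ???
Reg HKLM\SYSTEM\CurrentControlSet\Services\Rzdz\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\ControlSet003\Services\Rzdz (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\Rzdz@Start 4
Reg HKLM\SYSTEM\ControlSet003\Services\Rzdz@ImagePath \SystemRoot\SYSTEM32\Drivers\Ŕżđż.sys
Reg HKLM\SYSTEM\ControlSet004\Services\Rzdz (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\Rzdz@Start 2
Reg HKLM\SYSTEM\ControlSet004\Services\Rzdz@ImagePath \SystemRoot\SYSTEM32\Drivers\Ŕżđż.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\wpsdrvnt@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\wpsdrvnt@ImagePath \SystemRoot\system32\drivers\wpsdrvnt.sys
Reg HKLM\SYSTEM\ControlSet004\Services\wpsdrvnt@Start 1
Reg HKLM\SYSTEM\ControlSet004\Services\wpsdrvnt@ImagePath \SystemRoot\system32\drivers\wpsdrvnt.sys
"""

# One value directly under a service key: "Reg HKLM\SYSTEM\<set>\Services\<name>@<value> <data>".
# Values under sub-keys (the Security key) and bare key lines do not match and are skipped.
REG_VALUE = re.compile(
    r"^Reg HKLM\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})\\Services\\([^\\@]+)@(\w+) ?(.*)$"
)
SELECT = re.compile(r"^Current=(\d+) Default=(\d+) Failed=(\d+) LastKnownGood=(\d+)", re.M)
START_LABELS = {0: "BOOT", 1: "SYSTEM", 2: "AUTO", 3: "DEMAND", 4: "DISABLED"}
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.\-]+$")


def control_set_roles(text):
    """Map ControlSet00N -> roles (Current/Default/Failed/LastKnownGood) from the Select line."""
    roles = defaultdict(list)
    m = SELECT.search(text)
    if m:
        for role, num in zip(("Current", "Default", "Failed", "LastKnownGood"), m.groups()):
            roles[f"ControlSet{int(num):03d}"].append(role)
    return dict(roles)


def parse_services(text):
    """Return {service: {ControlSet00N: {value_name: data}}} from GMER-style 'Reg' lines.

    CurrentControlSet is a link to ControlSet00<Current>, so its values are filed
    under that set; values under the Security sub-key are ignored.
    """
    roles = control_set_roles(text)
    current = next((cs for cs, r in roles.items() if "Current" in r), "CurrentControlSet")
    services = defaultdict(lambda: defaultdict(dict))
    for line in text.splitlines():
        m = REG_VALUE.match(line.strip())
        if not m:
            continue
        cset, name, value, data = m.groups()
        if cset == "CurrentControlSet":
            cset = current
        services[name][cset][value] = data.strip()
    return {name: dict(per_set) for name, per_set in services.items()}


def odd_name(s):
    """True when a service or driver-file name has characters outside [A-Za-z0-9_.-]."""
    return SAFE_NAME.match(s) is None


def analyze(text):
    """Flag services whose Start differs across control sets or whose names look mangled."""
    roles = control_set_roles(text)
    findings = []
    for name, per_set in sorted(parse_services(text).items()):
        starts = {cs: int(v["Start"]) for cs, v in per_set.items() if v.get("Start", "").isdigit()}
        images = {v["ImagePath"].rsplit("\\", 1)[-1] for v in per_set.values() if "ImagePath" in v}
        flags = []
        if odd_name(name) or any(odd_name(i) for i in images):
            flags.append("non-ascii name")
        if len(set(starts.values())) > 1:
            flags.append("start differs across control sets")
        if flags:
            findings.append({
                "service": name,
                "flags": flags,
                "start": {cs: START_LABELS.get(s, str(s)) for cs, s in sorted(starts.items())},
                "roles": {cs: roles.get(cs, []) for cs in sorted(starts)},
                "image": sorted(images),
            })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["service"], f["flags"], f["image"])
        for cs, start in f["start"].items():
            print(f"  {cs} [{'/'.join(f['roles'][cs]) or 'unused'}] Start={start}")
```

The script works on pasted tool output, which is what a forum helper gets to see; on the machine itself the same two checks can be made against the live registry (HKLM\SYSTEM\Select and each ControlSet00N\Services key) rather than against a log. The point of mapping the Select roles is that a Start value in a set marked Failed or LastKnownGood says nothing about what loads on the next boot; only the Current set does.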
Follow the guide here and attach the logs: http://forum.avast.com/index.php?topic=53253.0

Hello Pondus,

thank you very much for your reply! :)

Unfortunately the guide has one big flaw, namely it requires me to post scan results on a public forum. I cannot do this, that information is PRIVATE and SENSITIVE - it would make my system much more vulnerable. I have generated those 3 logs, now how can I send them to somebody PRIVATELY?

My best,

YNOT

I will PM my e-mail

Hello!

It’s been a really long time since I sent my logs to essexboy, but I have not heard a word from him.

Anybody knows why this might be?

Did you look in your Messages box at the top right? essexboy said he PM’ed you his email.
Sorry, I didn’t notice you had already sent the logs. He’ll be on later tonight, so he should notice the updated thread.

As it stands at the moment I can see no apparent malware

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.

Hello,

Essexboy - thank you for your reply.

I will send ComboFix report as soon as I run it.

My best

I have sent essex_boy the ComboFix log prepared according to his instructions, and am now awaiting his response.
My computer behaves exactly as I described in my first post.

Cheers!

I did send a reply that there was nothing showing

Yes, I received it. Thank you.