rootkit infection, please help

1 reply to this topic

#1 w111ser

  • Members
  • 4 posts
  • OFFLINE
  • Local time:06:53 PM

Posted 15 July 2009 - 01:45 PM

Hello, I was told to post a topic here about a rootkit infection I have. First off, I haven't downloaded or run the DDS tool yet, as it says to in the guide. I'm not really that familiar with computers, so I didn't want to do it just yet, so I need to know if I need to do that for sure!

Malwarebytes has cleaned up a lot of my problems, but it keeps bringing up 3 infections that it doesn't seem to be able to get rid of: rootkit.trace, rootkit.agent and trojan.agent. I tried downloading Sophos, which found over 60 infections, but did not recommend cleanup on any of them, so I haven't done anything further with that scan. I was told by a poster in another thread to install RootRepeal; I followed the directions, and this is the report I got:

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/07/15 13:00
Program Version: Version 1.3.2.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: 000009D0
Image Path: 000009D0
Address: 0x8653E000 Size: 41218 File Visible: No Signed: -
Status: -

Name: 000009D0
Image Path: 000009D0
Address: 0xEE0F3000 Size: 76032 File Visible: No Signed: -
Status: Hidden from the Windows API!

Name: 31.tmp
Image Path: C:\WINDOWS\system32\31.tmp
Address: 0xF7B20000 Size: 6144 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEE9DC000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B0A000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xED9EB000 Size: 49152 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xF7886000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xEE238000 Size: 57344 File Visible: No Signed: -
Status: -

SSDT
-------------------
ServiceTable Hooked [0x869a41b0]!

Stealth Objects
-------------------
Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: winlogon.exe (PID: 632) Address: 0x00650000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: winlogon.exe (PID: 632) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: services.exe (PID: 680) Address: 0x00650000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: services.exe (PID: 680) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: lsass.exe (PID: 692) Address: 0x00720000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: lsass.exe (PID: 692) Address: 0x10000000 Address: 45056

Object: Hidden Thread [ETHREAD: 0x86bc52a0, TID: 1516]
Process: svchost.exe (PID: 868) Address: 0x00de1f3c Address: -

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: svchost.exe (PID: 868) Address: 0x006f0000 Address: 49152

Object: Hidden Module [Name: UAC2f87.tmpuxtukjwbnsx.dll]
Process: svchost.exe (PID: 868) Address: 0x00a00000 Address: 204800

Object: Hidden Module [Name: UACweetasqucfunmrn.dll]
Process: svchost.exe (PID: 868) Address: 0x00af0000 Address: 73728

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: svchost.exe (PID: 868) Address: 0x00d90000 Address: 45056

Object: Hidden Module [Name: UACbrnnuxtukjwbnsx.dll]
Process: svchost.exe (PID: 868) Address: 0x03140000 Address: 204800

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: svchost.exe (PID: 868) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: svchost.exe (PID: 868) Address: 0x034c0000 Address: 49152

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: svchost.exe (PID: 952) Address: 0x006f0000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: svchost.exe (PID: 952) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: svchost.exe (PID: 1048) Address: 0x006f0000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: svchost.exe (PID: 1048) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: svchost.exe (PID: 1116) Address: 0x006f0000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: svchost.exe (PID: 1116) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: svchost.exe (PID: 1200) Address: 0x006f0000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: svchost.exe (PID: 1200) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: brsvc01a.exe (PID: 1400) Address: 0x00930000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: brsvc01a.exe (PID: 1400) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: spoolsv.exe (PID: 1428) Address: 0x00980000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: spoolsv.exe (PID: 1428) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: brss01a.exe (PID: 1440) Address: 0x00940000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: brss01a.exe (PID: 1440) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: Explorer.EXE (PID: 156) Address: 0x00c10000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: Explorer.EXE (PID: 156) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: PRISMSVR.EXE (PID: 176) Address: 0x009c0000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: PRISMSVR.EXE (PID: 176) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: dad9.exe (PID: 404) Address: 0x00a20000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: dad9.exe (PID: 404) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: svchost.exe (PID: 504) Address: 0x006f0000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: svchost.exe (PID: 504) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: AOLacsd.exe (PID: 536) Address: 0x00b20000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: AOLacsd.exe (PID: 536) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: svchost.exe (PID: 552) Address: 0x006f0000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: svchost.exe (PID: 552) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: MDM.EXE (PID: 696) Address: 0x009b0000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: MDM.EXE (PID: 696) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: sqlservr.exe (PID: 1028) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: sqlservr.exe (PID: 1028) Address: 0x00f30000 Address: 49152

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: PRISMSVC.EXE (PID: 1084) Address: 0x006c0000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: PRISMSVC.EXE (PID: 1084) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: QBCFMonitorService.exe (PID: 1176) Address: 0x00710000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: QBCFMonitorService.exe (PID: 1176) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: svchost.exe (PID: 1680) Address: 0x00980000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: svchost.exe (PID: 1680) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: QBDBMgrN.exe (PID: 1792) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: QBDBMgrN.exe (PID: 1792) Address: 0x00730000 Address: 49152

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: svchost.exe (PID: 1832) Address: 0x006f0000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: svchost.exe (PID: 1832) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: wdfmgr.exe (PID: 1908) Address: 0x005e0000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: wdfmgr.exe (PID: 1908) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: YahooAUService.exe (PID: 1996) Address: 0x009e0000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: YahooAUService.exe (PID: 1996) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: sargui.exe (PID: 3936) Address: 0x00a10000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: sargui.exe (PID: 3936) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: iexplore.exe (PID: 3028) Address: 0x00a10000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: iexplore.exe (PID: 3028) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: iexplore.exe (PID: 2188) Address: 0x00a10000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: iexplore.exe (PID: 2188) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: Iexplore.exe (PID: 1964) Address: 0x00a10000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: Iexplore.exe (PID: 1964) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: Iexplore.exe (PID: 3316) Address: 0x00a10000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: Iexplore.exe (PID: 3316) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: RootRepeal.exe (PID: 3712) Address: 0x00af0000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: RootRepeal.exe (PID: 3712) Address: 0x10000000 Address: 45056

==EOF==


If someone could please help me get rid of this, I would SO appreciate it! Thanks so much!!

Edited by garmanma, 15 July 2009 - 03:57 PM.
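The RootRepeal report above is long, but the signals a responder actually triages are few: drivers with no filesystem path or hidden from the Windows API, a hooked SSDT, and the same hidden DLLs injected into many processes. The following script is an added example (not part of the original post, and not RootRepeal's own code): it parses the report format shown above, applies a few labelled heuristics, and returns a summary. The SAMPLE_REPORT is a constructed excerpt modelled on the posted report; the suspicion rules in `driver_reasons` are this example's assumptions, not RootRepeal's.

```python
import re
from collections import defaultdict

# Constructed excerpt in the RootRepeal report layout seen in the post above.
SAMPLE_REPORT = r"""
ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/07/15 13:00
Program Version: Version 1.3.2.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: 000009D0
Image Path: 000009D0
Address: 0xEE0F3000 Size: 76032 File Visible: No Signed: -
Status: Hidden from the Windows API!

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xED9EB000 Size: 49152 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xF7886000 Size: 20480 File Visible: No Signed: -
Status: -

SSDT
-------------------
ServiceTable Hooked [0x869a41b0]!

Stealth Objects
-------------------
Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: winlogon.exe (PID: 632) Address: 0x00650000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: winlogon.exe (PID: 632) Address: 0x10000000 Address: 45056

Object: Hidden Thread [ETHREAD: 0x86bc52a0, TID: 1516]
Process: svchost.exe (PID: 868) Address: 0x00de1f3c Address: -

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: svchost.exe (PID: 868) Address: 0x006f0000 Address: 49152

==EOF==
"""

DRIVER_ADDR_RE = re.compile(r"Address: (?P<address>0x[0-9A-Fa-f]+) Size: (?P<size>\d+) "
                            r"File Visible: (?P<visible>\S+) Signed: (?P<signed>\S+)")
MODULE_RE = re.compile(r"Object: Hidden Module \[Name: (?P<name>[^\]]+)\]")
THREAD_RE = re.compile(r"Object: Hidden Thread \[ETHREAD: 0x[0-9A-Fa-f]+, TID: (?P<tid>\d+)\]")
PROCESS_RE = re.compile(r"Process: (?P<proc>\S+) \(PID: (?P<pid>\d+)\)")
SSDT_RE = re.compile(r"ServiceTable Hooked \[(?P<addr>0x[0-9A-Fa-f]+)\]")


def split_sections(text):
    """Group report lines under the header that precedes each '----' rule."""
    lines, sections, current = text.splitlines(), defaultdict(list), None
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if line.strip() and nxt.startswith("---"):
            current = line.strip()          # e.g. "Drivers", "SSDT", "Stealth Objects"
        elif not line.startswith("---") and current is not None:
            sections[current].append(line)
    return sections


def records(lines):
    """Yield blank-line-separated blocks as lists of stripped lines."""
    block = []
    for line in list(lines) + [""]:
        if line.strip():
            block.append(line.strip())
        elif block:
            yield block
            block = []


def parse_drivers(lines):
    drivers = []
    for rec in records(lines):
        d = {}
        for line in rec:
            for key in ("Name", "Image Path", "Status"):
                if line.startswith(key + ": "):
                    d[key.lower().replace(" ", "_")] = line[len(key) + 2:]
            m = DRIVER_ADDR_RE.match(line)
            if m:
                d.update(m.groupdict())
        if "name" in d:
            drivers.append(d)
    return drivers


def driver_reasons(d):
    """Heuristics (this example's assumptions) for why a driver entry deserves a look."""
    reasons = []
    if "Hidden" in d.get("status", ""):
        reasons.append("hidden from Windows API")
    path = d.get("image_path", "")
    if "\\" not in path:
        reasons.append("no filesystem path")          # image name is just a hex-looking token
    elif ":" in path.rsplit("\\", 1)[-1]:
        reasons.append("alternate data stream in path")  # 'file.sys:1' names an NTFS stream
    return reasons


def parse_stealth(lines):
    modules, threads = [], []
    for rec in records(lines):
        pm = PROCESS_RE.search(" ".join(rec[1:]))
        proc = (pm.group("proc"), int(pm.group("pid"))) if pm else ("?", -1)
        mm, tm = MODULE_RE.match(rec[0]), THREAD_RE.match(rec[0])
        if mm:
            modules.append((mm.group("name"),) + proc)
        elif tm:
            threads.append((int(tm.group("tid")),) + proc)
    return modules, threads


def triage(text):
    """Return the handful of findings a responder would pull out of a RootRepeal report."""
    sections = split_sections(text)
    suspicious = [(d["name"], driver_reasons(d)) for d in parse_drivers(sections.get("Drivers", []))
                  if driver_reasons(d)]
    ssdt = [m.group("addr") for line in sections.get("SSDT", []) for m in [SSDT_RE.search(line)] if m]
    modules, threads = parse_stealth(sections.get("Stealth Objects", []))
    per_module = defaultdict(set)
    for name, proc, pid in modules:
        per_module[name].add((proc, pid))     # one DLL injected into many processes is the key signal
    return {
        "suspicious_drivers": suspicious,
        "ssdt_hooked_at": ssdt,
        "hidden_modules": {n: sorted(p) for n, p in per_module.items()},
        "hidden_threads": threads,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(key, "->", value)
```

Run against the full report in the post, the `hidden_modules` map collapses the forty-odd "Hidden Module" entries into two DLL names with the list of processes each is loaded into, which is what a helper will ask about before deciding on a fix.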



#2 DaChew

    Visiting Alien

  • BC Advisor
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:06:53 PM

Posted 15 July 2009 - 04:41 PM

Let's verify that RootRepeal won't give you a hidden file report.

Just use the file tab at the bottom of the window, select scan and save report.

Chewy

No. Try not. Do... or do not. There is no try.
