AVG detecting Trojan horse Rootkit


2 replies to this topic

#1 BoB_50

BoB_50

  • Members
  • 2 posts
  • Local time:11:09 PM

Posted 14 August 2009 - 01:34 AM

Hi

I've been following this conversation in the hopes that I can fix my similar problem. I have run MBAM and RootRepeal a couple of times, however, I still keep getting messages from AVG to say that I have a couple of viruses. Not the rootkit, that one has gone, but a trojan horse back door and a Win32/heur ?

I haven't run the SAS software or the ATF yet. Should I just carry on to the end and see what happens?

I also have error messages on boot up. One is regarding something in \programfiles\my web (the full address is truncated so I can't read it) and the other saying there is a problem with install.exe. Is it all connected?


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:06:09 PM

Posted 14 August 2009 - 02:44 PM

Hello Bob, as this thread is done we should start a new topic. You may have slight differences.
I am going to split this to its own topic and name it... AVG detecting Trojan horse Rootkit
Please post your Rootrepeal log..
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 BoB_50

BoB_50
  • Topic Starter

  • Members
  • 2 posts
  • Local time:11:09 PM

Posted 14 August 2009 - 03:10 PM

Hi

Thanks. This is the log:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/14 02:18
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF0098000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF9AE6000 Size: 8192 File Visible: No Signed: -
Status: -

Name: jdfii.sys
Image Path: jdfii.sys
Address: 0xF958C000 Size: 61440 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEEEA3000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xf028d0b0

Stealth Objects
-------------------
Object: Hidden Module [Name: svchost.exe]
Process: svchost.exe (PID: 3764) Address: 0x01000000 Size: 20480

==EOF==
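The RootRepeal report above is plain text with a fixed layout: a titled section (Drivers, Hidden/Locked Files, SSDT, Stealth Objects) under a dashed underline, and key/value lines inside each. As an added example, not code from the thread or from RootRepeal's authors, the script below parses that layout from a constructed excerpt of the posted log and applies a few triage rules to the result. The rules (crash-dump driver copies named dump_* and the scanner's own rootrepeal.sys are expected to have no visible file; an SSDT hook owned by an installed security product such as SUPERAntiSpyware is expected rather than alarming; a driver loaded from a bare image path with no visible file, or a hidden module inside a system process, warrants a closer look) are this example's own assumptions and are not a verdict on any particular file on the poster's machine.

```python
"""Parse a RootRepeal text report and triage its findings.

Added example, not from the thread or from RootRepeal. The sample below is a
constructed excerpt of the log format as posted; the triage rules are this
example's own heuristics, not verdicts on any particular file.
"""
import re

# Constructed excerpt of the report format shown in the post.
SAMPLE_LOG = r"""ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/08/14 02:18
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF0098000 Size: 98304 File Visible: No Signed: -
Status: -

Name: jdfii.sys
Image Path: jdfii.sys
Address: 0xF958C000 Size: 61440 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEEEA3000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xf028d0b0

Stealth Objects
-------------------
Object: Hidden Module [Name: svchost.exe]
Process: svchost.exe (PID: 3764) Address: 0x01000000 Size: 20480

==EOF==
"""

ADDR_RE = re.compile(r"Address:\s*(?P<address>0x[0-9A-Fa-f]+)\s+Size:\s*(?P<size>\d+)"
                     r"\s+File Visible:\s*(?P<visible>\S+)\s+Signed:\s*(?P<signed>\S+)")
SSDT_RE = re.compile(r"#:\s*(?P<index>\d+)\s+Function Name:\s*(?P<function>\w+)")
HOOK_RE = re.compile(r'Status:\s*Hooked by "(?P<module>[^"]+)" at address (?P<address>0x[0-9A-Fa-f]+)')
OBJ_RE = re.compile(r"Object:\s*(?P<kind>[^\[]+?)\s*\[Name:\s*(?P<name>[^\]]+)\]")
PROC_RE = re.compile(r"Process:\s*(?P<process>\S+)\s*\(PID:\s*(?P<pid>\d+)\)")


def split_sections(text):
    """Return {section title: [non-blank lines]}; a title is a line followed by a dashed underline."""
    lines, sections, current = text.splitlines(), {}, None
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if line.strip() and re.fullmatch(r"-{5,}", nxt.strip()):
            current = line.strip()
            sections[current] = []
        elif current and line.strip() and not re.fullmatch(r"-{5,}|==EOF==", line.strip()):
            sections[current].append(line.rstrip())
    return sections


def _records(lines, first_key):
    """Group consecutive key: value lines into records that begin at first_key."""
    recs = []
    for line in lines:
        if line.startswith(first_key):
            recs.append([])
        if recs:
            recs[-1].append(line)
    return recs


def parse_report(text):
    """Parse the four sections of the report into plain dicts and lists."""
    sec = split_sections(text)
    drivers = []
    for rec in _records(sec.get("Drivers", []), "Name:"):
        d = {"name": rec[0].split(":", 1)[1].strip()}
        for line in rec[1:]:
            if line.startswith("Image Path:"):
                d["image_path"] = line.split(":", 1)[1].strip()
            elif line.startswith("Status:"):
                d["status"] = line.split(":", 1)[1].strip()
            elif (m := ADDR_RE.match(line)):
                d.update(address=m["address"], size=int(m["size"]),
                         file_visible=m["visible"].lower() == "yes", signed=m["signed"])
        drivers.append(d)
    hooks = []
    for rec in _records(sec.get("SSDT", []), "#:"):
        h = SSDT_RE.match(rec[0]).groupdict()
        h["index"] = int(h["index"])
        for line in rec[1:]:
            if (m := HOOK_RE.match(line)):
                h.update(m.groupdict())
        hooks.append(h)
    stealth = []
    for rec in _records(sec.get("Stealth Objects", []), "Object:"):
        s = OBJ_RE.match(rec[0]).groupdict()
        for line in rec[1:]:
            if (m := PROC_RE.match(line)):
                s["process"], s["pid"] = m["process"], int(m["pid"])
        stealth.append(s)
    locked = [line.split(":", 1)[1].strip() for line in sec.get("Hidden/Locked Files", [])
              if line.startswith("Path:")]
    return {"drivers": drivers, "ssdt_hooks": hooks, "stealth": stealth, "locked_files": locked}


# Assumptions of this example: dump_* crash-dump driver copies and the scanner's own
# driver have no visible file by design; a hook from an installed security product is
# expected. Everything else with no file on disk or hiding in a process gets reviewed.
EXPECTED_NO_FILE = ("dump_",)
SCANNER_DRIVERS = {"rootrepeal.sys"}
SECURITY_PRODUCT_DIRS = ("superantispyware",)


def triage(report):
    """Return (severity, subject, reason) tuples for a responder to review."""
    out = []
    for d in report["drivers"]:
        n = d["name"].lower()
        if n.startswith(EXPECTED_NO_FILE) or n in SCANNER_DRIVERS:
            continue
        if "\\" not in d.get("image_path", "") and not d.get("file_visible", True):
            out.append(("investigate", d["name"],
                        "driver loaded from a bare image path with no visible file on disk"))
    for h in report["ssdt_hooks"]:
        mod = h.get("module", "")
        sev = "info" if any(v in mod.lower() for v in SECURITY_PRODUCT_DIRS) else "investigate"
        out.append((sev, h["function"], f"SSDT entry {h['index']} hooked by {mod}"))
    for s in report["stealth"]:
        out.append(("investigate", s["name"], f"{s['kind']} in {s['process']} (PID {s['pid']})"))
    for path in report["locked_files"]:
        out.append(("info", path, "file locked to the Windows API"))
    return out


if __name__ == "__main__":
    for sev, subject, reason in triage(parse_report(SAMPLE_LOG)):
        print(f"[{sev}] {subject}: {reason}")
```

Run as a script, it prints one line per finding; fed the excerpt above it lists the bare-path driver and the hidden module in svchost.exe under "investigate" and the SUPERAntiSpyware hook and the locked hibernation file under "info". The allow-lists are deliberately tiny so that the parser, not the judgement, is what the example demonstrates; in practice a responder would extend them from a known-good driver inventory and still verify the flagged files by hash and signature before deciding anything.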



