Trojan horse Rootkit



#1 djcherry
Posted 16 August 2009 - 01:23 AM

Hello there,

I too am having this same problem. I have tried everything so I am really hoping this works. I followed the instructions that you mentioned to the previous poster. I will post the logs that you mentioned.

Thank you very much

Malwarebytes' Anti-Malware 1.40
Database version: 2633
Windows 5.1.2600 Service Pack 3

8/16/2009 12:40:54 AM
mbam-log-2009-08-16 (00-40-54).txt

Scan type: Quick Scan
Objects scanned: 124207
Time elapsed: 12 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe logon.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\SKYNETcfampvwu.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SKYNETkjgotvyx.dat (Trojan.Agent) -> Quarantined and deleted successfully.


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/16 01:01
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xECF4C000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A0D000 Size: 8192 File Visible: No Signed: -
Status: -

Name: mchInjDrv.sys
Image Path: C:\WINDOWS\system32\Drivers\mchInjDrv.sys
Address: 0xF7B19000 Size: 2560 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB8226000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\administrator\local settings\application data\mozilla\firefox\profiles\r8y63u6z.default\cache\_cache_001_
Status: Size mismatch (API: 745633, Raw: 744845)

SSDT
-------------------
#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x8a05ad18

==EOF==
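The Malwarebytes entry in the log above reports a Winlogon Shell hijack: the Shell value had been changed from `Explorer.exe` to `Explorer.exe logon.exe`, so the extra executable was started at every logon. The following is an added example, not code from the thread or from Malwarebytes, that parses such a "Registry Data Items Infected" line and flags any entry in a Shell value beyond the expected shell; it assumes entries are separated by spaces or commas, and the sample line is a constructed copy of the one in the log.

```python
import re

# Constructed sample: the Hijack.Shell line from the Malwarebytes log above.
SAMPLE_LINE = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell "
    "(Hijack.Shell) -> Bad: (Explorer.exe logon.exe) Good: (Explorer.exe) "
    "-> Quarantined and deleted successfully."
)

# Matches "<key> (<detection>) -> Bad: (<bad>) Good: (<good>)" as MBAM prints it.
# The key is matched non-greedily because it can contain spaces ("Windows NT").
MBAM_RE = re.compile(
    r"^(?P<key>HK.+?) \((?P<detection>[^)]+)\) -> "
    r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)"
)


def parse_mbam_registry_data(line):
    """Return key/detection/bad/good fields of a registry data line, or None."""
    m = MBAM_RE.match(line.strip())
    return m.groupdict() if m else None


def extra_shell_entries(shell_value, expected="explorer.exe"):
    """Return entries in a Winlogon Shell value other than the expected shell.

    Assumption: entries are separated by spaces or commas (the log above shows
    a space-separated value). Comparison is case-insensitive.
    """
    entries = shell_value.replace(",", " ").split()
    return [e for e in entries if e.lower() != expected]


def shell_hijack_report(line):
    """Combine both checks: which unexpected executables the bad value carried."""
    parsed = parse_mbam_registry_data(line)
    if parsed is None or not parsed["key"].lower().endswith(r"\winlogon\shell"):
        return None
    return extra_shell_entries(parsed["bad"])


if __name__ == "__main__":
    print(shell_hijack_report(SAMPLE_LINE))  # ['logon.exe']
```

The same `extra_shell_entries` check can be run against the live value read from `HKLM\...\Winlogon\Shell` on a machine being examined, where anything beyond `Explorer.exe` deserves a look.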

#2 djcherry
Posted 16 August 2009 - 02:58 AM

Please help! Every time that I start my computer, AVG detects that I am infected with the trojan horse rootkit-pakes.L. When I am browsing the internet, it seems that I keep getting redirected to pages that I do not click on. It is very frustrating. I never enter websites that could be harmful so I'm not sure what happened. I will post my log from Malwarebytes' Anti-Malware. Any help would be greatly appreciated.

Thank You
DJ


Malwarebytes' Anti-Malware 1.40
Database version: 2633
Windows 5.1.2600 Service Pack 3

8/16/2009 12:40:54 AM
mbam-log-2009-08-16 (00-40-54).txt

Scan type: Quick Scan
Objects scanned: 124207
Time elapsed: 12 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe logon.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\SKYNETcfampvwu.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SKYNETkjgotvyx.dat (Trojan.Agent) -> Quarantined and deleted successfully.

#3 djcherry
Posted 16 August 2009 - 03:03 AM

I probably should've mentioned that I try and delete these detections when AVG gives the option, but it says that they are not able to be healed. If this keeps up, I will not be able to be healed!

#4 boopme
Posted 16 August 2009 - 10:59 AM

Hello, I put all your posts in the same topic, so we won't be all over the forum.

Please rerun RootRepeal... This time select only the FILES tab at the bottom.

#5 djcherry
Posted 17 August 2009 - 04:27 PM

Hi boopme,

Thank you very much for your help. I re-ran RootRepeal and the results are as follows:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/17 16:25
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\administrator\local settings\temp\etilqs_hby4xh3tklc1c0hmeges
Status: Allocation size mismatch (API: 32768, Raw: 0)
