probable infection by win32.trojan.generic


9 replies to this topic

#1 alexsuh


Posted 23 August 2009 - 03:00 PM

Hello,
After downloading a file my antivirus (AVAST 4) alerted me of win32.trojan.generic
in C:\WINDOWS\TEMP\<long string>\<another long string>.exe
The AV informed me of this 3 times, but each time I selected delete\repair\"move to chest" the AV popped up "cannot find file specified".
I suspect the trojan probably got executed and hid itself before my AV could handle it.
Luckily it was in a limited account.
After reboot the computer came to a grinding halt.
I rebooted to safe mode into Administrator and ran Malwarebytes' and SUPERAntiSpyware, which found a trojan exe under startup and removed it.
After a second reboot SUPERAntiSpyware found it again, but after a third reboot it found nothing.
After reading horror stories about rootkits I just want to make sure it's all gone.
Can you help me?
Thanks, Alex

System:
Windows XP SP3
AV: AVAST AV Home Edition
firewall: ghostwall
peerguardian


#2 Blade


Posted 23 August 2009 - 03:10 PM

Hello Alex and :thumbsup: to BleepingComputer.

Let's see what we're dealing with here.

Please install RootRepeal
Note: Vista users, right-click on the desktop icon and select "Run as Administrator."
  • Go HERE, HERE, or HERE and download RootRepeal.zip to your Desktop.
Disconnect from the Internet or physically unplug your Internet cable connection.
Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
Temporarily disable your anti-virus and real-time anti-spyware protection.
After starting the scan, do not use the computer until the scan has completed.
When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
  • Extract RootRepeal.exe from the zip archive.
  • Open Posted Image on your desktop.
  • At the top of the window, click Settings, then Options.
  • Click the Ssdt & Shadow Ssdt Tab.
  • Make sure the box next to "Only display hooked functions." is checked.
  • Click the "X" in the top right corner of the Settings window to close it.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
~Blade


In your next reply, please include the following:
RootRepeal log


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#3 alexsuh


Posted 23 August 2009 - 04:02 PM

Hello,
I ran RootRepeal with the AV and firewall off.
Here is the report:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/23 23:42
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name:
Image Path:
Address: 0xF71C2000 Size: 98304 File Visible: No Signed: -
Status: -

Name:
Image Path:
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: aoptnjlb.SYS
Image Path: C:\WINDOWS\System32\Drivers\aoptnjlb.SYS
Address: 0xF577C000 Size: 417792 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF28FB000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79E7000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PCI_NTPNP0862
Image Path: \Driver\PCI_NTPNP0862
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB7112000 Size: 49152 File Visible: No Signed: -
Status: -

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x866061e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x866061e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x866061e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x866061e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x866061e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x866061e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x866061e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x866061e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x866061e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x866061e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x866061e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x866061e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x866061e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x866061e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x866061e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x866061e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x866061e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x866061e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x866061e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x866061e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x866061e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x866061e8 Size: 121

Object: Hidden Code [Driver: aoptnjlbЅఠ印䅳渨, IRP_MJ_CREATE]
Process: System Address: 0x8623a388 Size: 99

Object: Hidden Code [Driver: aoptnjlbЅఠ印䅳渨, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8623a388 Size: 99

Object: Hidden Code [Driver: aoptnjlbЅఠ印䅳渨, IRP_MJ_CLOSE]
Process: System Address: 0x8623a388 Size: 99

Object: Hidden Code [Driver: aoptnjlbЅఠ印䅳渨, IRP_MJ_READ]
Process: System Address: 0x8623a388 Size: 99

Object: Hidden Code [Driver: aoptnjlbЅఠ印䅳渨, IRP_MJ_WRITE]
Process: System Address: 0x8623a388 Size: 99

Object: Hidden Code [Driver: aoptnjlbЅఠ印䅳渨, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8623a388 Size: 99

Object: Hidden Code [Driver: aoptnjlbЅఠ印䅳渨, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8623a388 Size: 99

Object: Hidden Code [Driver: aoptnjlbЅఠ印䅳渨, IRP_MJ_QUERY_EA]
Process: System Address: 0x8623a388 Size: 99

Object: Hidden Code [Driver: aoptnjlbЅఠ印䅳渨, IRP_MJ_SET_EA]
Process: System Address: 0x8623a388 Size: 99

Object: Hidden Code [Driver: aoptnjlbЅఠ印䅳渨, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8623a388 Size: 99

Object: Hidden Code [Driver: aoptnjlbЅఠ印䅳渨, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8623a388 Size: 99

Object: Hidden Code [Driver: aoptnjlbЅఠ印䅳渨, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8623a388 Size: 99

Object: Hidden Code [Driver: aoptnjlbЅఠ印䅳渨, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8623a388 Size: 99

Object: Hidden Code [Driver: aoptnjlbЅఠ印䅳渨, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8623a388 Size: 99

Object: Hidden Code [Driver: aoptnjlbЅఠ印䅳渨, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8623a388 Size: 99

Object: Hidden Code [Driver: aoptnjlbЅఠ印䅳渨, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8623a388 Size: 99

Object: Hidden Code [Driver: aoptnjlbЅఠ印䅳渨, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8623a388 Size: 99

Object: Hidden Code [Driver: aoptnjlbЅఠ印䅳渨, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8623a388 Size: 99

Object: Hidden Code [Driver: aoptnjlbЅఠ印䅳渨, IRP_MJ_CLEANUP]
Process: System Address: 0x8623a388 Size: 99

Object: Hidden Code [Driver: aoptnjlbЅఠ印䅳渨, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8623a388 Size: 99

Object: Hidden Code [Driver: aoptnjlbЅఠ印䅳渨, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8623a388 Size: 99

Object: Hidden Code [Driver: aoptnjlbЅఠ印䅳渨, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8623a388 Size: 99

Object: Hidden Code [Driver: aoptnjlbЅఠ印䅳渨, IRP_MJ_POWER]
Process: System Address: 0x8623a388 Size: 99

Object: Hidden Code [Driver: aoptnjlbЅఠ印䅳渨, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8623a388 Size: 99

Object: Hidden Code [Driver: aoptnjlbЅఠ印䅳渨, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8623a388 Size: 99

Object: Hidden Code [Driver: aoptnjlbЅఠ印䅳渨, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8623a388 Size: 99

Object: Hidden Code [Driver: aoptnjlbЅఠ印䅳渨, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8623a388 Size: 99

Object: Hidden Code [Driver: aoptnjlbЅఠ印䅳渨, IRP_MJ_PNP]
Process: System Address: 0x8623a388 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x8637a2f8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8637a2f8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x8637a2f8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x8637a2f8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x8637a2f8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8637a2f8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8637a2f8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_EA]
Process: System Address: 0x8637a2f8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_EA]
Process: System Address: 0x8637a2f8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8637a2f8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8637a2f8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8637a2f8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8637a2f8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8637a2f8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8637a2f8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8637a2f8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8637a2f8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8637a2f8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLEANUP]
Process: System Address: 0x8637a2f8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8637a2f8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8637a2f8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8637a2f8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x8637a2f8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8637a2f8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8637a2f8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8637a2f8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8637a2f8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x8637a2f8 Size: 99

Object: Hidden Code [Driver: vburner, IRP_MJ_CREATE]
Process: System Address: 0x866071e8 Size: 121

Object: Hidden Code [Driver: vburner, IRP_MJ_CLOSE]
Process: System Address: 0x866071e8 Size: 121

Object: Hidden Code [Driver: vburner, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x866071e8 Size: 121

Object: Hidden Code [Driver: vburner, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x866071e8 Size: 121

Object: Hidden Code [Driver: vburner, IRP_MJ_POWER]
Process: System Address: 0x866071e8 Size: 121

Object: Hidden Code [Driver: vburner, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x866071e8 Size: 121

Object: Hidden Code [Driver: vburner, IRP_MJ_PNP]
Process: System Address: 0x866071e8 Size: 121

Object: Hidden Code [Driver: a347scsi, IRP_MJ_CREATE]
Process: System Address: 0x866741e8 Size: 121

Object: Hidden Code [Driver: a347scsi, IRP_MJ_CLOSE]
Process: System Address: 0x866741e8 Size: 121

Object: Hidden Code [Driver: a347scsi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x866741e8 Size: 121

Object: Hidden Code [Driver: a347scsi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x866741e8 Size: 121

Object: Hidden Code [Driver: a347scsi, IRP_MJ_POWER]
Process: System Address: 0x866741e8 Size: 121

Object: Hidden Code [Driver: a347scsi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x866741e8 Size: 121

Object: Hidden Code [Driver: a347scsi, IRP_MJ_PNP]
Process: System Address: 0x866741e8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x861cdc90 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x861cdc90 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System Address: 0x861cdc90 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_READ]
Process: System Address: 0x861cdc90 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_WRITE]
Process: System Address: 0x861cdc90 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x861cdc90 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x861cdc90 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_EA]
Process: System Address: 0x861cdc90 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_EA]
Process: System Address: 0x861cdc90 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x861cdc90 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x861cdc90 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x861cdc90 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x861cdc90 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x861cdc90 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x861cdc90 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x861cdc90 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SHUTDOWN]
Process: System Address: 0x861cdc90 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x861cdc90 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CLEANUP]
Process: System Address: 0x861cdc90 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x861cdc90 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x861cdc90 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_SECURITY]
Process: System Address: 0x861cdc90 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System Address: 0x861cdc90 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x861cdc90 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x861cdc90 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x861cdc90 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_QUOTA]
Process: System Address: 0x861cdc90 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System Address: 0x861cdc90 Size: 99

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x866751e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x866751e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x866751e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x866751e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x866751e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x866751e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x866751e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x866751e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x866751e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x866751e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x866751e8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_CREATE]
Process: System Address: 0x864631e8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_CLOSE]
Process: System Address: 0x864631e8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x864631e8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x864631e8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_POWER]
Process: System Address: 0x864631e8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x864631e8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_PNP]
Process: System Address: 0x864631e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x866091e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x866091e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x866091e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x866091e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x866091e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x866091e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x866091e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x866091e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x866091e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x866091e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x866091e8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x862117a0 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x862117a0 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x862117a0 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x862117a0 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x862117a0 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x862117a0 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x864571e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x864571e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x864571e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x864571e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x864571e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x864571e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x864571e8 Size: 121

Object: Hidden Code [Driver: Rdbss, IRP_MJ_READ]
Process: System Address: 0x861f92c8 Size: 11

Object: Hidden Code [Driver: Srv, IRP_MJ_READ]
Process: System Address: 0x863778e0 Size: 11

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x862237a0 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x862237a0 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x862237a0 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x86241850 Size: 11

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x862237a0 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x862237a0 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x862237a0 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x862237a0 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x862237a0 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x862237a0 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x862237a0 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x862237a0 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x862237a0 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x862237a0 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x862237a0 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x862237a0 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x862237a0 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x862237a0 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x862237a0 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x862237a0 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x862237a0 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x862237a0 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x862237a0 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x862237a0 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x862237a0 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x862237a0 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x862237a0 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x862237a0 Size: 121

Object: Hidden Code [Driver: , IRP_MJ_READ]
Process: System Address: 0x8625ac10 Size: 11

Object: Hidden Code [Driver: Msfsȅ఍敓ˆ, IRP_MJ_READ]
Process: System Address: 0x86213df0 Size: 11

Object: Hidden Code [Driver: Fs_Rec, IRP_MJ_READ]
Process: System Address: 0x86494df0 Size: 11

Object: Hidden Code [Driver: CdfsЅఅ䵃慖, IRP_MJ_CREATE]
Process: System Address: 0x86245430 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ䵃慖, IRP_MJ_CLOSE]
Process: System Address: 0x86245430 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ䵃慖, IRP_MJ_READ]
Process: System Address: 0x8649c718 Size: 11

Object: Hidden Code [Driver: CdfsЅఅ䵃慖, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x86245430 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ䵃慖, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x86245430 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ䵃慖, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x86245430 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ䵃慖, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x86245430 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ䵃慖, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x86245430 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ䵃慖, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86245430 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ䵃慖, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86245430 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ䵃慖, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x86245430 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ䵃慖, IRP_MJ_CLEANUP]
Process: System Address: 0x86245430 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ䵃慖, IRP_MJ_PNP]
Process: System Address: 0x86245430 Size: 121

==EOF==
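
A triage helper for the RootRepeal log format posted above, added here as an example (it is not code from the thread or from RootRepeal): it parses the Drivers and Stealth Objects sections, maps each "Hidden Code" entry back to its driver even where RootRepeal printed trailing garbage after the driver name, and summarises per driver the hooked IRP majors, the distinct code addresses and whether the driver file was visible on disk. The embedded log is a constructed excerpt in the same format.

```python
"""Summarise a RootRepeal log: which drivers own "Hidden Code" IRP handlers.

Added example, not code from the thread or from RootRepeal. SAMPLE_LOG is a
constructed excerpt in the format RootRepeal 1.3.5 prints.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
ROOTREPEAL (c) AD, 2007-2009
==================================================

Drivers
-------------------
Name: aoptnjlb.SYS
Image Path: C:\\WINDOWS\\System32\\Drivers\\aoptnjlb.SYS
Address: 0xF577C000 Size: 417792 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\rootrepeal.sys
Address: 0xB7112000 Size: 49152 File Visible: No Signed: -
Status: -

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x866061e8 Size: 121

Object: Hidden Code [Driver: aoptnjlbЅఠ印䅳渨, IRP_MJ_CREATE]
Process: System Address: 0x8623a388 Size: 99

Object: Hidden Code [Driver: aoptnjlbЅఠ印䅳渨, IRP_MJ_READ]
Process: System Address: 0x8623a388 Size: 99

Object: Hidden Code [Driver: , IRP_MJ_READ]
Process: System Address: 0x8625ac10 Size: 11

==EOF==
"""
# One record of the "Drivers" section (the trailing Status line is not needed).
DRIVER_RE = re.compile(
    r"^Name:[ \t]*(?P<name>.*)\n^Image Path:[ \t]*(?P<path>.*)\n"
    r"^Address: (?P<addr>0x[0-9A-Fa-f]+) Size: (?P<size>\d+) "
    r"File Visible: (?P<visible>\S+) Signed: (?P<signed>\S+)$", re.M)
# One "Hidden Code" record of the "Stealth Objects" section.
HOOK_RE = re.compile(
    r"^Object: Hidden Code \[Driver: (?P<driver>[^,\]]*), (?P<irp>IRP_MJ_\w+)\]\n"
    r"^Process: \S+ Address: (?P<addr>0x[0-9A-Fa-f]+) Size: (?P<size>\d+)$", re.M)

def normalize_driver(name):
    """One comparison key for a driver name from either section.

    RootRepeal may print trailing garbage after a Stealth Objects driver name
    (non-ASCII from an unterminated string): drop everything from the first
    non-printable-ASCII character, then ignore case and the ".sys" suffix.
    """
    clean = re.split(r"[^\x20-\x7e]", name, maxsplit=1)[0].strip().lower()
    if clean.endswith(".sys"):
        clean = clean[:-4]
    return clean or "(unnamed)"

def parse_drivers(log):
    """Return {key: {image_path, file_visible, signed}} for named drivers."""
    drivers = {}
    for m in DRIVER_RE.finditer(log):
        key = normalize_driver(m["name"])
        if key != "(unnamed)":  # nameless entries cannot be correlated
            drivers[key] = {"image_path": m["path"].strip(),
                            "file_visible": m["visible"], "signed": m["signed"]}
    return drivers

def parse_hooks(log):
    """Return {key: [(irp_major, code_address, code_size), ...]}."""
    hooks = defaultdict(list)
    for m in HOOK_RE.finditer(log):
        hooks[normalize_driver(m["driver"])].append((m["irp"], m["addr"], int(m["size"])))
    return hooks

def summarize(log):
    """Join both sections on the driver key; one entry per driver seen anywhere."""
    drivers, hooks = parse_drivers(log), parse_hooks(log)
    summary = {}
    for key in sorted(set(drivers) | set(hooks)):
        entries, info = hooks.get(key, []), drivers.get(key, {})
        summary[key] = {
            "hook_count": len(entries),
            "irps": [irp for irp, _, _ in entries],
            # Usually one address per driver: one hidden code block serves every major.
            "addresses": sorted({addr for _, addr, _ in entries}),
            "file_visible": info.get("file_visible"),  # None if not in Drivers
            "image_path": info.get("image_path"),
        }
    return summary

if __name__ == "__main__":
    for key, s in sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["hook_count"]):
        print(f"{key:<12} hooks={s['hook_count']:<3} addrs={','.join(s['addresses']) or '-'}"
              f" file_visible={s['file_visible'] or 'n/a'}")
```

Run it against a saved RootRepeal.txt by reading the file into `summarize()`; a driver with many hooked majors, one code address and no visible file is the kind of entry to look at first, while entries such as rootrepeal.sys itself show that "File Visible: No" alone is not proof of anything.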

#4 Blade


Posted 23 August 2009 - 04:07 PM

Hello :thumbsup:

Hello,
After downloading a file my antivirus (AVAST 4) alerted me of win32.trojan.generic
in C:\WINDOWS\TEMP\<long string>\<another long string>.exe


I have a couple of questions about this.

1.) Do you still have the file you downloaded on your computer?
2.) Do you happen to have the exact filepath that avast reported? You should be able to dig it out of Avast's records if you don't have it on hand.

~Blade



#5 alexsuh


Posted 23 August 2009 - 04:44 PM

Hi,
The infection appeared after visiting a web site
www.torrentreactor.net
and a download from
download197.filefront.com
Not sure which one triggered the reaction.

I couldn't find a trace of the filename of the infection in the Avast logs.
These are the only things it registered today:


sorry,
Alex

Edited by The weatherman, 23 August 2009 - 05:27 PM.
Removed links. Tw


#6 Blade


Posted 23 August 2009 - 06:43 PM

Alright. . . the RootRepeal log looked clean, but I want to try another ARK scanner just to make sure we didn't miss anything.

Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rootkit User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now". Click Yes.
  • Make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\\Local Settings\Temp\.
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
~Blade


In your next reply, please include the following:
sarscan.log



#7 alexsuh


Posted 24 August 2009 - 03:04 AM

Hi,
Finished the scan; Sophos didn't find anything marked for deletion.
Sophos report:


Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 24/08/2009 at 09:31:56
User "we" on computer "MAMA"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x100 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\WINDOWS\system32\drivers\atapi.sys
Hidden: file C:\Documents and Settings\we2.MAMA\Local Settings\Application Data\Microsoft\Messenger\eransuh@walla.co.il\SharingMetadata\slavafidel@yahoo.com\DFSR\Staging\CS{730181CE-3638-57A5-A435-9CB3DC7F24AB}\01\10-{730181CE-3638-57A5-A435-9CB3DC7F24AB}-v1-{DE84B51D-51D7-4027-B161-A2AF2178D83E}-v10-Downloaded.frx
Hidden: file C:\WINDOWS\system32\drivers\sptd.sys
Hidden: file C:\Documents and Settings\we\Local Settings\Application Data\Microsoft\Messenger\eransuh@walla.co.il\SharingMetadata\slavafidel@yahoo.com\DFSR\Staging\CS{730181CE-3638-57A5-A435-9CB3DC7F24AB}\01\10-{730181CE-3638-57A5-A435-9CB3DC7F24AB}-v1-{67C67434-B02E-4DE2-B77D-AB175480C4A2}-v10-Downloaded.frx
Info: Starting disk scan of D: (NTFS).
Hidden: file D:\eclipse-java-europa-fall2-win32\eclipse\plugins\org.eclipse.datatools.source_1.5.2.200802201\src\org.eclipse.datatools.connectivity.sqm.server.ui_1.0.0.200709141\schema\org_eclipse_datatools_connectivity_sqm_server_ui_ServerExplorerInitializationProvider.html
Stopped logging on 24/08/2009 at 10:35:15

Alex

#8 Blade


Posted 24 August 2009 - 08:53 AM

Hello :flowers:

I don't see any evidence of rootkit activity. :thumbsup: Are you having any symptoms of malware infection?

~Blade



#9 alexsuh


Posted 24 August 2009 - 10:21 AM

:thumbsup:
Great, thanks!
I imagined that it would take more than a couple of reboots and scans by generic tools to get rid of this nasty; glad I was wrong!
Thanks!
Alex
:flowers: :trumpet: :inlove:

#10 Blade


Posted 24 August 2009 - 04:13 PM

It was my pleasure :thumbsup:





