
Possible Rootkit infection


5 replies to this topic

#1 sapolivaliva

sapolivaliva

  • Members
  • 3 posts
  • OFFLINE
  • Local time:10:54 PM

Posted 30 September 2009 - 05:14 AM

hey, I posted this on another thread http://www.bleepingcomputer.com/forums/t/260187/somebody-help-i-might-be-effected/ and was told to move it here.
According to garmanman I might have a Rootkit infection.
here are my DDS scans and RootRepeal scan as well as a DDS scan attachment. Any assistance would be much appreciated. :( :(






DDS (Ver_09-09-29.01) - NTFSx86
Run by Rachel at 22:57:50.52 on Wed 30/09/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.173 [GMT 13:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\System32\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\Program Files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\WINDOWS\system32\wuauclt.exe
E:\RootRepeal.exe
E:\DDS\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.7.2.11\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.7.2.11\IPSBHO.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.7.2.11\coIEPlg.dll
c:\docume~1\rachel\locals~1\temp\rarsfx0\temp00
c:\docume~1\rachel\locals~1\temp\rarsfx0\temp00
c:\docume~1\rachel\locals~1\temp\rarsfx0\temp00
c:\docume~1\rachel\locals~1\temp\rarsfx0\temp00
c:\docume~1\rachel\locals~1\temp\rarsfx0\temp00
c:\docume~1\rachel\locals~1\temp\rarsfx0\temp00
c:\docume~1\rachel\locals~1\temp\rarsfx0\temp00
c:\docume~1\rachel\locals~1\temp\rarsfx0\temp00
c:\docume~1\rachel\locals~1\temp\rarsfx0\temp00
c:\docume~1\rachel\locals~1\temp\rarsfx0\temp00
c:\docume~1\rachel\locals~1\temp\rarsfx0\temp00
c:\docume~1\rachel\locals~1\temp\rarsfx0\temp00
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\status~1.lnk - c:\program files\brother\brmfcmon\BrMfcWnd.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} - hxxp://www.bebo.com/files/BeboUploader.5.1.4.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl.sun.com/webapps/download/AutoDL?BundleId=26688
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\engine\16.7.2.11\CoIEPlg.dll
Notify: Sebring - c:\windows\system32\LgNotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1007020.00b\SymEFA.sys [2009-9-1 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1007020.00b\BHDrvx86.sys [2009-9-1 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1007020.00b\cchpx86.sys [2009-9-1 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090916.003\IDSXpx86.sys [2009-9-17 329080]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [2004-1-8 5760]
R2 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\engine\16.7.2.11\ccSvcHst.exe [2009-9-1 117640]
R2 Tmesbs;Tmesbs32;c:\program files\toshiba\tme3\tmesbs32.exe [2004-1-8 86016]
R2 Tmesrv;Tmesrv3;c:\program files\toshiba\tme3\TMESRV31.exe [2004-1-8 126976]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-27 102448]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090923.035\NAVENG.SYS [2009-9-24 84912]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090923.035\NAVEX15.SYS [2009-9-24 1323568]
R3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\drivers\TEchoCan.sys [2004-1-14 28416]
S2 gupdate1c9a5eb11c384f0;Google Update Service (gupdate1c9a5eb11c384f0);c:\program files\google\update\GoogleUpdate.exe [2009-3-16 133104]
S3 kavoomd;kavoomd;c:\windows\system32\drivers\kavoomd.sys [2006-2-20 2816]

=============== Created Last 30 ================

2009-09-26 11:54 --d----- c:\docume~1\rachel\applic~1\Malwarebytes
2009-09-26 11:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-26 11:54 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-26 11:54 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-26 11:54 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-25 19:12 --d----- c:\program files\Free Window Registry Repair
2009-09-25 18:45 50 a------- c:\windows\system32\gasfkylog.dat
2009-09-24 22:02 19,968 a------- c:\windows\system32\gasfkyxpjtxvky.dll
2009-09-24 21:59 25,684 a------- c:\windows\system32\gasfkyopwnkrdl.dat
2009-09-24 21:59 43,008 a------- c:\windows\system32\gasfkyodpuegqh.dll
2009-09-24 21:59 69,120 a------- c:\windows\system32\drivers\gasfkyhtkkdbog.sys
2009-09-22 19:28 --d----- c:\docume~1\alluse~1\applic~1\DAEMON Tools Lite
2009-09-09 11:17 153,088 -c------ c:\windows\system32\dllcache\triedit.dll
2009-09-04 12:17 --d----- c:\temp\en_access_2003
2009-09-03 17:13 --d----- C:\Temp

==================== Find3M ====================

2009-09-01 12:43 124,976 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-09-01 12:43 7,456 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-09-01 12:43 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-09-01 12:43 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-08-22 20:21 36,400 a----r-- c:\windows\system32\drivers\SymIM.sys
2009-08-05 22:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-18 07:55 58,880 a------- c:\windows\system32\atl.dll
2009-07-14 00:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2006-07-20 13:45 1,031 ---sh--- c:\windows\system\ws32ntfg.dat
2002-04-16 23:27 5 a--sh--- c:\windows\system32\CdI5T.drv

============= FINISH: 22:58:20.37 ===============











ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/09/30 22:56
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF52FD000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8A81000 Size: 8192 File Visible: No Signed: -
Status: -

Name: hiber_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\hiber_WMILIB.SYS
Address: 0xF8AB5000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rjtvbn.sys
Image Path: rjtvbn.sys
Address: 0xF8535000 Size: 54016 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF0282000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SYMEFA.SYS
Image Path: SYMEFA.SYS
Address: 0xF83D9000 Size: 323584 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "" at address 0x82e58058

#: 013 Function Name: NtAlertThread
Status: Hooked by "" at address 0x82e84058

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "" at address 0x82bf0300

#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "" at address 0x82bbc150

#: 031 Function Name: NtConnectPort
Status: Hooked by "" at address 0x82c6dbd8

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf56bc130

#: 043 Function Name: NtCreateMutant
Status: Hooked by "" at address 0x82bcc3e0

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "" at address 0x82bd3140

#: 053 Function Name: NtCreateThread
Status: Hooked by "" at address 0x82d3d840

#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "" at address 0x82e51080

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf56bc3b0

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf56bc910

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "" at address 0x82bf03d8

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "" at address 0x82bf3180

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "" at address 0x82e58ad8

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "" at address 0x82e61058

#: 097 Function Name: NtLoadDriver
Status: Hooked by "" at address 0x82e46668

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "" at address 0x82d3e480

#: 114 Function Name: NtOpenEvent
Status: Hooked by "" at address 0x82bf7148

#: 122 Function Name: NtOpenProcess
Status: Hooked by "" at address 0x82c1f8a8

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "" at address 0x82dd59e8

#: 125 Function Name: NtOpenSection
Status: Hooked by "" at address 0x82bb6258

#: 128 Function Name: NtOpenThread
Status: Hooked by "" at address 0x82e850a8

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "" at address 0x82bbc080

#: 206 Function Name: NtResumeThread
Status: Hooked by "" at address 0x82cd2f28

#: 213 Function Name: NtSetContextThread
Status: Hooked by "" at address 0x82cc4a20

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "" at address 0x82bf3060

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "" at address 0x82bb6220

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf56bcb60

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "" at address 0x82bb6318

#: 254 Function Name: NtSuspendThread
Status: Hooked by "" at address 0x82e66e78

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "" at address 0x82e290d8

#: 258 Function Name: NtTerminateThread
Status: Hooked by "" at address 0x82c400f8

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "" at address 0x82d2a2c0

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "" at address 0x82bf0270

Hidden Services
-------------------
Service Name: gasfkylteppfen
Image Path: C:\WINDOWS\system32\drivers\gasfkyhtkkdbog.sys

Shadow SSDT
-------------------
#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by "" at address 0x823d6340

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "" at address 0x823cac70

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "" at address 0x823d98e8

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "" at address 0x823e57d8

#: 428 Function Name: NtUserGetRawInputData
Status: Hooked by "" at address 0x82e82310

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "" at address 0x82bf6160

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "" at address 0x82e9ee48

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "" at address 0x82e77258

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "" at address 0xff39d0d8

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "" at address 0x82c728b0

==EOF==
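As an added example (not code from the original post, from RootRepeal or from DDS), the Python script below applies the checks a helper reads these two logs for, run over a constructed excerpt of the RootRepeal and DDS output above: SSDT and Shadow SSDT entries whose hooking module RootRepeal could not name (the Norton hooks above are attributed to SYMEVENT.SYS, most of the others are not), services found only by RootRepeal's own scan, drivers loaded under a bare file name with no visible file, and a cross-reference of those images against the DDS SERVICES / DRIVERS listing. The parsing is keyed to the field layout shown on this page and assumes that layout; the excerpt records are copied from the logs above. An unattributed hook is not proof of malice on its own, since security products hook the same tables, but every such hook, and every image that is loaded yet missing from the DDS listing, belongs on the list of things to account for before a machine is called clean.

```python
import re

# Constructed excerpt of the RootRepeal and DDS output posted above (a few records each).
ROOTREPEAL_LOG = r"""
Drivers
-------------------
Name: rjtvbn.sys
Image Path: rjtvbn.sys
Address: 0xF8535000 Size: 54016 File Visible: No Signed: -
Status: -

Name: SYMEFA.SYS
Image Path: SYMEFA.SYS
Address: 0xF83D9000 Size: 323584 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf56bc130

#: 097 Function Name: NtLoadDriver
Status: Hooked by "" at address 0x82e46668

Hidden Services
-------------------
Service Name: gasfkylteppfen
Image Path: C:\WINDOWS\system32\drivers\gasfkyhtkkdbog.sys

Shadow SSDT
-------------------
#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "" at address 0x823cac70

==EOF==
"""

# Three lines from the DDS "SERVICES / DRIVERS" section, as posted above.
DDS_SERVICES = r"""
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1007020.00b\SymEFA.sys [2009-9-1 310320]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [2004-1-8 5760]
S3 kavoomd;kavoomd;c:\windows\system32\drivers\kavoomd.sys [2006-2-20 2816]
"""

HOOK_RE = re.compile(r'Hooked by "([^"]*)" at address (0x[0-9a-fA-F]+)')
DDS_SVC_RE = re.compile(r"^[RS]\d [^;]+;[^;]*;(.+?) \[")

def split_sections(text):
    """Map each RootRepeal section title ('SSDT', 'Drivers', ...) to its body text."""
    parts = re.split(r"^([A-Za-z/ ]+)\n-{5,}\n", text, flags=re.M)
    return dict(zip(parts[1::2], parts[2::2]))

def records(section):
    """Yield each blank-line separated record of a section as a dict of its fields."""
    for chunk in re.split(r"\n\s*\n", section.strip()):
        kv = dict(re.findall(r"(?m)^(#|[A-Za-z ]+): (.*)$", chunk))
        # The 'Address:' line packs Size, File Visible and Signed into one line.
        kv.update(re.findall(r"(\S[A-Za-z ]*?): (\S+)", kv.get("Address", "")))
        if kv:
            yield kv

def unattributed_hooks(sections):
    """SSDT / Shadow SSDT entries hooked by a module RootRepeal could not name."""
    hits = []
    for table in ("SSDT", "Shadow SSDT"):
        for kv in records(sections.get(table, "")):
            func = re.search(r"Function Name: (\w+)", kv.get("#", ""))
            hook = HOOK_RE.search(kv.get("Status", ""))
            if func and hook and hook.group(1) == "":
                hits.append((table, func.group(1), hook.group(2)))
    return hits

def hidden_services(sections):
    """Services RootRepeal found that the normal service enumeration does not return."""
    return [(kv["Service Name"], kv["Image Path"])
            for kv in records(sections.get("Hidden Services", "")) if "Image Path" in kv]

def unbacked_drivers(sections):
    """Loaded drivers with no visible file and only a bare name as image path; dump_*/hiber_*
    copies and rootrepeal.sys also say 'File Visible: No' but carry a full path, so they are skipped."""
    return [(kv["Name"], kv["Image Path"]) for kv in records(sections.get("Drivers", ""))
            if kv.get("File Visible") == "No" and "\\" not in kv.get("Image Path", "")]

def dds_driver_files(dds_text):
    """Lower-cased basenames of every image in DDS's SERVICES / DRIVERS listing."""
    matches = (DDS_SVC_RE.match(line) for line in dds_text.splitlines())
    return {m.group(1).rsplit("\\", 1)[-1].lower() for m in matches if m}

def unregistered(sections, dds_names):
    """Images RootRepeal sees loaded that DDS's service listing does not account for."""
    seen = {p.rsplit("\\", 1)[-1].lower() for _, p in hidden_services(sections)}
    seen |= {n.lower() for n, _ in unbacked_drivers(sections)}
    return sorted(n for n in seen if n not in dds_names)

if __name__ == "__main__":
    secs = split_sections(ROOTREPEAL_LOG)
    print("hooks to attribute:", unattributed_hooks(secs))
    print("hidden services:", hidden_services(secs))
    print("loaded but not in DDS listing:", unregistered(secs, dds_driver_files(DDS_SERVICES)))
```

On the excerpt, SYMEFA.SYS is flagged as an unbacked driver but drops out of the cross-reference because DDS lists it under R0 SymEFA, which is the kind of benign explanation the analyst wants to find for each item; the two names that survive the cross-reference (the hidden service's driver and rjtvbn.sys) are the ones neither log accounts for.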


#2 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  • Gender:Male
  • Location:US
  • Local time:05:54 AM

Posted 30 September 2009 - 11:05 AM

Hello, and :( to the Malware Removal forum! My online alias is Blade Zephon, or Blade for short, and I will be assisting you with your malware issues!

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Before we begin cleaning your machine, I'd like to lay out some guidelines for us to follow while we are working together.
  • I will be assisting you with your malware issues. This may or may not resolve other problems you are having with your computer. If you are still having problems after your machine has been determined clean, I will be glad to direct you to the proper forum for assistance.
  • Even if things appear better, that does not mean we are finished. Please continue to follow my instructions until I give you the all clean. Absence of symptoms does not mean that all the malware has been removed. If a piece of the infection is left, it can regenerate and reinfect your machine.
  • Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • I ask that you please refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. If you act independently it will cause changes to your system that I will not be aware of, which will make the process of cleaning the machine a much slower and more difficult process. Additionally, some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you are unsure or confused about any instructions I give you, you should ask me to clarify before doing anything. Additionally, if you run into any problems while carrying out instructions, you should STOP and reply back here explaining what happened.
  • After 5 days if a topic is not replied to we assume it has been abandoned and it is closed. If you need additional time, that is perfectly alright; you just need to let us know beforehand. :(
  • As I am in the final stages of training an Expert Coach will also oversee your fix. Your benefit will be two people helping you instead of just one, but responses may be somewhat delayed so please be patient!!!!
Please give me a little time to go through your logs. My instructions will be forthcoming.

~Blade


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#3 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  • Gender:Male
  • Location:US
  • Local time:05:54 AM

Posted 01 October 2009 - 01:49 PM

Hello again.

I just wanted to let you know that I have analyzed your logs and am currently awaiting approval from my coach to begin cleaning your computer. We'll be starting soon, so get ready!! :(

~Blade



#4 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  • Gender:Male
  • Location:US
  • Local time:05:54 AM

Posted 01 October 2009 - 04:26 PM

Hello sapolivaliva.

I would like to get a new dds.txt log from you. If you have deleted DDS, here is the download link again. After downloading the tool, disconnect from the internet and disable all antivirus protection. In addition, please make sure that you have no other applications running. Run the scan, enable your A/V and then reconnect to the internet. Please paste dds.txt into your next reply.

***************************************************

Please download gmer.zip and save to your desktop.
  • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • You may be prompted to scan immediately if GMER detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Exit GMER and re-enable all active protection when done.
~Blade


In your next reply, please include the following:
dds.txt
gmer.log



#5 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  • Gender:Male
  • Location:US
  • Local time:05:54 AM

Posted 05 October 2009 - 12:46 AM

Do you still require assistance?? Please let us know if you have resolved your problem.

~Blade



#6 Carolyn

Carolyn

    Bleepin' kitten


  • Members
  • 2,131 posts
  • OFFLINE
  • Local time:04:54 AM

Posted 06 October 2009 - 06:31 AM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Member of ASAP (Alliance of Security Analysis Professionals)



