
Possible Rootkit?



#1 jdietz

Posted 20 October 2009 - 06:51 PM

To start with, my computer is taking longer and longer to start up. I have run Malwarebytes, SUPERAntiSpyware, and Spybot with no problems showing. I then completely scanned my computer with CA Anti-Virus and Anti-Spyware. I run the CA firewall and real-time scan is on.

I was reading your site and read about RootRepeal. Following the instructions, I installed and ran RootRepeal and created a log file. It shows 7 hooked items (hooked with KmxSbx.sys), 1 file mismatch, and a couple I don't understand.

Am I in the right area, and do you want me to upload the log?



#2 garmanma

Posted 21 October 2009 - 08:48 PM

Let's see the log, just to be sure.
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 jdietz

Posted 22 October 2009 - 08:05 PM

Thank you! I am attaching the log.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/20 19:17
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF38B9000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7D9B000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF25CD000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\cavtemp\tempmon_3688_0
Status: Allocation size mismatch (API: 21626880, Raw: 0)

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\KmxSbx.sys" at address 0xf370fb35

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\KmxSbx.sys" at address 0xf3710856

#: 105 Function Name: NtMakeTemporaryObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\KmxSbx.sys" at address 0xf3710ba7

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\KmxSbx.sys" at address 0xf370fa99

#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\KmxSbx.sys" at address 0xf371057b

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\kmxagent.sys" at address 0xf3d251dc

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\KmxSbx.sys" at address 0xf3710983

==EOF==
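
As an added triage helper (not from this thread, and not RootRepeal's own code), the Python below parses the report layout posted above: it groups SSDT hooks by the driver file that installed them and keeps only the Hidden/Locked entries where the Windows API and the raw disk disagree, so a reader can see at a glance which driver is responsible for the hooks before checking which installed product owns that driver. The embedded log is a constructed excerpt of the entries above, not the full log.

```python
import re
from collections import defaultdict

# Constructed excerpt in the layout of the RootRepeal 1.3.5.0 log posted above (not the full log).
SAMPLE_LOG = """\
ROOTREPEAL (c) AD, 2007-2009
Program Version: Version 1.3.5.0

Hidden/Locked Files
-------------------
Path: C:\\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\\windows\\cavtemp\\tempmon_3688_0
Status: Allocation size mismatch (API: 21626880, Raw: 0)

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\\WINDOWS\\System32\\DRIVERS\\KmxSbx.sys" at address 0xf370fb35

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "C:\\WINDOWS\\System32\\DRIVERS\\kmxagent.sys" at address 0xf3d251dc

==EOF==
"""

# One SSDT record spans two lines: the index/function line and the Status line below it.
HOOK_RE = re.compile(r'^#: (\d+) Function Name: (\S+)\nStatus: Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)',
                     re.MULTILINE)
FILE_RE = re.compile(r"^Path: (.+)\nStatus: (.+)$", re.MULTILINE)

def parse_ssdt_hooks(log):
    """One tuple per hooked SSDT entry: (index, syscall, hooking driver path, hook address)."""
    return [(int(i), fn, drv, addr) for i, fn, drv, addr in HOOK_RE.findall(log)]

def hooks_by_driver(log):
    """Group hooked syscalls by driver file name, case-folded because RootRepeal prints the
    path as the driver registered it (KmxSbx.sys vs kmxagent.sys above)."""
    groups = defaultdict(list)
    for _, fn, drv, _ in parse_ssdt_hooks(log):
        groups[drv.replace("\\", "/").rsplit("/", 1)[-1].lower()].append(fn)
    return {drv: sorted(fns) for drv, fns in groups.items()}

def file_anomalies(log):
    """Hidden/Locked entries where the Windows API and the raw disk disagree (allocation size
    mismatch). A plain 'Locked' status is expected for hiberfil.sys and is not reported."""
    return [(p, s) for p, s in FILE_RE.findall(log) if "mismatch" in s.lower()]
```

The grouping only tells you which driver file owns the hooks; confirming that the file belongs to an installed security product (publisher signature, install path, product version) is the step that decides whether the entries are expected.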

#4 garmanma

Posted 23 October 2009 - 06:17 PM

Using the RR log you posted

Now that you were successful in creating an RR log, you need to post it in our HJT forum. There they will help you with the removal through some custom scripts and programs that we cannot run here in this forum.

First, try to run a DDS / HJT log as outlined in our preparation guide:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

If it won't run, don't worry; just give a brief description and tell them that this log was all you could get to run successfully.

Post them here:
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

The HJT team is extremely busy, so be patient, and good luck.
Mark