Trojan horse Rootkit-Pakes.U problem


9 replies to this topic

#1 xfactor923

  • Members
  • 5 posts

Posted 23 October 2009 - 09:20 PM

Hello. Thanks in advance for any assistance you may provide.

I'm using a Lenovo 3000 C100 laptop running Windows XP Professional.

While running a scan with AVG (version 9.0.698) the program detected Trojan horse Rootkit-Pakes.U infecting my C:\WINDOWS\system32\drivers\atapi.sys file. AVG lists the problem as "white-list" and will not remove or repair because it is a critical system file.

I've run Malwarebytes both in normal and safe mode, with the safe mode scan performed last. The Malwarebytes full system scan in safe mode discovered zero problems.

Other than the AVG pop-up I get about once every three hours reminding me of the infected file I can't think of any additional details that would be helpful.

If you need further information or would like to perform any additional tasks please let me know.

Again, your assistance is greatly appreciated.


#2 boopme
  • Global Moderator
  • 73,493 posts
  • Gender:Male
  • Location:NJ USA

Posted 23 October 2009 - 11:08 PM

Hello and welcome.
If this is Vista you may need to right click on the desktop icon we create and select Run as Administrator.

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open RootRepeal on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes (Drivers, Files, Processes, SSDT, Stealth Objects, Hidden Services, Shadow SSDT).
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


#3 xfactor923
  • Topic Starter

  • Members
  • 5 posts

Posted 25 October 2009 - 12:47 PM

Below is the requested RootRepeal report.... sorry for the delayed response, I thought I had enabled thread response emails:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/25 13:36
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA9320000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8AC5000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xBA195000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\RRbackups
Status: Locked to the Windows API!

Path: \\?\C:\RRbackups\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\bt0.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\bt1.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\bt2.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\C
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings
Status: Invisible to the Windows API!

Path: C:\RRbackups\hints.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\osfilter.txt
Status: Invisible to the Windows API!

Path: C:\RRbackups\regcerts.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\rr.log
Status: Invisible to the Windows API!

Path: C:\RRbackups\SAM
Status: Invisible to the Windows API!

Path: C:\RRbackups\system
Status: Invisible to the Windows API!

Path: C:\RRbackups\system.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\tvt.txt
Status: Invisible to the Windows API!

Path: C:\RRbackups\usersids.dat
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\C\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\C\0
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\2
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Administrator
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\All Users
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Default User
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\LocalService
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\NetworkService
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\RENSYS06
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\C\0\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\C\0\Data27
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data46
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data65
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data0
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data1
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data10
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data11
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data12
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data13
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data14
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data15
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data16
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data17
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data18
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data19
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data2
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data20
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data21
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data22
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data23
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data24
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data25
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data26
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data28
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data29
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data3
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data30
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data31
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data32
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data33
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data34
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data35
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data36
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data37
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data38
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data39
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data4
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data40
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data41
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data42
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data43
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data44
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data45
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data47
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data48
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data49
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data5
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data50
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data51
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data52
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data53
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data54
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data55
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data56
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data57
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data58
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data59
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data6
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data60
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data61
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data62
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data63
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data64
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data66
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data67
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data68
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data69
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data7
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data70
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data71
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data72
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data73
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data74
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data75
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data76
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data77
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data78
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data79
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data8
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data80
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data81
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data82
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data83
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data84
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data85
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data86
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data87
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data88
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Data9
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\dats
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\EFSFile
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\HashFile
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\Info
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\TOCFile
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\C\1\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\C\1\Data27
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data46
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data65
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data0
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data1
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data10
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data11
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data12
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data13
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data14
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data15
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data16
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data17
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data18
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data19
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data2
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data20
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data21
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data22
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data23
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data24
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data25
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data26
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data28
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data29
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data3
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data30
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data31
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data32
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data33
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data34
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data35
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data36
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data37
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data38
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data39
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data4
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data40
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data41
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data42
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data43
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data44
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data45
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data47
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data48
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data49
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data5
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data50
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data51
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data52
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data53
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data54
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data55
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data56
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data57
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data58
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data59
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data6
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data60
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data61
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data62
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data63
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data64
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data66
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data67
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data68
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data69
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data7
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data70
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data71
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data72
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data73
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data74
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data75
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data76
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data77
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data78
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data79
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data8
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data80
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data81
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data82
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data83
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data84
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data85
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data86
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data87
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data88
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data89
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data9
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data90
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data91
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data92
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data93
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data94
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data95
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data96
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data97
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Data98
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\dats
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\EFSFile
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\HashFile
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\Info
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\TOCFile
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\C\2\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\C\2\Data0
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\2\Data1
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\2\Data2
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\2\Data3
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\2\Data4
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\2\Data5
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\2\dats
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\2\EFSFile
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\2\HashFile
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\2\Info
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\2\TOCFile
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Administrator\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Administrator\Application Data
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\All Users\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\All Users\Application Data
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Default User\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Default User\Application Data
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\LocalService\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\LocalService\Application Data
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\NetworkService\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\NetworkService\Application Data
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\RENSYS06\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\RENSYS06\Application Data
Status: Invisible to the Windows API!

Path: c:\documents and settings\rensys06\local settings\temp\etilqs_ehum6hmv3p41ogkbwhpn
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: c:\documents and settings\rensys06\local settings\temp\etilqs_u7bl5nx6796x6di1vgfr
Status: Allocation size mismatch (API: 8192, Raw: 0)

Path: \\?\C:\RRbackups\C\0\dats\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\C\0\dats\css.ini
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\dats\encobject.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\dats\swkeys.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\0\dats\symkeys.dat
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\C\1\dats\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\C\1\dats\css.ini
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\dats\encobject.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\dats\swkeys.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\1\dats\symkeys.dat
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\C\2\dats\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\C\2\dats\css.ini
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\2\dats\encobject.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\2\dats\swkeys.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\2\dats\symkeys.dat
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Administrator\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\All Users\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\All Users\Application Data\ThinkVantage
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Default User\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\LocalService\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\NetworkService\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\RENSYS06\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\RENSYS06\Application Data\Microsoft
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\RENSYS06\Application Data\ThinkVantage
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Crypto
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\All Users\Application Data\ThinkVantage\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\All Users\Application Data\ThinkVantage\Client Security
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\RENSYS06\Application Data\Microsoft\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\RENSYS06\Application Data\Microsoft\Crypto
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\RENSYS06\Application Data\Microsoft\Protect
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\RENSYS06\Application Data\Microsoft\SystemCertificates
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\RENSYS06\Application Data\ThinkVantage\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\RENSYS06\Application Data\ThinkVantage\Client Security
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\CREDHIST
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-1053602588-800476074-3146919613-500
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-2877637328-3157462673-177062991-500
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-446719557-4101429632-2586867459-500
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\All Users\Application Data\ThinkVantage\Client Security\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\All Users\Application Data\ThinkVantage\Client Security\css.ini
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\All Users\Application Data\ThinkVantage\Client Security\encobject.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\All Users\Application Data\ThinkVantage\Client Security\swkeys.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\All Users\Application Data\ThinkVantage\Client Security\symkeys.dat
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\CREDHIST
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-1053602588-800476074-3146919613-500
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-2877637328-3157462673-177062991-500
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-446719557-4101429632-2586867459-500
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\
==EOF==

#4 boopme

Posted 25 October 2009 - 06:19 PM

Hello, looks like we need to run Dr.Web now. This will be a long scan.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 xfactor923

Posted 26 October 2009 - 06:00 PM

Wow, you weren't kidding, that was a long scan.

atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.565;Cured.;
7DD.tmp;C:\DOCUME~1\RENSYS06\LOCALS~1\Temp;Trojan.Fakealert.5224;Deleted.;
SKYNETaqbyulny.dll.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;Trojan.Packed.2479;Incurable.Moved.;
A0033213.sys;C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP396;BackDoor.Tdss.565;Cured.;
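
A small parser for the semicolon-separated DrWeb.csv lines posted above, added here as an example and not part of the thread or of Dr.Web's own tooling. It assumes the report format file;directory;threat;action; inferred from those four lines, and it sorts each detection by where it sat: the live driver, ComboFix's Qoobox quarantine, or a copy inside a System Volume Information restore point, which is the case the later advice about creating a fresh restore point addresses.

```python
from collections import Counter

# Constructed sample, copied from the report lines posted above; Dr.Web CureIt
# writes one detection per line in the form  file;directory;threat;action;
SAMPLE_REPORT = r"""
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.565;Cured.;
7DD.tmp;C:\DOCUME~1\RENSYS06\LOCALS~1\Temp;Trojan.Fakealert.5224;Deleted.;
SKYNETaqbyulny.dll.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;Trojan.Packed.2479;Incurable.Moved.;
A0033213.sys;C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP396;BackDoor.Tdss.565;Cured.;
"""

def parse_report(text):
    """Return one dict per detection line; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.rstrip(";").split(";")
        if len(fields) < 4:
            raise ValueError("unexpected report line: %r" % line)
        name, directory, threat, action = fields[:4]
        records.append({"file": name, "dir": directory,
                        "path": directory + "\\" + name, "threat": threat,
                        "action": action.rstrip(".")})  # "Cured." -> "Cured"
    return records

def classify_location(directory):
    """Where the detection sat: a live threat, or a stored copy of one."""
    d = directory.lower()
    if "\\system volume information\\_restore" in d:
        return "restore_point"        # old restore point copy: why the thread purges old points
    if "\\qoobox\\quarantine" in d:
        return "combofix_quarantine"  # already contained by ComboFix; gone after 'combofix /u'
    if "\\system32\\drivers" in d:
        return "system_driver"        # the live infection (atapi.sys in this thread)
    if d.endswith("\\temp") or "\\temp\\" in d:
        return "temp"
    return "other"

def summarize(records):
    """Count actions and list detections that sat on the running system, not in stored copies."""
    stored = ("restore_point", "combofix_quarantine")
    live = [r["path"] for r in records if classify_location(r["dir"]) not in stored]
    return {"by_action": dict(Counter(r["action"] for r in records)), "live_paths": live}

if __name__ == "__main__":
    for p in summarize(parse_report(SAMPLE_REPORT))["live_paths"]:
        print("live detection:", p)
```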

#6 boopme

Posted 26 October 2009 - 09:36 PM

I know, but it got two really bad guys. How is it running now? ComboFix appeared to get a rootkit.

Uninstall ComboFix

Remove Combofix now that we're done with it.
Click on your Start Menu, then Run....
Now type combofix /u in the runbox and click OK. Notice the space between the "x" and "/".


When shown the disclaimer, Select "2"
This will remove files/folders associated with ComboFix and uninstall it.

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select FULL scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

Edited by boopme, 26 October 2009 - 09:36 PM.


#7 xfactor923

Posted 26 October 2009 - 11:02 PM

I uninstalled ComboFix, but this part, "When shown the disclaimer, Select "2"", never happened. It looked like it still uninstalled properly.

I ran the Malwarebytes scan in normal mode after updating the program and it came up clean:

Malwarebytes' Anti-Malware 1.41
Database version: 3037
Windows 5.1.2600 Service Pack 2

10/26/2009 11:59:42 PM
mbam-log-2009-10-26 (23-59-41).txt

Scan type: Full Scan (C:\|)
Objects scanned: 164561
Time elapsed: 37 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 boopme

Posted 27 October 2009 - 09:54 AM

Good, I take it all's running well now.

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

#9 xfactor923

Posted 27 October 2009 - 05:57 PM

Wow. That was a pretty painless process. Many thanks for your assistance.

#10 boopme

Posted 27 October 2009 - 07:33 PM

Sometimes it is and glad it was for you.

You're most welcome, as new malware is getting stronger and harder to remove, please take a moment to read quietman7's excellent prevention tips in post 17 here
Click>>Tips to protect yourself against malware and reduce the potential for re-infection:



