
Trojan keeps reappearing


4 replies to this topic

#1 rpolly

Posted 26 October 2009 - 09:37 PM

I have read about this on other forums but it seems that each person needs an individual solution. Somehow today I acquired a trojan. McAfee didn't find it at all. Windows Defender called it win32:renos.jm but when I go to remove it, it simply comes back upon restart. I tried to download a few other programs and try them but they stop working and then do not allow me to open them back up. StopZilla found 8 threats. One was Antispyware 2009 which Stopzilla removed. The other 7 are Win32Kstream which StopZilla removes but when I restart they come right back.

How can I get these off my system?

Thanks
Ryan

Edit: Moved topic from Vista to the more appropriate forum. ~ Animal


#2 rigel


Posted 26 October 2009 - 10:21 PM

Sounds like you may have a rootkit. Let's rule that out first.

Install RootRepeal

Click here - Official Rootrepeal Site, and download RootRepeal.zip. I recommend downloading to your desktop.
Fatdcuk at Malwarebytes posted a comprehensive tutorial; the self-help guide can be found here if needed: Malwarebytes Removal and Self Help Guides.
Click RootRepeal.exe to open the scanner.
Click the Report tab, now click on Scan. A Window will open asking what to include in the scan.
Check the following items:
Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

Click OK
Scan your C drive (or your current system drive) and click OK. The scan will begin. This may take a moment, so please be patient. When the scan completes, click Save Report.
Name the log RootRepeal.txt and save it to your Documents folder - (Default folder).
Paste the log into your next reply.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#3 Rhett Trappman


Posted 27 October 2009 - 10:46 AM

Try using MalwareBytes, download it here, install it and update it.

Then run a "Full System" Scan and remove all the threats it finds.
Good Luck...
Rhett Trappman
MyAntispyware.com Forum Security Team and Moderator

#4 rpolly


Posted 28 October 2009 - 06:51 AM

RE: Rootrepeal

Here are the logs. I cannot seem to get the complete file log. It freezes on the program files. I did manage to capture the system files which I included below. Every time I run it to include "Files" it crashes. Here is what I have:

I tried downloading the malwarebytes as suggested and it doesn't work. It just stops scanning and then on a second attempt to open it just says that I do not have permission to open.

Any help would be greatly appreciated.

Ryan

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/28 07:45
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP2
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\Windows\System32\Drivers\dump_iaStor.sys
Address: 0x8FC0B000 Size: 851968 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0xABFAF000 Size: 49152 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\Windows\win32k.sys:1
Address: 0x8FD6F000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\Windows\win32k.sys:2
Address: 0x8FD74000 Size: 61440 File Visible: No Signed: -
Status: -

Processes
-------------------
Path: System
PID: 4 Status: Locked to the Windows API!

Path: C:\Windows\System32\audiodg.exe
PID: 1300 Status: Locked to the Windows API!

==EOF==


Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!


#5 rigel


Posted 28 October 2009 - 07:51 AM

Name: win32k.sys:1
Image Path: C:\Windows\win32k.sys:1
Address: 0x8FD6F000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\Windows\win32k.sys:2
Address: 0x8FD74000 Size: 61440 File Visible: No Signed: -
Status: -


You have one of the newer rootkits. The only way to guarantee cleaning your computer is by running advanced tools that can only be used in the HJT forum. Please follow this guide from step (6). Post a HJT log to the HJT forum and a Team member will be along to help you as soon as possible. You may wish to post a link back to this topic to see what was discussed thus far.

If you need any help with the guide, please let me know.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith
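As an added illustration (not part of the thread and not RootRepeal's own code), here is a small Python parser for the Drivers section of a RootRepeal report that flags exactly what rigel points to above: a driver whose image path is an NTFS alternate data stream of win32k.sys. The sample report is constructed from the entries quoted in the thread; the field names, the ADS pattern and the "File Visible" caveat are my assumptions about the report layout.

```python
import re

# Constructed sample in RootRepeal's layout: one ordinary driver, one win32k.sys stream.
SAMPLE_LOG = """\
Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\\Windows\\System32\\Drivers\\dump_iaStor.sys
Address: 0x8FC0B000 Size: 851968 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\\Windows\\win32k.sys:1
Address: 0x8FD6F000 Size: 20480 File Visible: No Signed: -
Status: -
"""

# ADS: a second colon after the drive letter, inside the last path component ("file:stream").
ADS_RE = re.compile(r"^[A-Za-z]:\\[^:]*:[^\\]+$")
# RootRepeal packs Address, Size, File Visible and Signed onto one line.
PACKED_RE = re.compile(r"([A-Za-z][A-Za-z ]*?): (\S+)")

def is_ads_path(path):
    return bool(ADS_RE.match(path))

def parse_drivers(report):
    """One dict per 'Name:' entry in the Drivers section; 'Path:' sections are skipped."""
    _, _, section = report.partition("Drivers\n")
    drivers = []
    for block in section.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            pairs = (PACKED_RE.findall(line) if line.startswith("Address:")
                     else [tuple(line.split(": ", 1))] if ": " in line else [])
            entry.update((k.lower().replace(" ", "_"), v) for k, v in pairs)
        if "name" in entry:
            drivers.append(entry)
    return drivers

def flag_drivers(drivers):
    """Driver name -> reasons. 'File Visible: No' alone is weak evidence (the
    ordinary dump_iaStor.sys shows it too), so it is only reported beside an ADS path."""
    findings = {}
    for d in (d for d in drivers if is_ads_path(d.get("image_path", ""))):
        reasons = ["loaded from an alternate data stream of "
                   + d["image_path"].rsplit(":", 1)[0]]
        if d.get("file_visible", "").lower() == "no":
            reasons.append("image not visible through the file system API")
        findings[d["name"]] = reasons
    return findings
```

Running `flag_drivers(parse_drivers(SAMPLE_LOG))` reports only `win32k.sys:1`; the same rule applied to the full log in post #4 would also pick up `win32k.sys:2`.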
