Root Repeal log help


  • This topic is locked
2 replies to this topic

#1 bomber1712


Posted 29 October 2009 - 09:41 PM

While working on a different issue on a different computer, I was advised to run ATF Cleaner, Dr. Web, and Root Repeal. Since I was doing those things on one computer, I decided to run them all on one of my other computers. I had used this computer as a home server. I had it "up" and online, serving an HTTP site and an FTP site. All of the files that I was sharing via FTP were on the H: drive. The HTTP server and website were stored on C:. I experienced some performance issues with this setup, figured I got an infection, and used Macrium Reflect to restore the drive to an earlier (clean) image (see this post: http://www.bleepingcomputer.com/forums/topic263368.html).

I have since taken the server offline, and closed all ports on my router. I thought everything was OK, but decided to run these diagnostics, anyway. I have run Dr. Web (safe mode), MBAM (safe and regular mode), SAS (safe mode), ATF Cleaner, and Root Repeal. Dr. Web, MBAM and SAS show no infections. But when I run Root Repeal, I get an error message:

"Root Repeal could not read boot sector. Try adjusting disk access level"

After the error message, it does give me a log file, and that's where I am really concerned. I don't know what all of this means (pretty sure it's not good!), but I know someone out there can let me know if I have a real issue.

Root Repeal Log:

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/10/29 07:03
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF3D69000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7D75000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF2F31000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\Prefetch\HPRBLOG.EXE-35C0D80C.pf
Status: Could not get file information (Error 0xc0000008)

Path: C:\WINDOWS\system32\drivers\sfi.dat
Status: Locked to the Windows API!

Path: Volume H:\
Status: MBR Rootkit Detected!

Path: Volume H:\, Sector 1
Status: Sector mismatch

Path: Volume H:\, Sector 2
Status: Sector mismatch

Path: Volume H:\, Sector 3
Status: Sector mismatch

Path: Volume H:\, Sector 4
Status: Sector mismatch

Path: Volume H:\, Sector 5
Status: Sector mismatch

Path: Volume H:\, Sector 6
Status: Sector mismatch

Path: Volume H:\, Sector 7
Status: Sector mismatch

Path: Volume H:\, Sector 8
Status: Sector mismatch

Path: Volume H:\, Sector 9
Status: Sector mismatch

Path: Volume H:\, Sector 10
Status: Sector mismatch

Path: Volume H:\, Sector 11
Status: Sector mismatch

Path: Volume H:\, Sector 12
Status: Sector mismatch

Path: Volume H:\, Sector 13
Status: Sector mismatch

Path: Volume H:\, Sector 14
Status: Sector mismatch

Path: Volume H:\, Sector 15
Status: Sector mismatch

Path: Volume H:\, Sector 16
Status: Sector mismatch

Path: Volume H:\, Sector 17
Status: Sector mismatch

Path: Volume H:\, Sector 18
Status: Sector mismatch

Path: Volume H:\, Sector 19
Status: Sector mismatch

Path: Volume H:\, Sector 20
Status: Sector mismatch

Path: Volume H:\, Sector 21
Status: Sector mismatch

Path: Volume H:\, Sector 22
Status: Sector mismatch

Path: Volume H:\, Sector 23
Status: Sector mismatch

Path: Volume H:\, Sector 24
Status: Sector mismatch

Path: Volume H:\, Sector 25
Status: Sector mismatch

Path: Volume H:\, Sector 26
Status: Sector mismatch

Path: Volume H:\, Sector 27
Status: Sector mismatch

Path: Volume H:\, Sector 28
Status: Sector mismatch

Path: Volume H:\, Sector 29
Status: Sector mismatch

Path: Volume H:\, Sector 30
Status: Sector mismatch

Path: Volume H:\, Sector 31
Status: Sector mismatch

Path: Volume H:\, Sector 32
Status: Sector mismatch

Path: Volume H:\, Sector 33
Status: Sector mismatch

Path: Volume H:\, Sector 34
Status: Sector mismatch

Path: Volume H:\, Sector 35
Status: Sector mismatch

Path: Volume H:\, Sector 36
Status: Sector mismatch

Path: Volume H:\, Sector 37
Status: Sector mismatch

Path: Volume H:\, Sector 38
Status: Sector mismatch

Path: Volume H:\, Sector 39
Status: Sector mismatch

Path: Volume H:\, Sector 40
Status: Sector mismatch

Path: Volume H:\, Sector 41
Status: Sector mismatch

Path: Volume H:\, Sector 42
Status: Sector mismatch

Path: Volume H:\, Sector 43
Status: Sector mismatch

Path: Volume H:\, Sector 44
Status: Sector mismatch

Path: Volume H:\, Sector 45
Status: Sector mismatch

Path: Volume H:\, Sector 46
Status: Sector mismatch

Path: Volume H:\, Sector 47
Status: Sector mismatch

Path: Volume H:\, Sector 48
Status: Sector mismatch

Path: Volume H:\, Sector 49
Status: Sector mismatch

Path: Volume H:\, Sector 50
Status: Sector mismatch

Path: Volume H:\, Sector 51
Status: Sector mismatch

Path: Volume H:\, Sector 52
Status: Sector mismatch

Path: Volume H:\, Sector 53
Status: Sector mismatch

Path: Volume H:\, Sector 54
Status: Sector mismatch

Path: Volume H:\, Sector 55
Status: Sector mismatch

Path: Volume H:\, Sector 56
Status: Sector mismatch

Path: Volume H:\, Sector 57
Status: Sector mismatch

Path: Volume H:\, Sector 58
Status: Sector mismatch

Path: Volume H:\, Sector 59
Status: Sector mismatch

Path: Volume H:\, Sector 60
Status: Sector mismatch

Path: Volume H:\, Sector 61
Status: Sector mismatch

Path: Volume H:\, Sector 62
Status: Sector mismatch

SSDT
-------------------
#: 011 Function Name: NtAdjustPrivilegesToken
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4031d46

#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4031250

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf40318ea

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf40322c2

#: 046 Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4031132

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4033254

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf403352c

#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4030cf8

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4031f2c

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf40320dc

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4030a5a

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4032ed6

#: 105 Function Name: NtMakeTemporaryObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf40314d4

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4031b2e

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf403078a

#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4031764

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4030902

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4032688

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf40329f0

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4032c72

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4033084

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4032488

#: 249 Function Name: NtShutdownSystem
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf403146e

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4031658

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4030ffc

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4030eca

Shadow SSDT
-------------------
#: 013 Function Name: NtGdiBitBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4035308

#: 122 Function Name: NtGdiDeleteObjectApp
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4035a2c

#: 227 Function Name: NtGdiMaskBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf403543c

#: 233 Function Name: NtGdiOpenDCW
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf40358ec

#: 237 Function Name: NtGdiPlgBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf403557c

#: 292 Function Name: NtGdiStretchBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf40356b0

#: 310 Function Name: NtUserBlockInput
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4035188

#: 319 Function Name: NtUserCallHwndParamLock
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf40343da

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4034e58

#: 389 Function Name: NtUserGetClipboardData
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf40357ea

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4034bc6

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4034d08

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf40348aa

#: 465 Function Name: NtUserMoveWindow
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4034112

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf403455c

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4034708

#: 491 Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4034fa8

#: 502 Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4034a6c

#: 509 Function Name: NtUserSetClipboardViewer
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf403509e

#: 529 Function Name: NtUserSetParent
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4034282

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4035a92

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4035cc6

==EOF==

Edited by bomber1712, 29 October 2009 - 09:45 PM.
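As an added example (not code from this thread or from RootRepeal), a small Python triage script that parses this log format and pulls out the findings a helper looks at first: the MBR rootkit flag and the sector-mismatch count on H:, plus the SSDT/Shadow SSDT hooks grouped by the driver file that installed them (here every hook comes from cmdguard.sys, Comodo's Defense+ driver, which a helper would weigh against whether that product is actually installed). The embedded sample is a constructed, abridged excerpt of the log above.

```python
import re
# Constructed sample: an abridged excerpt of the RootRepeal log posted above.
SAMPLE_LOG = r"""Hidden/Locked Files
-------------------
Path: Volume H:\
Status: MBR Rootkit Detected!

Path: Volume H:\, Sector 1
Status: Sector mismatch

Shadow SSDT
-------------------
#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4035a92
"""

HOOK_RE = re.compile(r'Hooked by "(?P<drv>[^"]+)" at address (?P<addr>0x[0-9a-fA-F]+)')

def parse_sections(text):
    """Return {section: [entry, ...]}: a section name precedes a dashed rule; entries are 'Key: Value' lines split by blanks."""
    sections, current, entry = {}, None, {}
    lines = text.splitlines() + [""]  # sentinel blank line flushes the last entry
    for i, line in enumerate(lines):
        header = i + 1 < len(lines) and lines[i + 1].startswith("---")
        if entry and (header or not line.strip()):  # a blank line or a new header ends the entry
            sections[current].append(entry)
            entry = {}
        if header:
            current = line.strip()
            sections[current] = []
        elif current and line.strip() and not line.startswith(("---", "==")):
            key, _, value = line.partition(": ")  # "#: 549 Function Name: X" keeps its tail in value
            entry[key] = value
    return sections

def triage(text):
    """MBR flag, sector-mismatch count, and SSDT/Shadow SSDT hooks grouped by driver file name."""
    sections = parse_sections(text)
    files = sections.get("Hidden/Locked Files", [])
    hooks = {}
    for table in ("SSDT", "Shadow SSDT"):
        for e in sections.get(table, []):
            m = HOOK_RE.search(e.get("Status", ""))
            if m:  # key by driver basename so hooks from both tables land in one bucket
                func = e["#"].split("Function Name: ")[-1]
                drv = m["drv"].rsplit("\\", 1)[-1].lower()
                hooks.setdefault(drv, []).append((table, func, m["addr"]))
    return {"mbr_rootkit": [e["Path"] for e in files if e.get("Status", "").startswith("MBR Rootkit")],
            "sector_mismatches": sum(e.get("Status") == "Sector mismatch" for e in files), "hooks": hooks}
```

Fed the full log as posted, the mismatch count comes out at 62, one for each of sectors 1 through 62 listed under H:.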


#2 garmanma


Posted 31 October 2009 - 08:36 PM

Status: MBR Rootkit Detected!
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4035a92


You know the drill.
Make sure you let them know this is not the same computer.

Now that you were successful in creating a Root Repeal log, you need to post it in our HJT forum. There they will help you with the removal through some custom scripts and programs that we cannot run here in this forum.

First, try to run a DDS / HJT log as outlined in our preparation guide:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

If it won't run, don't worry, just give a brief description and tell them that this log was all you could get to run successfully.

Post them here:
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

The HJT team is extremely busy, so be patient, and good luck.

Edited by garmanma, 31 October 2009 - 08:37 PM.

Mark

#3 Orange Blossom


Posted 31 October 2009 - 10:15 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/268405/mbr-rootkit-detected-hooked-by-cwindowssystem32driverscmdguardsys-at-address-0xf4035a92/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by an HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, up to two weeks, perhaps less, to get a response, but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses, as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:



