
Infected by unknown rootkit



#1 grayfox_


Posted 09 December 2009 - 02:14 AM

Hi BP.com :D

I found your site by google where a very helpful member explained in about 4 pages of detailed instructions to a person who was able, by specifically following the given instructions, to remove some nasty rootkits from their system.

I wonder if someone would help me? It would be greatly appreciated.

Running XP sp3, and am infected with some unknown rootkit. It will 'mangle' with specific programs that are on inserted thumb drives, for example, RootRepeal.exe will look something like a little box: [] and I will not be able to run it or copy it from the thumbdrive.

Even renaming RootRepeal.exe to something random like asdf7.exe did not help, but this method of renaming was able to get some other Rootkit software working when it was also disabled. I hope I don't sound too confusing.

I've tried Combofix several times (and in safe mode), avast boot scan (latest beta which AFAIK detects rootkits), and other software like UnHackMe, F-Secure Blacklight, etc, etc....

Also disabled system restore.

As previously stated, I could not get RootRepeal to run in normal mode so am unable to produce that log. dds worked and the log is below:

EDIT: Managed to get RootRepeal to work through renaming :( Log is attached as "Ark.txt"

Please note that I renamed RootRepeal.exe to "__341516.exe" so this may account for the hidden driver with the same name. I'm not sure.


EDIT: Additional Info:

I have experienced multiple blue screens, with codes:

0x00000050 "win32k.sys"
and
0x0000008E

I read somewhere they might be caused by "Haxdoor" rootkit?

---
dds.txt
---

DDS (Ver_09-12-01.01) - NTFSx86
Run by My Computer at 14:57:32.15 on Wed 09/12/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.3070.2691 [GMT 8:00]

AV: avast! Internet Security *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: avast! Internet Security *enabled* {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\afwServ.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\agrsmsvc.exe
svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Documents and Settings\My Computer\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/webhp?rls=ig
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Click-to-Call BHO: {5c255c8a-e604-49b4-9d64-90988571cecb} - c:\program files\windows live\messenger\wlchtc.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1259743202765
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: psfus - c:\windows\system32\psqlpwd.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Notification Packages = scecli psqlpwd

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mycomp~1\applic~1\mozilla\firefox\profiles\z1j32ntu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/webhp?rls=ig
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox 3.1 beta 1\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox 3.1 beta 1\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\drivers\aswNdis.sys [2009-12-5 186064]
R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [2009-1-7 20744]
R1 aswFW;avast! TDI Firewall driver;c:\windows\system32\drivers\aswFW.sys [2009-12-5 100432]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2009-12-5 269904]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-12-5 149840]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-12-5 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2009-12-5 40384]
R2 avast! Firewall;avast! Firewall;c:\program files\alwil software\avast5\afwServ.exe [2009-12-5 119200]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-12-2 54752]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2009-12-5 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2009-12-5 40384]
S3 ADM851X;ADM851X USB To Fast Ethernet Adapter;c:\windows\system32\drivers\ADM851X.sys [2006-7-19 21376]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-12-2 1684736]
S3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\drivers\btnetBus.sys [2008-12-7 30088]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [2008-7-2 26248]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2009-12-9 34760]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [2009-12-9 24416]
S3 SDTHelper;Helper driver for SDT-Tool;f:\radix_installer\SDTHLPR.sys [2009-9-14 13545]

=============== Created Last 30 ================

2009-12-09 05:56:53 0 d-----w- c:\docume~1\alluse~1\applic~1\fssg
2009-12-09 05:56:49 0 d-----w- c:\docume~1\alluse~1\applic~1\F-Secure
2009-12-09 05:55:29 0 d-----w- c:\program files\F-Secure
2009-12-09 05:35:37 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-12-09 03:34:00 24416 ----a-w- c:\windows\system32\drivers\regguard.sys
2009-12-09 03:10:43 2 --shatr- c:\windows\winstart.bat
2009-12-09 03:10:19 35040 ----a-w- c:\windows\system32\Partizan.exe
2009-12-09 03:10:19 34760 ----a-w- c:\windows\system32\drivers\Partizan.sys
2009-12-09 03:10:05 12752 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2009-12-09 03:10:00 0 d-----w- c:\program files\UnHackMe
2009-12-09 02:37:40 0 d-sha-r- C:\cmdcons
2009-12-09 01:31:23 98816 ----a-w- c:\windows\sed.exe
2009-12-09 01:31:23 77312 ----a-w- c:\windows\MBR.exe
2009-12-09 01:31:23 260096 ----a-w- c:\windows\PEV.exe
2009-12-09 01:31:23 161792 ----a-w- c:\windows\SWREG.exe
2009-12-08 06:16:09 0 d-----w- c:\docume~1\alluse~1\applic~1\BurstCopy Labs
2009-12-05 05:38:04 269904 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2009-12-05 05:38:03 100432 ----a-w- c:\windows\system32\drivers\aswFW.sys
2009-12-05 05:37:13 186064 ----a-w- c:\windows\system32\drivers\aswNdis.sys
2009-12-05 05:37:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2009-12-05 04:56:28 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-05 04:56:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-12-05 04:56:23 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2009-12-05 04:47:50 0 d-----w- c:\docume~1\mycomp~1\applic~1\Malwarebytes
2009-12-05 04:47:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-02 08:05:51 54752 ----a-w- c:\windows\system32\drivers\fssfltr_tdi.sys
2009-12-02 08:01:27 0 d-----w- c:\program files\Windows Live SkyDrive
2009-12-02 07:51:04 0 d-----w- c:\temp\1.00.18ST
2009-12-02 07:50:58 0 d-----w- c:\temp\tconsole
2009-12-02 07:50:29 98304 ----a-w- c:\windows\system32\TCtrlCommon.dll
2009-12-02 07:50:29 73728 ----a-w- c:\windows\system32\TDispVol.exe
2009-12-02 07:50:29 45056 ----a-w- c:\windows\system32\TDispVol.dll
2009-12-02 07:50:13 0 d-----w- c:\temp\thotkeyutility
2009-12-02 07:49:57 0 d-----w- c:\temp\tcontrols
2009-12-02 07:43:10 77824 ----a-w- c:\windows\system32\tosmreg.exe
2009-12-02 07:43:10 7671 ----a-w- c:\windows\system32\cseltbl.ini
2009-12-02 07:43:10 491520 ----a-w- c:\windows\system32\cselect.exe
2009-12-02 07:43:10 45056 ----a-w- c:\windows\system32\csellang.dll
2009-12-02 07:43:10 128113 ----a-w- c:\windows\system32\csellang.ini
2009-12-02 07:43:10 10152 ----a-w- c:\windows\system32\tosmreg.ini
2009-12-02 07:43:10 0 d-----w- c:\program files\ltmoh
2009-12-02 07:42:55 9216 ----a-w- c:\windows\system32\agrsmsvc.exe
2009-12-02 07:42:55 13312 ----a-w- c:\windows\system32\agrscoin.dll
2009-12-02 07:38:35 0 d-sh--w- c:\documents and settings\my computer\IECompatCache
2009-12-02 07:37:52 0 d-sh--w- c:\documents and settings\my computer\IETldCache
2009-12-02 07:35:31 32 ----a-w- c:\windows\0
2009-12-02 07:35:31 0 ----a-w- c:\windows\system32\0
2009-12-02 07:35:28 90624 ----a-w- c:\windows\system32\nmwcdcls.dll
2009-12-02 07:35:28 0 d-----w- c:\program files\Nokia
2009-12-02 07:35:24 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2009-12-02 07:35:19 0 d-----w- c:\program files\PC Connectivity Solution
2009-12-02 07:34:38 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-12-02 07:34:08 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-12-02 07:34:07 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-12-02 07:34:07 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-12-02 07:34:07 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-12-02 07:34:07 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-12-02 07:34:07 11069952 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-12-02 07:26:41 53248 ----a-w- c:\windows\_detmp.4
2009-12-02 07:26:41 42152 ----a-w- c:\windows\_detmp.3
2009-12-02 07:21:21 135168 ------w- c:\windows\system32\RtlCPAPI.dll
2009-12-02 07:20:56 69632 ------w- c:\windows\Alcmtr.exe
2009-12-02 07:19:49 0 d-----w- c:\temp\chipset
2009-12-02 07:18:57 0 d-----w- c:\temp\sound
2009-12-02 07:04:01 53248 ----a-w- c:\windows\_detmp.2
2009-12-02 07:04:01 42269 ----a-w- c:\windows\_detmp.1
2009-12-02 06:56:11 0 d-----w- c:\temp\SA200_Synaptics_TouchPad_7920_XP
2009-12-02 06:55:11 0 d-----w- c:\temp\modem
2009-12-02 06:54:46 0 d-----w- C:\temp
2009-12-02 06:00:19 266240 ------w- c:\windows\system32\RTSndMgr.Cpl
2009-12-02 05:16:11 101120 -c--a-w- c:\windows\system32\dllcache\bthpan.sys
2009-12-02 05:16:11 101120 ----a-w- c:\windows\system32\drivers\bthpan.sys
2009-12-02 05:15:59 59136 -c--a-w- c:\windows\system32\dllcache\rfcomm.sys
2009-12-02 05:15:59 59136 ----a-w- c:\windows\system32\drivers\rfcomm.sys
2009-12-02 05:15:59 17024 -c--a-w- c:\windows\system32\dllcache\bthenum.sys
2009-12-02 05:15:59 17024 ----a-w- c:\windows\system32\drivers\BthEnum.sys
2009-12-02 05:15:58 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2009-12-02 05:15:58 8192 ----a-w- c:\windows\system32\wshirda.dll
2009-12-02 05:15:58 28160 -c--a-w- c:\windows\system32\dllcache\irmon.dll
2009-12-02 05:15:58 28160 ----a-w- c:\windows\system32\irmon.dll
2009-12-02 05:15:58 151552 -c--a-w- c:\windows\system32\dllcache\irftp.exe
2009-12-02 05:15:58 151552 ----a-w- c:\windows\system32\irftp.exe
2009-12-02 05:15:47 18944 -c--a-w- c:\windows\system32\dllcache\bthusb.sys
2009-12-02 05:15:47 18944 ----a-w- c:\windows\system32\drivers\BTHUSB.SYS
2009-12-02 05:11:18 0 d-----w- C:\Intel
2009-12-02 04:37:56 0 d-----w- c:\windows\system32\XPSViewer
2009-12-02 04:37:32 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-12-02 04:37:32 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-12-02 04:37:32 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-12-02 04:37:32 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-12-02 04:37:32 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-12-02 04:37:32 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-12-02 04:37:32 117760 ------w- c:\windows\system32\prntvpt.dll
2009-12-02 04:37:32 0 d-----w- C:\f84e42f66e39f8e9d5
2009-12-02 04:13:09 43392 ----a-w- c:\windows\system32\drivers\Tvs.sys
2009-12-02 04:13:09 36736 ----a-w- c:\windows\system32\drivers\CSIIDecoder_kern_i386.sys
2009-12-02 04:13:09 29184 ----a-w- c:\windows\system32\drivers\TSXT_kern_i386.sys
2009-12-02 04:13:09 26880 ----a-w- c:\windows\system32\drivers\WOWHD_kern_i386.sys
2009-12-02 04:13:03 0 d-----w- C:\Virtual Sound.temp
2009-12-02 04:11:47 176 ------w- c:\windows\system32\drivers\RTHDAEQ1.dat
2009-12-02 04:11:47 176 ------w- c:\windows\system32\drivers\RTHDAEQ0.dat
2009-12-02 04:09:17 0 d-----w- c:\program files\RSA
2009-12-02 04:09:13 0 d-----w- c:\program files\Protector Suite QL
2009-12-02 04:04:31 49152 ----a-w- c:\windows\system32\TosBthSupport.dll
2009-12-02 04:04:31 0 d-----w- c:\program files\TOSHIBA
2009-12-02 04:04:30 8573 ----a-w- c:\windows\system32\drivers\TOSRFEC.SYS
2009-12-02 04:03:54 0 d-----w- C:\bt
2009-12-02 02:23:59 358944 ----a-w- c:\windows\vncutil.exe
2009-12-02 02:23:57 48672 ----a-w- c:\windows\system32\RtkCoInstXP.dll
2009-12-02 02:23:57 129568 ----a-w- c:\windows\RtkAudioService.exe
2009-12-02 02:23:55 1684736 ----a-w- c:\windows\system32\drivers\Ambfilt.sys
2009-12-02 02:23:55 1389056 ----a-w- c:\windows\system32\drivers\Monfilt.sys
2009-12-02 02:21:50 0 d-----w- c:\windows\tiinst
2009-12-02 02:21:05 1904 ------w- c:\windows\system32\SetupBD.din
2009-12-02 02:17:14 53248 ----a-w- c:\windows\system32\CSVer.dll
2009-12-02 02:16:29 675840 ----a-w- c:\windows\system32\SET36.tmp
2009-12-02 02:02:26 0 d-----w- c:\docume~1\alluse~1\applic~1\UIB
2009-12-02 01:51:33 0 d-----w- c:\program files\Driver-Soft
2009-12-02 01:19:58 0 d-----w- C:\48788cb77d62e408c2
2009-12-02 01:19:52 146650 ----a-w- c:\windows\system32\BuzzingBee.wav
2009-12-02 01:19:51 940794 ----a-w- c:\windows\system32\LoopyMusic.wav
2009-12-02 00:50:19 0 d-----w- c:\windows\system32\KB905474
2009-12-02 00:50:03 0 d-----w- c:\windows\ie8updates
2009-12-01 08:40:29 46456 ----a-r- c:\windows\system32\exitwx.exe
2009-12-01 08:11:07 0 d-----w- c:\windows\system32\AGEIA
2009-12-01 08:11:00 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-12-01 08:10:43 202019 ----a-w- c:\windows\system32\nvapps.nvb
2009-12-01 07:56:00 5504 -c--a-w- c:\windows\system32\dllcache\intelide.sys
2009-12-01 07:56:00 5504 ----a-w- c:\windows\system32\drivers\intelide.sys
2009-12-01 06:32:27 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-12-01 06:31:35 0 d-----w- c:\docume~1\mycomp~1\applic~1\Windows Search
2009-12-01 06:30:56 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-12-01 06:26:53 17408 ----a-r- c:\windows\system32\EtCo32.dll
2009-12-01 06:26:53 163840 ----a-r- c:\windows\system32\e1000msg.dll
2009-12-01 06:26:52 2790 ----a-r- c:\windows\system32\e1e5132.din
2009-12-01 06:26:52 21504 ----a-r- c:\windows\system32\NicIn32.dll
2009-12-01 06:26:52 20480 ----a-r- c:\windows\system32\NicCo32.dll
2009-12-01 06:26:52 179200 ----a-r- c:\windows\system32\drivers\e1e5132.sys
2009-12-01 06:26:52 126976 ----a-r- c:\windows\system32\Prounstl.exe

==================== Find3M ====================

2009-11-17 12:27:14 1833504 ----a-w- c:\windows\SkyTel.exe
2009-11-02 05:48:02 831488 ----a-w- c:\windows\RtlExUpd.dll
2009-10-29 07:45:38 916480 ------w- c:\windows\system32\wininet.dll
2009-10-22 11:59:32 182784 ----a-w- c:\windows\system32\Ncs2Setp.dll
2009-10-22 11:23:42 730744 ----a-w- c:\windows\system32\ncs2dmix.dll
2009-10-22 11:23:40 513144 ----a-w- c:\windows\system32\accesor.dll
2009-10-22 10:53:44 128120 ----a-w- c:\windows\system32\ncs2instutility.dll
2009-10-22 10:30:20 1693304 ----a-w- c:\windows\system32\ncscolib.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20:16 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-14 04:29:54 30880 ----a-w- c:\windows\system32\drivers\iqvw32.sys
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-10 19:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-08 06:57:02 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2009-10-08 06:57:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 06:56:56 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2009-09-29 05:53:54 244376 ----a-w- c:\windows\system32\PRONtObj.dll
2009-09-15 19:19:34 2756608 ----a-w- c:\windows\system32\NETw5r32.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll

============= FINISH: 14:57:53.12 ===============

I would really appreciate any help with this. I'm confident and willing to follow exact, specific instructions with regards to this issue.

Please find attached the zipped 'attach.txt' from dds and "Ark.txt" from RootRepeal.

Thanks very much :(


Edited by grayfox_, 09 December 2009 - 03:21 AM.
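As an added example (not part of the original post, and not a DDS or BleepingComputer tool), the following script shows how a helper might triage a DDS log like the one above: it parses the SERVICES / DRIVERS and Created Last 30 sections and flags the leads an analyst would look at first. The sample lines are constructed in the same format as the log; the meaning of the attribute letters (d=directory, s=system, h=hidden) is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the DDS report format (lines shaped like the log above, not the full log).
SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============
R0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\drivers\aswNdis.sys [2009-12-5 186064]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2009-12-9 34760]
S3 SDTHelper;Helper driver for SDT-Tool;f:\radix_installer\SDTHLPR.sys [2009-9-14 13545]
=============== Created Last 30 ================
2009-12-09 03:10:43 2 --shatr- c:\windows\winstart.bat
2009-12-09 03:10:19 34760 ----a-w- c:\windows\system32\drivers\Partizan.sys
2009-12-02 07:35:31 0 ----a-w- c:\windows\system32\0
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# "R0 name;description;path [YYYY-M-D size]"; month and day are not zero-padded
DRIVER_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?)\s+"
    r"\[(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)\]$")
# "YYYY-MM-DD HH:MM:SS size attrs path"; attrs is an 8-letter flag column
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} (?P<size>\d+) "
    r"(?P<attrs>\S{8}) (?P<path>.+)$")

def _to_date(s):
    return datetime.strptime(s, "%Y-%m-%d").date()

def parse_dds(text):
    """Pull the SERVICES / DRIVERS and Created Last 30 records out of a DDS report."""
    drivers, created, section = [], [], None
    tables = {"SERVICES / DRIVERS": (DRIVER_RE, drivers),
              "Created Last 30": (CREATED_RE, created)}
    for line in text.splitlines():
        line = line.strip()
        head = SECTION_RE.match(line)
        if head:
            section = head.group(1)
            continue
        if section in tables:
            pattern, bucket = tables[section]
            m = pattern.match(line)
            if m:
                rec = m.groupdict()
                rec["date"], rec["size"] = _to_date(rec["date"]), int(rec["size"])
                bucket.append(rec)
    return {"drivers": drivers, "created": created}

def triage(text, report_date, recent_days=7):
    """Return (path, reason) leads for an analyst; leads, not verdicts."""
    rep = parse_dds(text)
    cutoff = _to_date(report_date) - timedelta(days=recent_days)
    leads = []
    for d in rep["drivers"]:
        if not d["path"].lower().startswith("c:\\windows\\system32\\drivers\\"):
            leads.append((d["path"], "driver loaded from outside system32\\drivers"))
        if d["date"] >= cutoff:
            leads.append((d["path"], "driver file dated within %d days" % recent_days))
    for c in rep["created"]:
        a = c["attrs"]  # flag letters, assumed: d=directory, s=system, h=hidden
        if "s" in a and "h" in a and "d" not in a:
            leads.append((c["path"], "hidden+system file created in last 30 days"))
    return leads
```

A freshly installed AV driver trips the "recent" rule exactly like a rootkit driver would, so each lead still has to be checked against what the user installed themselves.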



#2 grayfox_


Posted 14 December 2009 - 01:41 AM

Decided to restore the system to a premade image. Thanks all the same :(

If anyone reads this, it would be much appreciated to know: What is currently a good software/s for the detection and elimination of rootkits?
I heard that ComboFix used to be pretty good, however it was unable to remove the above ^.

GMER? Full scan?

That's all I want to know ;)

#3 garmanma


Posted 14 December 2009 - 07:26 PM

Topic closed per OP's request

In answer to your question, there isn't any single tool to use.
Mark
