
my rootkit revealer logs

4 replies to this topic

#1 helpme80

  • Members
  • 4 posts
  • OFFLINE
  • Gender:Male
  • Location:IL
  • Local time:12:30 AM

Posted 26 February 2010 - 04:32 PM

I recently ran RootkitRevealer and this is what came up... can anyone tell me if this is OK or not?


HKLM\SECURITY\Policy\Secrets\SAC* 8/16/2005 11:01 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 8/16/2005 11:01 AM 0 bytes Key name contains embedded nulls (*)
C:\Documents and Settings\josh\Application Data\Mozilla\Firefox\Profiles\o1pe0pmi.default\cookies.sqlite-journal 2/26/2010 2:24 PM 512 bytes Hidden from Windows API.
C:\Documents and Settings\josh\Application Data\Mozilla\Firefox\Profiles\o1pe0pmi.default\parent.lock 2/26/2010 2:24 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\josh\Application Data\Mozilla\Firefox\Profiles\o1pe0pmi.default\sessionstore.js 2/26/2010 2:36 PM 107.82 KB Hidden from Windows API.
C:\Documents and Settings\josh\Local Settings\Application Data\Mozilla\Firefox\Profiles\o1pe0pmi.default\Cache\031D7A1Bd01 2/26/2010 2:31 PM 50.36 KB Hidden from Windows API.
C:\Documents and Settings\josh\Local Settings\Application Data\Mozilla\Firefox\Profiles\o1pe0pmi.default\Cache\1FD5F091d01 2/26/2010 2:31 PM 16.40 KB Hidden from Windows API.
C:\Documents and Settings\josh\Local Settings\Application Data\Mozilla\Firefox\Profiles\o1pe0pmi.default\Cache\2045E81Bd01 2/26/2010 2:31 PM 71.18 KB Hidden from Windows API.
C:\Documents and Settings\josh\Local Settings\Application Data\Mozilla\Firefox\Profiles\o1pe0pmi.default\Cache\21551AB8d01 2/26/2010 2:31 PM 16.53 KB Hidden from Windows API.
C:\Documents and Settings\josh\Local Settings\Application Data\Mozilla\Firefox\Profiles\o1pe0pmi.default\Cache\60810EA0d01 2/26/2010 2:33 PM 41.34 KB Hidden from Windows API.
C:\Documents and Settings\josh\Local Settings\Application Data\Mozilla\Firefox\Profiles\o1pe0pmi.default\Cache\6BF41AB8d01 2/26/2010 2:31 PM 42.62 KB Hidden from Windows API.
C:\Documents and Settings\josh\Local Settings\Application Data\Mozilla\Firefox\Profiles\o1pe0pmi.default\Cache\86CD53FCd01 2/26/2010 2:31 PM 17.17 KB Hidden from Windows API.
C:\Documents and Settings\josh\Local Settings\Application Data\Mozilla\Firefox\Profiles\o1pe0pmi.default\Cache\97D5E4B9d01 2/26/2010 2:31 PM 88.09 KB Hidden from Windows API.
C:\Documents and Settings\josh\Local Settings\Application Data\Mozilla\Firefox\Profiles\o1pe0pmi.default\Cache\B3EA4A89d01 2/26/2010 2:33 PM 481.51 KB Hidden from Windows API.
C:\Documents and Settings\josh\Local Settings\Application Data\Mozilla\Firefox\Profiles\o1pe0pmi.default\Cache\BF1E1DD5d01 2/26/2010 2:31 PM 35.77 KB Hidden from Windows API.
C:\Documents and Settings\josh\Local Settings\Application Data\Mozilla\Firefox\Profiles\o1pe0pmi.default\Cache\C0305210d01 2/26/2010 2:31 PM 16.17 KB Hidden from Windows API.
C:\Documents and Settings\josh\Local Settings\Application Data\Mozilla\Firefox\Profiles\o1pe0pmi.default\Cache\C4AE7E59d01 2/26/2010 2:24 PM 20.30 KB Hidden from Windows API.
C:\Documents and Settings\josh\Local Settings\Application Data\Mozilla\Firefox\Profiles\o1pe0pmi.default\Cache\D63D5125d01 2/26/2010 2:36 PM 17.77 KB Hidden from Windows API.
C:\Documents and Settings\josh\Local Settings\Application Data\Mozilla\Firefox\Profiles\o1pe0pmi.default\Cache\E56BE59Fd01 2/26/2010 2:24 PM 27.47 KB Hidden from Windows API.
C:\Documents and Settings\josh\Local Settings\Application Data\Mozilla\Firefox\Profiles\o1pe0pmi.default\Cache\E8BBA41Ad01 2/26/2010 2:31 PM 18.14 KB Hidden from Windows API.
C:\Documents and Settings\josh\Local Settings\Application Data\Mozilla\Firefox\Profiles\o1pe0pmi.default\Cache\EBA10FE9d01 2/26/2010 2:36 PM 18.07 KB Hidden from Windows API.
C:\Documents and Settings\josh\Local Settings\Application Data\Mozilla\Firefox\Profiles\o1pe0pmi.default\Cache\FCEDA41Ad01 2/26/2010 2:31 PM 16.46 KB Hidden from Windows API.
C:\Documents and Settings\josh\Local Settings\Application Data\Mozilla\Firefox\Profiles\o1pe0pmi.default\Cache\FF107C16d01 2/26/2010 2:31 PM 25.42 KB Hidden from Windows API.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP12\A0001235.mfl 2/26/2010 10:41 AM 1.09 MB Hidden from Windows API.


I did have a nasty trojan in my System Restore files before... I'm wondering if it's the same, but when I run my NOD32 antivirus nothing comes up... and I'm not quite sure how to interpret these logs on here... on the website it says if a file is hidden from the Windows API it is usually a rootkit.

Any input would be much appreciated! Thanks for your time!



#2 shrdt

  • Members
  • 28 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:30 AM

Posted 26 February 2010 - 04:44 PM

First I thought this was a joke, "My rootkits, let me show you them", like the internet meme.

So I clicked and I see what you did thar.

Have you tried running Malwarebytes?

I need to get a full copy of Sashacat's copy-and-paste post, to save her a little time :3

#3 Sashacat

  • Members
  • 372 posts
  • OFFLINE
  • Local time:02:30 AM

Posted 26 February 2010 - 04:50 PM

http://www.bleepingcomputer.com/forums/ind...rootkit+removal

Rootkit intervention in AII

Please note, Root Repeal is added to the list of allowed tools to be run in AII. This tool is to be used as a scanner only, and if there is an indication of a rootkit present in the machine the visitor should be referred to the malware removal section. As there are some new variants of rootkits in the wild right now that will require custom scripts to remove the infection, the process must be completed by Malware Response Team members or above.

Failure to follow the proper removal process can and will cause serious damage to a machine. Recovery of the machine may be difficult, if not impossible.

Only Malware Response Team members or above should be posting advice about this infection!

If we don't change the direction we are going,
We are likely to end up where we are headed.

#4 helpme80
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Gender:Male
  • Location:IL
  • Local time:12:30 AM

Posted 26 February 2010 - 05:45 PM

OK, here are RootRepeal's findings.





ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/02/26 16:32
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB4A6E000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5EC000 Size: 8192 File Visible: No Signed: -
Status: -

Name: RKREVEAL150.SYS
Image Path: C:\WINDOWS\system32\Drivers\RKREVEAL150.SYS
Address: 0xBA5F6000 Size: 4128 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA8668000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\josh\local settings\application data\mozilla\firefox\profiles\o1pe0pmi.default\cache\_cache_001_
Status: Size mismatch (API: 2468760, Raw: 2465153)

Path: c:\documents and settings\josh\local settings\application data\mozilla\firefox\profiles\o1pe0pmi.default\cache\_cache_003_
Status: Size mismatch (API: 4513896, Raw: 4499795)

SSDT
-------------------
#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb4b3a420

#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb4b3ac60

#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb4b38a90

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb4b47cb0

#: 046 Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb4b38740

#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb4b35320

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb4b35710

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb4b34de0

#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb4b36ca0

#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb4b37900

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb4b38410

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb4b39b40

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb4b48420

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb4b36630

#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb4b35080

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb4b371c0

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb4b3a8a0

#: 145 Function Name: NtQueryDirectoryFile
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb4b39fb0

#: 180 Function Name: NtQueueApcThread
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb4b3ae00

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb4b39690

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb4b47940

#: 206 Function Name: NtResumeThread
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb4b38060

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb4b38e80

#: 213 Function Name: NtSetContextThread
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb4b376e0

#: 229 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x89596bd0

#: 237 Function Name: NtSetSecurityObject
Status: Hooked by "<unknown>" at address 0x89593a90

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb4b37aa0

#: 249 Function Name: NtShutdownSystem
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb4b39a10

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb4b38240

#: 254 Function Name: NtSuspendThread
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb4b37e60

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb4b37c90

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb4b36a30

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb4b374b0

#: 262 Function Name: NtUnloadDriver
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb4b39d70

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb4b3aa70

Shadow SSDT
-------------------
#: 013 Function Name: NtGdiBitBlt
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb4b335c0

#: 233 Function Name: NtGdiOpenDCW
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb4b33940

#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb4b30470

#: 310 Function Name: NtUserBlockInput
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb4b322b0

#: 319 Function Name: NtUserCallHwndParamLock
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb4b31df0

#: 324 Function Name: NtUserCallTwoParam
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb4b32e30

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb4b30f00

#: 389 Function Name: NtUserGetClipboardData
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb4b325b0

#: 401 Function Name: NtUserGetDC
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb4b33270

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb4b30dd0

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb4b30ca0

#: 439 Function Name: NtUserGetWindowDC
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb4b33410

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb4b31030

#: 465 Function Name: NtUserMoveWindow
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb4b32950

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb4b315b0

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb4b31a10

#: 491 Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb4b302f0

#: 502 Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb4b32050

#: 509 Function Name: NtUserSetClipboardViewer
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb4b32450

#: 529 Function Name: NtUserSetParent
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb4b32720

#: 546 Function Name: NtUserSetWindowPos
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb4b32ce0

#: 548 Function Name: NtUserSetWindowsHookAW
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb4b2fe10

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb4b2fa20

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb4b30080

#: 555 Function Name: NtUserShowWindow
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb4b32bf0

==EOF==
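To make a report like the one above easier to read, here is an added example (not from RootRepeal, not from this thread) that parses the SSDT / Shadow SSDT sections, groups every hook by the module RootRepeal attributed it to, and lists the entries attributed to "<unknown>" separately. It assumes RootRepeal prints "<unknown>" when the hook address is not inside any loaded driver's image; the SAMPLE text is a constructed excerpt of the report format posted above.

```python
import re
from collections import defaultdict, namedtuple

# Constructed excerpt in the RootRepeal report format posted above (a few real entries).
SAMPLE = '''SSDT
-------------------
#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "C:\\WINDOWS\\system32\\drivers\\OADriver.sys" at address 0xb4b3a420

#: 229 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x89596bd0

Shadow SSDT
-------------------
#: 013 Function Name: NtGdiBitBlt
Status: Hooked by "C:\\WINDOWS\\system32\\drivers\\OADriver.sys" at address 0xb4b335c0
'''

ENTRY_RE = re.compile(r"#:\s*(\d+)\s+Function Name:\s*(\S+)")
STATUS_RE = re.compile(r'Status: Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)')

# table: "SSDT" or "Shadow SSDT"; module: image RootRepeal attributed the hook to, or "<unknown>"
Hook = namedtuple("Hook", "table index function module address")

def parse_hooks(report):
    """Walk the report line by line; a section header is any line followed by a dashed rule."""
    hooks, table, pending = [], "", None
    lines = report.splitlines()
    for i, line in enumerate(lines):
        if i + 1 < len(lines) and lines[i + 1].startswith("---"):
            table = line.strip()
        elif (m := ENTRY_RE.match(line)):
            pending = (table, int(m.group(1)), m.group(2))
        elif pending and (m := STATUS_RE.match(line)):
            hooks.append(Hook(*pending, m.group(1), int(m.group(2), 16)))
            pending = None
    return hooks

def triage(hooks):
    """Group hooks by owning module. "<unknown>" (assumed) means the hook target lies outside
    every loaded driver image, so it cannot be tied to an installed product: check those first."""
    by_module = defaultdict(list)
    for h in hooks:
        by_module[h.module].append(f"{h.table}:{h.function}")
    return {"by_module": dict(by_module),
            "unknown": [h.function for h in hooks if h.module == "<unknown>"]}

if __name__ == "__main__":
    for module, funcs in triage(parse_hooks(SAMPLE))["by_module"].items():
        print(f"{module}: {len(funcs)} hook(s) -> {', '.join(funcs)}")
```

Hooks grouped under a named driver can be checked against the security products installed on the machine; the "<unknown>" list is what an analyst would want to look at first.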

#5 garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  • Location:Cleveland, Ohio
  • Local time:02:30 AM

Posted 26 February 2010 - 08:31 PM

Please read the pinned topic titled "Preparation Guide For Use Before Posting A DDS / HJT Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.


When you have done that, post your log in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Removal Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the Malware Response Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

The MR team is very busy and it will take a while to get to your post.
Please be patient, and good luck.
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits