
%100 CPU and TR/Rootkit.Gen


5 replies to this topic

#1 naumoski


Posted 21 April 2010 - 11:58 AM

Hi, my English isn't good but I'll try to explain my problem. When I connect to the internet, it seems CPU is 100%. All about svchost.exe. When I close it, a countdown starts from 60 sec and the computer restarts. I wrote shutdown -a and it's closed. If I continue to use it like this, is it harmful? By the way, I made a system scan with Avira AntiVir and it found TR/Rootkit.Gen. And all deleted. I don't know if these 2 situations are different or about the same problem. But I can't connect to the internet without typing the shutdown -a command.


#2 Eric ~ Computer Guy


Posted 21 April 2010 - 12:14 PM

Hi, my English isn't good but I'll try to explain my problem. When I connect to the internet, it seems CPU is 100%. All about svchost.exe. When I close it, a countdown starts from 60 sec and the computer restarts. I wrote shutdown -a and it's closed. If I continue to use it like this, is it harmful? By the way, I made a system scan with Avira AntiVir and it found TR/Rootkit.Gen. And all deleted. I don't know if these 2 situations are different or about the same problem. But I can't connect to the internet without typing the shutdown -a command.


Have you run Malwarebytes or SuperAntiSpyware?

#3 naumoski


Posted 21 April 2010 - 12:20 PM

No, just used Avira Antivir.

#4 Eric ~ Computer Guy


Posted 21 April 2010 - 12:34 PM

I'm not a staffer, so if a mod or such steps in, they will be in charge.

Until then, I'd say try running Malwarebytes and copy/paste the log here. Someone that can refer you to the right place will have a look at it.

Try to run it in Normal Mode if possible. If not, Safe Mode with Networking will have to do.

I think you will see results since the Rootkit turned up in a scan. If a scanner is able to find it, that means it isn't actively hooking or being hidden, meaning it could be removed using conventional scanners, like Malwarebytes.

Edited by Eric ~ Computer Guy, 21 April 2010 - 12:35 PM.


#5 naumoski


Posted 21 April 2010 - 01:02 PM

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

4/21/2010 20:56:47
mbam-log-2010-04-21 (20-56-47).txt

Scan type: Quick scan
Objects scanned: 104171
Time elapsed: 7 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\genel\Application Data\avdrn.dat (Malware.Trace) -> No action taken.

#6 naumoski


Posted 21 April 2010 - 01:06 PM

By the way, this is the first Avira scan report if it is needed. It found '0' in the second scan.
Avira AntiVir Personal
Scanning for 1867270 virus strains and unwanted programs.

Version information:
BUILD.DAT : 10.0.0.561 32098 Bytes 3/18/2010 15:46:00
AVSCAN.EXE : 10.0.2.3 433832 Bytes 3/7/2010 15:57:10
AVSCAN.DLL : 10.0.2.2 45928 Bytes 3/2/2010 10:48:47
LUKE.DLL : 10.0.2.3 104296 Bytes 3/7/2010 16:33:04
LUKERES.DLL : 10.0.0.1 12648 Bytes 2/10/2010 21:40:49
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 10:09:31
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 10:09:32
VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 15:44:28
VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 22:10:03
VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 11:40:32
VBASE005.VDF : 7.10.4.204 2048 Bytes 3/5/2010 11:40:32
VBASE006.VDF : 7.10.4.205 2048 Bytes 3/5/2010 11:40:32
VBASE007.VDF : 7.10.4.206 2048 Bytes 3/5/2010 11:40:32
VBASE008.VDF : 7.10.4.207 2048 Bytes 3/5/2010 11:40:33
VBASE009.VDF : 7.10.4.208 2048 Bytes 3/5/2010 11:40:33
VBASE010.VDF : 7.10.4.209 2048 Bytes 3/5/2010 11:40:33
VBASE011.VDF : 7.10.4.210 2048 Bytes 3/5/2010 11:40:33
VBASE012.VDF : 7.10.4.211 2048 Bytes 3/5/2010 11:40:34
VBASE013.VDF : 7.10.4.242 153088 Bytes 3/8/2010 19:03:25
VBASE014.VDF : 7.10.5.17 99328 Bytes 3/10/2010 19:03:25
VBASE015.VDF : 7.10.5.44 107008 Bytes 3/11/2010 19:03:26
VBASE016.VDF : 7.10.5.69 92672 Bytes 3/12/2010 13:06:27
VBASE017.VDF : 7.10.5.91 119808 Bytes 3/15/2010 13:06:28
VBASE018.VDF : 7.10.5.121 112640 Bytes 3/18/2010 13:06:28
VBASE019.VDF : 7.10.5.122 2048 Bytes 3/18/2010 11:01:24
VBASE020.VDF : 7.10.5.123 2048 Bytes 3/18/2010 11:01:24
VBASE021.VDF : 7.10.5.124 2048 Bytes 3/18/2010 11:01:24
VBASE022.VDF : 7.10.5.125 2048 Bytes 3/18/2010 11:01:24
VBASE023.VDF : 7.10.5.126 2048 Bytes 3/18/2010 11:01:24
VBASE024.VDF : 7.10.5.127 2048 Bytes 3/18/2010 11:01:24
VBASE025.VDF : 7.10.5.128 2048 Bytes 3/18/2010 11:01:24
VBASE026.VDF : 7.10.5.129 2048 Bytes 3/18/2010 11:01:24
VBASE027.VDF : 7.10.5.130 2048 Bytes 3/18/2010 11:01:24
VBASE028.VDF : 7.10.5.131 2048 Bytes 3/18/2010 11:01:24
VBASE029.VDF : 7.10.5.132 2048 Bytes 3/18/2010 11:01:24
VBASE030.VDF : 7.10.5.133 2048 Bytes 3/18/2010 11:01:25
VBASE031.VDF : 7.10.5.134 16384 Bytes 3/18/2010 11:01:25
Engineversion : 8.2.1.194
AEVDF.DLL : 8.1.1.3 106868 Bytes 1/24/2010 15:44:40
AESCRIPT.DLL : 8.1.3.18 1024378 Bytes 3/17/2010 09:09:47
AESCN.DLL : 8.1.5.0 127347 Bytes 2/27/2010 10:47:01
AESBX.DLL : 8.1.2.1 254323 Bytes 3/20/2010 13:06:46
AERDL.DLL : 8.1.4.3 541043 Bytes 3/20/2010 13:06:44
AEPACK.DLL : 8.2.1.0 426356 Bytes 3/2/2010 13:01:39
AEOFFICE.DLL : 8.1.0.41 201083 Bytes 3/20/2010 13:06:40
AEHEUR.DLL : 8.1.1.13 2470262 Bytes 3/17/2010 09:09:46
AEHELP.DLL : 8.1.10.2 237941 Bytes 3/20/2010 13:06:33
AEGEN.DLL : 8.1.2.2 373107 Bytes 3/17/2010 09:09:45
AEEMU.DLL : 8.1.1.0 393587 Bytes 10/7/2009 22:02:08
AECORE.DLL : 8.1.12.3 188789 Bytes 3/20/2010 13:06:31
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 12:32:40
AVWINLL.DLL : 10.0.0.0 19304 Bytes 1/14/2010 10:03:38
AVPREF.DLL : 10.0.0.0 44904 Bytes 1/14/2010 10:03:35
AVREP.DLL : 10.0.0.8 62209 Bytes 2/18/2010 14:47:40
AVREG.DLL : 10.0.1.2 52072 Bytes 1/29/2010 09:47:41
AVSCPLR.DLL : 10.0.2.3 83304 Bytes 3/7/2010 16:02:30
AVARKT.DLL : 10.0.0.13 227176 Bytes 3/7/2010 15:48:41
AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 1/26/2010 07:53:30
SQLITE3.DLL : 3.6.19.0 355688 Bytes 1/28/2010 10:57:58
AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/16/2010 13:38:56
NETNT.DLL : 10.0.0.0 11624 Bytes 2/19/2010 12:41:00
RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/28/2010 11:10:20
RCTEXT.DLL : 10.0.46.0 97128 Bytes 3/5/2010 08:09:41

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Çarşamba, Nisan 21, 2010 14:31

Starting search for hidden objects.
c:\windows\repair\backup\servicestate\configdirectory\driversc.evt
c:\WINDOWS\repair\Backup\ServiceState
[NOTE] The file is not visible.
c:\windows\repair\backup\servicestate\configdirectory\tempkey.log
c:\WINDOWS\repair\Backup\ServiceState
[NOTE] The file is not visible.
c:\windows\repair\backup\servicestate\configdirectory\userdiff
c:\WINDOWS\repair\Backup\ServiceState
[NOTE] The file is not visible.
c:\windows\repair\backup\servicestate\configdirectory\userdiff.log
c:\WINDOWS\repair\Backup\ServiceState
[NOTE] The file is not visible.
c:\windows\repair\backup\servicestate\eventlogs\appevent.evt
c:\WINDOWS\repair\Backup\ServiceState
[NOTE] The file is not visible.
c:\windows\repair\backup\servicestate\eventlogs\driverscanner.evt
c:\WINDOWS\repair\Backup\ServiceState
[NOTE] The file is not visible.
c:\windows\repair\backup\servicestate\eventlogs\secevent.evt
c:\WINDOWS\repair\Backup\ServiceState
[NOTE] The file is not visible.
c:\windows\repair\backup\servicestate\eventlogs\sysevent.evt
c:\WINDOWS\repair\Backup\ServiceState
[NOTE] The file is not visible.
c:\windows\repair\backup\servicestate\removablestoragemanager\ntmsdata
c:\WINDOWS\repair\Backup\ServiceState
[NOTE] The file is not visible.
c:\windows\repair\backup\servicestate\removablestoragemanager\ntmsreg
c:\WINDOWS\repair\Backup\ServiceState
[NOTE] The file is not visible.
c:\windows\repair\backup\servicestate\configdirectory
c:\WINDOWS\repair\Backup\ServiceState
[NOTE] The directory is not visible.
c:\windows\repair\backup\servicestate\eventlogs
c:\WINDOWS\repair\Backup\ServiceState
[NOTE] The directory is not visible.
c:\windows\repair\backup\servicestate\removablestoragemanager
c:\WINDOWS\repair\Backup\ServiceState
[NOTE] The directory is not visible.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NtmsSvc\Config\Standalone\drivelist
[NOTE] The registry entry is invisible.

The scan of running processes will be started
Scan process 'rsmsink.exe' - '27' Module(s) have been scanned
Scan process 'msdtc.exe' - '39' Module(s) have been scanned
Scan process 'dllhost.exe' - '58' Module(s) have been scanned
Scan process 'dllhost.exe' - '44' Module(s) have been scanned
Scan process 'vssvc.exe' - '47' Module(s) have been scanned
Scan process 'avscan.exe' - '67' Module(s) have been scanned
Scan process 'avcenter.exe' - '58' Module(s) have been scanned
Scan process 'taskmgr.exe' - '33' Module(s) have been scanned
Scan process 'wmiapsrv.exe' - '44' Module(s) have been scanned
Scan process 'alg.exe' - '31' Module(s) have been scanned
Scan process 'AirTies_util3.exe' - '47' Module(s) have been scanned
Scan process 'jusched.exe' - '20' Module(s) have been scanned
Scan process 'avgnt.exe' - '46' Module(s) have been scanned
Scan process 'winampa.exe' - '18' Module(s) have been scanned
Scan process 'svchost.exe' - '36' Module(s) have been scanned
Scan process 'Monitor.exe' - '22' Module(s) have been scanned
Scan process 'OpwareSE4.exe' - '13' Module(s) have been scanned
Scan process 'hkcmd.exe' - '27' Module(s) have been scanned
Scan process 'igfxtray.exe' - '27' Module(s) have been scanned
Scan process 'tcpsvcs.exe' - '31' Module(s) have been scanned
Scan process 'Explorer.EXE' - '89' Module(s) have been scanned
Scan process 'jqs.exe' - '85' Module(s) have been scanned
Scan process 'hsssrv.exe' - '41' Module(s) have been scanned
Scan process 'avshadow.exe' - '24' Module(s) have been scanned
Scan process 'openvpnas.exe' - '25' Module(s) have been scanned
Scan process 'avguard.exe' - '52' Module(s) have been scanned
Scan process 'netdde.exe' - '25' Module(s) have been scanned
Scan process 'sched.exe' - '41' Module(s) have been scanned
Scan process 'spoolsv.exe' - '53' Module(s) have been scanned
Scan process 'svchost.exe' - '42' Module(s) have been scanned
Scan process 'svchost.exe' - '26' Module(s) have been scanned
Scan process 'svchost.exe' - '150' Module(s) have been scanned
Scan process 'svchost.exe' - '37' Module(s) have been scanned
Scan process 'svchost.exe' - '53' Module(s) have been scanned
Scan process 'lsass.exe' - '57' Module(s) have been scanned
Scan process 'services.exe' - '35' Module(s) have been scanned
Scan process 'winlogon.exe' - '62' Module(s) have been scanned
Scan process 'csrss.exe' - '13' Module(s) have been scanned
Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '435' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\Documents and Settings\genel\Belgelerim\Downloads\Ensiferum Discografia [www.heavytorrents.org]\2001 - Ensiferum\01 - Intro.mp3
[DETECTION] Is the TR/Rootkit.Gen Trojan
C:\Documents and Settings\genel\Belgelerim\Downloads\Ensiferum Discografia [www.heavytorrents.org]\2001 - Ensiferum\03 - Token of Time.mp3
[DETECTION] Is the TR/Rootkit.Gen Trojan
C:\Documents and Settings\genel\Belgelerim\Downloads\Ensiferum Discografia [www.heavytorrents.org]\2001 - Ensiferum\04 - Guardians of Fate.mp3
[DETECTION] Is the TR/Rootkit.Gen Trojan
C:\Documents and Settings\genel\Belgelerim\Downloads\Ensiferum Discografia [www.heavytorrents.org]\2001 - Ensiferum\06 - Little Dreamer (Väinämöinen, Pt. 2).mp3
[DETECTION] Is the TR/Rootkit.Gen Trojan
C:\Documents and Settings\genel\Belgelerim\Downloads\Ensiferum Discografia [www.heavytorrents.org]\2001 - Ensiferum\09 - Treacherous Gods.mp3
[DETECTION] Is the TR/Rootkit.Gen Trojan
C:\Documents and Settings\genel\Belgelerim\Downloads\Ensiferum Discografia [www.heavytorrents.org]\2001 - Ensiferum\12 - Goblin's Dance [-].mp3
[DETECTION] Is the TR/Rootkit.Gen Trojan
C:\WINDOWS\system32\drivers\aauikqfc.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
C:\WINDOWS\system32\drivers\kyoqk.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
C:\WINDOWS\system32\drivers\tryuunsp.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
C:\WINDOWS\system32\drivers\wshodre.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan

Beginning disinfection:
C:\WINDOWS\system32\drivers\wshodre.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '46be5636.qua'.
C:\WINDOWS\system32\drivers\tryuunsp.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '5e587990.qua'.
C:\WINDOWS\system32\drivers\kyoqk.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '0c7d2370.qua'.
C:\WINDOWS\system32\drivers\aauikqfc.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '6a346c8a.qua'.
C:\Documents and Settings\genel\Belgelerim\Downloads\Ensiferum Discografia [www.heavytorrents.org]\2001 - Ensiferum\12 - Goblin's Dance [-].mp3
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '281d4145.qua'.
C:\Documents and Settings\genel\Belgelerim\Downloads\Ensiferum Discografia [www.heavytorrents.org]\2001 - Ensiferum\09 - Treacherous Gods.mp3
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '5706732f.qua'.
C:\Documents and Settings\genel\Belgelerim\Downloads\Ensiferum Discografia [www.heavytorrents.org]\2001 - Ensiferum\06 - Little Dreamer (Väinämöinen, Pt. 2).mp3
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '1bbe5f67.qua'.
C:\Documents and Settings\genel\Belgelerim\Downloads\Ensiferum Discografia [www.heavytorrents.org]\2001 - Ensiferum\04 - Guardians of Fate.mp3
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '67a61f35.qua'.
C:\Documents and Settings\genel\Belgelerim\Downloads\Ensiferum Discografia [www.heavytorrents.org]\2001 - Ensiferum\03 - Token of Time.mp3
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '4afc3079.qua'.
C:\Documents and Settings\genel\Belgelerim\Downloads\Ensiferum Discografia [www.heavytorrents.org]\2001 - Ensiferum\01 - Intro.mp3
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '53940be7.qua'.
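A small triage helper for reports in the Avira AntiVir format posted above, added here as an example; it is not part of the thread or of Avira's own tooling. It pairs each [DETECTION] from the file-scan section with the quarantine [NOTE] from the disinfection section, flags detections under the drivers directory, and lists detections that were never quarantined. The embedded report is constructed from the thread's lines, shortened, and deliberately leaves one driver detection without a quarantine note so the follow-up list is non-empty.

```python
import re

# Path prefix that marks a detection as a kernel driver location (assumption: XP layout as in the thread).
DRIVERS_DIR = "c:\\windows\\system32\\drivers\\"

# Constructed sample in the thread's report format; aauikqfc.sys intentionally has no quarantine note.
SAMPLE_REPORT = """\
Starting the file scan:

Begin scan in 'C:\\'
C:\\Documents and Settings\\genel\\Belgelerim\\Downloads\\01 - Intro.mp3
[DETECTION] Is the TR/Rootkit.Gen Trojan
C:\\WINDOWS\\system32\\drivers\\aauikqfc.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
C:\\WINDOWS\\system32\\drivers\\kyoqk.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan

Beginning disinfection:
C:\\WINDOWS\\system32\\drivers\\kyoqk.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '0c7d2370.qua'.
C:\\Documents and Settings\\genel\\Belgelerim\\Downloads\\01 - Intro.mp3
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '53940be7.qua'.
"""

QUARANTINE_RE = re.compile(r"quarantine directory under the name '([0-9a-f]+\.qua)'")


def parse_report(text):
    """Return {path: {"signature", "quarantined_as", "in_drivers_dir"}} for every detected file."""
    findings = {}
    in_disinfection = False
    current = None  # the path line that the following [DETECTION]/[NOTE] lines refer to
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Beginning disinfection"):
            in_disinfection = True
        elif line.startswith("[DETECTION]") and current is not None:
            entry = findings.setdefault(current, {
                "signature": None, "quarantined_as": None,
                "in_drivers_dir": current.lower().startswith(DRIVERS_DIR)})
            entry["signature"] = line[len("[DETECTION] "):]
        elif line.startswith("[NOTE]") and current is not None and in_disinfection:
            m = QUARANTINE_RE.search(line)
            if m:
                findings[current]["quarantined_as"] = m.group(1)
        elif line and not line.startswith("[") and not line.startswith("Begin scan"):
            # A line containing a drive spec is a file path; anything else resets the subject.
            current = line if ":\\" in line else None
    return findings


def unresolved(findings):
    """Detected paths with no quarantine record: the ones to follow up on after the scan."""
    return [path for path, f in findings.items() if f["quarantined_as"] is None]
```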



