
RootkitRepeal Scan Results


  • Please log in to reply
6 replies to this topic

#1 Berlewan


Posted 11 August 2011 - 01:05 AM

There were no obvious problems with my Win XP Pro SP3 system, but idly I ran RootkitRevealer and it reported 57 discrepancies. That caused me to run RKR which yielded a lot more information. The report follows and I should be very grateful for any help with the next step. Thanks a lot.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2011/08/11 01:17
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: 1UnHooker.sys
Image Path: C:\WINDOWS\system32\DRIVERS\1UnHooker.sys
Address: 0xF7667000 Size: 36864 File Visible: - Signed: No
Status: -

Name: AuviUADFilter.sys
Image Path: C:\WINDOWS\system32\DRIVERS\AuviUADFilter.sys
Address: 0xF77A7000 Size: 20864 File Visible: - Signed: No
Status: -

Name: AuviUATV.sys
Image Path: C:\WINDOWS\system32\DRIVERS\AuviUATV.sys
Address: 0xAA09B000 Size: 1786752 File Visible: - Signed: No
Status: -

Name: AuviUDTV.sys
Image Path: C:\WINDOWS\system32\DRIVERS\AuviUDTV.sys
Address: 0xA9EE8000 Size: 1780608 File Visible: - Signed: No
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA9ED0000 Size: 98304 File Visible: No Signed: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A41000 Size: 8192 File Visible: No Signed: No
Status: -

Name: PQNTDrv.SYS
Image Path: C:\WINDOWS\System32\Drivers\PQNTDrv.SYS
Address: 0xF7B7E000 Size: 2688 File Visible: - Signed: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA8ADB000 Size: 49152 File Visible: No Signed: No
Status: -

Hidden/Locked Files
-------------------
Path: Volume E:\
Status: MBR Rootkit Detected!

Path: Volume E:\, Sector 1
Status: Sector mismatch

Path: Volume E:\, Sector 2
Status: Sector mismatch

Path: Volume E:\, Sector 3
Status: Sector mismatch

Path: Volume E:\, Sector 4
Status: Sector mismatch

Path: Volume E:\, Sector 5
Status: Sector mismatch

Path: Volume E:\, Sector 6
Status: Sector mismatch

Path: Volume E:\, Sector 7
Status: Sector mismatch

Path: Volume E:\, Sector 8
Status: Sector mismatch

Path: Volume E:\, Sector 9
Status: Sector mismatch

Path: Volume E:\, Sector 10
Status: Sector mismatch

Path: Volume E:\, Sector 11
Status: Sector mismatch

Path: Volume E:\, Sector 12
Status: Sector mismatch

Path: Volume E:\, Sector 13
Status: Sector mismatch

Path: Volume E:\, Sector 14
Status: Sector mismatch

Path: Volume E:\, Sector 15
Status: Sector mismatch

Path: Volume E:\, Sector 16
Status: Sector mismatch

Path: Volume E:\, Sector 17
Status: Sector mismatch

Path: Volume E:\, Sector 18
Status: Sector mismatch

Path: Volume E:\, Sector 19
Status: Sector mismatch

Path: Volume E:\, Sector 20
Status: Sector mismatch

Path: Volume E:\, Sector 21
Status: Sector mismatch

Path: Volume E:\, Sector 22
Status: Sector mismatch

Path: Volume E:\, Sector 23
Status: Sector mismatch

Path: Volume E:\, Sector 24
Status: Sector mismatch

Path: Volume E:\, Sector 25
Status: Sector mismatch

Path: Volume E:\, Sector 26
Status: Sector mismatch

Path: Volume E:\, Sector 27
Status: Sector mismatch

Path: Volume E:\, Sector 28
Status: Sector mismatch

Path: Volume E:\, Sector 29
Status: Sector mismatch

Path: Volume E:\, Sector 30
Status: Sector mismatch

Path: Volume E:\, Sector 31
Status: Sector mismatch

Path: Volume E:\, Sector 32
Status: Sector mismatch

Path: Volume E:\, Sector 33
Status: Sector mismatch

Path: Volume E:\, Sector 34
Status: Sector mismatch

Path: Volume E:\, Sector 35
Status: Sector mismatch

Path: Volume E:\, Sector 36
Status: Sector mismatch

Path: Volume E:\, Sector 37
Status: Sector mismatch

Path: Volume E:\, Sector 38
Status: Sector mismatch

Path: Volume E:\, Sector 39
Status: Sector mismatch

Path: Volume E:\, Sector 40
Status: Sector mismatch

Path: Volume E:\, Sector 41
Status: Sector mismatch

Path: Volume E:\, Sector 42
Status: Sector mismatch

Path: Volume E:\, Sector 43
Status: Sector mismatch

Path: Volume E:\, Sector 44
Status: Sector mismatch

Path: Volume E:\, Sector 45
Status: Sector mismatch

Path: Volume E:\, Sector 46
Status: Sector mismatch

Path: Volume E:\, Sector 47
Status: Sector mismatch

Path: Volume E:\, Sector 48
Status: Sector mismatch

Path: Volume E:\, Sector 49
Status: Sector mismatch

Path: Volume E:\, Sector 50
Status: Sector mismatch

Path: Volume E:\, Sector 51
Status: Sector mismatch

Path: Volume E:\, Sector 52
Status: Sector mismatch

Path: Volume E:\, Sector 53
Status: Sector mismatch

Path: Volume E:\, Sector 54
Status: Sector mismatch

Path: Volume E:\, Sector 55
Status: Sector mismatch

Path: Volume E:\, Sector 56
Status: Sector mismatch

Path: Volume E:\, Sector 57
Status: Sector mismatch

Path: Volume E:\, Sector 58
Status: Sector mismatch

Path: Volume E:\, Sector 59
Status: Sector mismatch

Path: Volume E:\, Sector 60
Status: Sector mismatch

Path: Volume E:\, Sector 61
Status: Sector mismatch

Path: Volume E:\, Sector 62
Status: Sector mismatch

SSDT
-------------------
#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xa9cd9f60

#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xa9cd9af0

#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xa9cd9b40

#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xa9cd9f10

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xa9cd9810

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xa9cd98d0

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xa9cda180

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xa9cda490

#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xa9cd9cd0

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xa9cda320

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xa9cd9be0

#: 180 Function Name: NtQueueApcThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xaa72f790

#: 213 Function Name: NtSetContextThread
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xa9cd9aa0

#: 229 Function Name: NtSetInformationThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xaa72f650

#: 237 Function Name: NtSetSecurityObject
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xaa72f7d0

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xa9cd99b0

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xaa72f510

#: 254 Function Name: NtSuspendThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\ehdrv.sys" at address 0xaa72f590

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xa9cd9e80

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xa9cda630

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xa9cd9c80

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xa9cda000

Shadow SSDT
-------------------
#: 007 Function Name: NtGdiAlphaBlend
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xa9cdaf70

#: 013 Function Name: NtGdiBitBlt
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xa9cdb190

#: 227 Function Name: NtGdiMaskBlt
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xa9cdb100

#: 233 Function Name: NtGdiOpenDCW
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xa9cdb360

#: 237 Function Name: NtGdiPlgBlt
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xa9cdaff0

#: 292 Function Name: NtGdiStretchBlt
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xa9cdaec0

#: 298 Function Name: NtGdiTransparentBlt
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xa9cdb090

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xa9cdae70

#: 389 Function Name: NtUserGetClipboardData
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xa9cdb4c0

#: 404 Function Name: NtUserGetForegroundWindow
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xa9cdad50

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xa9cdada0

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xa9cdade0

#: 428 Function Name: NtUserGetRawInputData
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xa9cdae30

#: 483 Function Name: NtUserQueryWindow
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xa9cdb590

#: 508 Function Name: NtUserSetClipboardData
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xa9cdb470

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xa9cdb520

#: 592 Function Name: NtUserWindowFromPoint
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xa9cdb620

==EOF==
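The RootRepeal report above is regular enough to parse: sections are a heading over a dashed rule, entries are key/value blocks separated by blank lines, and the `#:` and `Hooked by` lines pack several fields into one line. The following is an added example of mine (not RootRepeal's code and not from the thread) that parses that layout and pulls out the findings a responder looks at first; the embedded sample is a constructed excerpt whose values are copied from the posted log.

```python
import re
from collections import Counter, defaultdict
# Constructed excerpt in RootRepeal's report layout; the values are copied from the log posted above.
SAMPLE_LOG = """\
Hidden/Locked Files
-------------------
Path: Volume E:\\
Status: MBR Rootkit Detected!

Path: Volume E:\\, Sector 1
Status: Sector mismatch

SSDT
-------------------
#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "C:\\WINDOWS\\System32\\drivers\\pxrts.sys" at address 0xa9cd9f60

#: 180 Function Name: NtQueueApcThread
Status: Hooked by "C:\\WINDOWS\\system32\\DRIVERS\\ehdrv.sys" at address 0xaa72f790

==EOF==
"""
FUNC = re.compile(r"(?P<Index>\d+) Function Name: (?P<Function>\S+)")
HOOK = re.compile(r'Hooked by "(?P<Module>[^"]+)" at address (?P<Hook>0x[0-9a-fA-F]+)')

def parse_rootrepeal(text):
    # Blocks are separated by blank lines; a block whose second line is a dashed rule starts a new section.
    sections, current = defaultdict(list), None
    for block in text.replace("\r\n", "\n").split("\n\n"):
        lines = block.strip().splitlines()
        if len(lines) > 1 and lines[1].startswith("---"):
            current, lines = lines[0], lines[2:]
        if current is None or not lines or lines == ["==EOF=="]:
            continue                                  # report preamble, or the trailer
        entry = {}
        for line in lines:
            key, _, val = line.partition(": ")
            entry[key] = val
            m = FUNC.match(val) if key == "#" else HOOK.search(val)
            entry.update(m.groupdict() if m else {})  # "#:" lines and hook lines carry several fields
        sections[current].append(entry)
    return dict(sections)

def summarize(sections):
    # What a responder reads first: MBR alerts, mismatched sectors per volume, and which module hooks what.
    hidden, hooks = sections.get("Hidden/Locked Files", []), sections.get("SSDT", []) + sections.get("Shadow SSDT", [])
    return {"mbr_alerts": sorted(h["Path"] for h in hidden if "MBR" in h["Status"]),
            "sector_mismatches": Counter(h["Path"].split(",")[0] for h in hidden if h["Status"] == "Sector mismatch"),
            # hooks placed by an installed security product are the usual benign cause; a module you cannot account for is not
            "hooks_by_module": Counter(h["Module"].rsplit("\\", 1)[-1].lower() for h in hooks if "Module" in h)}
```

Run it on the full log with `summarize(parse_rootrepeal(open("rootrepeal.txt").read()))` to get the 62 mismatches on Volume E and the per-driver hook counts in one view.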


#2 Budapest (Moderator)

Posted 11 August 2011 - 01:10 AM

Try this:

http://www.bleepingcomputer.com/virus-removal/remove-tdss-tdl3-alureon-rootkit-using-tdsskiller

#3 Berlewan (Topic Starter)

Posted 11 August 2011 - 10:14 AM

Thanks, Budapest. I ran TDSSKiller, but it found nothing.

#4 quietman7 (Global Moderator)

Posted 11 August 2011 - 02:44 PM

The detection is on Volume E so what exactly is that drive used for...is it an external HD?

An MBR rootkit overwrites the Master Boot Record (MBR) of the hard disk with its own code and stores a copy of the original master boot record at another sector while using rootkit techniques to hide itself. The installer of the rootkit writes the content of a malicious kernel driver to the last sectors of the disk, and then modifies sector 0 (the MBR). The MBR rootkit can only execute itself if you boot from the primary hard disk (usually drive C:\).
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
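The two things quietman7's description gives a defender to check are sector 0 itself and the sectors after the last partition. The following is an added example of mine (not from the thread or any tool named in it) that parses a classic MBR (440-byte bootstrap, partition table at offset 446, 0x55AA at 510), compares the bootstrap against a known-good copy, and measures the unallocated tail after the last partition; the MBR images are constructed in-line, and the known-good bootstrap and the disk size in sectors are assumed to be available from elsewhere.

```python
import struct

SECTOR = 512

def build_mbr(boot_code, partitions):
    # Constructed test MBR: 440 bytes bootstrap, 6 bytes signature/padding, four 16-byte entries, 0x55AA.
    mbr = bytearray(boot_code.ljust(440, b"\x00")[:440]) + bytes(6)
    for p in partitions + [None] * (4 - len(partitions)):
        if p is None:
            mbr += bytes(16)
            continue
        bootable, ptype, start, count = p
        # CHS fields are left zero; the LBA start and sector count at offsets 8 and 12 are what matters.
        mbr += struct.pack("<B3sB3sII", 0x80 if bootable else 0, bytes(3), ptype, bytes(3), start, count)
    return bytes(mbr) + b"\x55\xAA"

def parse_mbr(sector0):
    if len(sector0) != SECTOR or sector0[510:512] != b"\x55\xAA":
        raise ValueError("not a valid MBR: wrong size or missing 0x55AA signature")
    parts = []
    for i in range(4):
        flag, ptype, start, count = struct.unpack_from("<B3xB3xII", sector0, 446 + 16 * i)
        if ptype:   # partition type 0 marks an unused entry
            parts.append({"bootable": flag == 0x80, "type": ptype, "start": start, "count": count})
    return {"boot_code": sector0[:440], "partitions": parts}

def check_mbr(sector0, reference_boot_code, disk_sectors):
    # Findings a responder wants: bootstrap code that differs from a known-good copy, and the size of the
    # unallocated tail after the last partition (where the post above says the driver is kept).
    mbr = parse_mbr(sector0)
    last_end = max((p["start"] + p["count"] for p in mbr["partitions"]), default=1)
    return {
        "boot_code_modified": mbr["boot_code"] != reference_boot_code[:440].ljust(440, b"\x00"),
        "unallocated_tail_sectors": disk_sectors - last_end,
        "bootable_partitions": [p["start"] for p in mbr["partitions"] if p["bootable"]],
    }

# Constructed inputs: a clean image with one NTFS-typed partition, and a copy with three bootstrap bytes altered.
CLEAN_CODE = b"\xEB\x3C\x90CONSTRUCTED-CLEAN-BOOTSTRAP"
CLEAN_MBR = build_mbr(CLEAN_CODE, [(True, 0x07, 2048, 100_000)])
TAMPERED_MBR = CLEAN_MBR[:16] + b"\x00\x00\x00" + CLEAN_MBR[19:]

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(image, CLEAN_CODE, 204_800))
```

Read sector 0 from boot media or from another machine, not from the running system: the post above notes the rootkit hides itself and keeps the original MBR elsewhere, so a live read can return the clean copy and the comparison would pass.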

#5 Berlewan (Topic Starter)

Posted 11 August 2011 - 07:09 PM

Hi quietman7,
Yes, as you suggest, it's an external HD.
Thank you for taking the trouble to explain how an MBR rootkit works. I understand, but superficially, since my background knowledge is very limited. From what you say, would I be wrong in inferring that booting from a CD or memory stick might be one way of attacking this rootkit, somehow?
It's very kind of you to help.

#6 quietman7 (Global Moderator)

Posted 12 August 2011 - 01:18 PM

You may have had the MBR rootkit on your primary drive at some point but the RR log does not provide enough information. There are more effective tools which create comprehensive logs that will tell us more accurately what's going on with your system so I suggest you go that route. Many of the tools we use in this forum are not capable of detecting (repairing/removing) all malware variants so more advanced tools are needed to investigate. Before that can be done you will need to create and post a DDS log for further investigation.


Please read the "Preparation Guide".
  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 7 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.
When you have done that, post your log in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the Malware Response Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, please reply back here with a link to the new topic so we can close this one.

#7 Berlewan (Topic Starter)

Posted 13 August 2011 - 06:04 AM

Thank you, once again. The great amount of volunteer work that has gone into all this is very impressive. I will follow your instructions about posting the log elsewhere.
