Request help please.


15 replies to this topic

#1 Nancy9108

  • Members
  • 147 posts
  • Gender:Female
  • Location:Maryland

Posted 19 October 2012 - 08:21 AM

I am a total novice, however I was able to scan with gmer and I have a log that I need someone familiar with reading the results to see if I have a rootkit. The only thing I see is a "root-like behavior" however it is on a 00 sector on a hard drive. A week ago I received a message from Norton saying it could not delete hacktool.rootkit. I shut down the computer and sent it to a computer repair company. They said they ran 10 virus scan programs and that the rootkit is gone. I just want to make sure. I have also run Kaspersky TDSS killer and it came up with suspicious activity on 11 files and I quarantined these (not knowing anything else to do). I was not sure if I should delete because I am not that knowledgeable about it. According to the instructions I could either "skip" them or quarantine them, which is what I decided to do.

I have run Gmer and have a log saved to my desktop. Is there anyone out there who can look at the log and see if I have any rootkit problem? I would sure appreciate it. I have a quadriplegic son on life support and this computer is extremely important to working with the Drs that help my son. I just cannot afford to have private information hacked. I have reinstalled Norton Internet Security rather than using the Comcast free one.

Any other advice from someone as to how to make sure I don't have any rootkit (especially hacktool.rootkit) on my computer anymore?

Thank you.

Nancy


#2 boopme

    To Insanity and Beyond

  • Global Moderator
  • 72,917 posts
  • Gender:Male
  • Location:NJ USA

Posted 19 October 2012 - 09:29 AM

Hello Nancy, I moved this from XP to the Am I Infected forum.
Please post the logs here.

#3 Nancy9108
  • Topic Starter

  • Members
  • 147 posts
  • Gender:Female
  • Location:Maryland

Posted 21 October 2012 - 10:48 AM

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-10-18 23:20:41
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T0L0-14 rev.
Running: m0e57n9y GMER.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kgdcapow.sys


---- System - GMER 1.0.15 ----

SSDT 8A42F880 ZwAlertResumeThread
SSDT 8A42F940 ZwAlertThread
SSDT 8A495240 ZwAllocateVirtualMemory
SSDT 8A4CB7F0 ZwAssignProcessToJobObject
SSDT 8A568128 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xA8ECCED0]
SSDT 8A457E38 ZwCreateMutant
SSDT 8A425870 ZwCreateSymbolicLinkObject
SSDT 8A3A7348 ZwCreateThread
SSDT 8A4CB8B0 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xA8ECD150]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA8ECD810]
SSDT 8A45F280 ZwDuplicateObject
SSDT 8A49F280 ZwFreeVirtualMemory
SSDT 8A457F08 ZwImpersonateAnonymousToken
SSDT 8A42F800 ZwImpersonateThread
SSDT 8A51AA10 ZwLoadDriver
SSDT 8A4EE2C0 ZwMapViewOfSection
SSDT 8A3EBF48 ZwOpenEvent
SSDT 8A4BF308 ZwOpenProcess
SSDT 8A3D08D0 ZwOpenProcessToken
SSDT 8A3EBE08 ZwOpenSection
SSDT 8A4BF238 ZwOpenThread
SSDT 8A4CB720 ZwProtectVirtualMemory
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwRenameKey [0xA8ECDD80]
SSDT 8A364AA8 ZwResumeThread
SSDT 8A532218 ZwSetContextThread
SSDT 8A532250 ZwSetInformationProcess
SSDT 8A398EC0 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA8ECDAA0]
SSDT 8A3EBE88 ZwSuspendProcess
SSDT 8A364B68 ZwSuspendThread
SSDT 8A41F250 ZwTerminateProcess
SSDT 8A364C28 ZwTerminateThread
SSDT 8A532320 ZwUnmapViewOfSection
SSDT 8A48A238 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

? SYMDS.SYS The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\AirLink101\Common\RaRegistry.exe[136] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 00390048
.text C:\Program Files\AirLink101\Common\RaRegistry.exe[136] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 0037004C
.text C:\Program Files\AirLink101\Common\RaRegistry.exe[136] ADVAPI32.dll!OpenSCManagerW + A3 77DE6FF8 7 Bytes JMP 0039020E
.text C:\Program Files\AirLink101\Common\RaRegistry.exe[136] ADVAPI32.dll!LogonUserExW + 461 77DF4A04 7 Bytes JMP 0039012A
.text C:\Program Files\AirLink101\Common\RaRegistry.exe[136] ADVAPI32.dll!SystemFunction025 + 8D 77DF4C61 7 Bytes JMP 00390682
.text C:\Program Files\AirLink101\Common\RaRegistry.exe[136] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E36E64 7 Bytes JMP 0039059E
.text C:\Program Files\AirLink101\Common\RaRegistry.exe[136] ADVAPI32.dll!ChangeServiceConfigA + 193 77E36FFC 7 Bytes JMP 003903D6
.text C:\Program Files\AirLink101\Common\RaRegistry.exe[136] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E3720C 2 Bytes JMP 003902F2
.text C:\Program Files\AirLink101\Common\RaRegistry.exe[136] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E3720F 4 Bytes [55, 88, EB, F9] {PUSH EBP; MOV BL, CH; STC }
.text C:\Program Files\AirLink101\Common\RaRegistry.exe[136] ADVAPI32.dll!CreateServiceA + 193 77E373A4 7 Bytes JMP 003904BA
.text C:\Program Files\AirLink101\Common\RaRegistry.exe[136] ADVAPI32.dll!CreateServiceW + 103 77E374AC 7 Bytes JMP 00390766
.text C:\Program Files\AirLink101\Common\RaRegistry.exe[136] USER32.dll!DeviceEventWorker + 178 7E45A270 7 Bytes JMP 0039084A
.text C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe[392] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 003C0048
.text C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe[392] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 003A004C
.text C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe[392] ADVAPI32.dll!OpenSCManagerW + A3 77DE6FF8 7 Bytes JMP 003C020E
.text C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe[392] ADVAPI32.dll!LogonUserExW + 461 77DF4A04 7 Bytes JMP 003C012A
.text C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe[392] ADVAPI32.dll!SystemFunction025 + 8D 77DF4C61 7 Bytes JMP 003C0682
.text C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe[392] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E36E64 7 Bytes JMP 003C059E
.text C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe[392] ADVAPI32.dll!ChangeServiceConfigA + 193 77E36FFC 7 Bytes JMP 003C03D6
.text C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe[392] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E3720C 2 Bytes JMP 003C02F2
.text C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe[392] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E3720F 4 Bytes [58, 88, EB, F9] {POP EAX; MOV BL, CH; STC }
.text C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe[392] ADVAPI32.dll!CreateServiceA + 193 77E373A4 7 Bytes JMP 003C04BA
.text C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe[392] ADVAPI32.dll!CreateServiceW + 103 77E374AC 7 Bytes JMP 003C0766
.text C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe[392] USER32.dll!DeviceEventWorker + 178 7E45A270 7 Bytes JMP 003C084A
.text C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe[496] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 003C0048
.text C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe[496] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 003A004C
.text C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe[496] ADVAPI32.dll!OpenSCManagerW + A3 77DE6FF8 7 Bytes JMP 003C020E
.text C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe[496] ADVAPI32.dll!LogonUserExW + 461 77DF4A04 7 Bytes JMP 003C012A
.text C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe[496] ADVAPI32.dll!SystemFunction025 + 8D 77DF4C61 7 Bytes JMP 003C0682
.text C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe[496] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E36E64 7 Bytes JMP 003C059E
.text C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe[496] ADVAPI32.dll!ChangeServiceConfigA + 193 77E36FFC 7 Bytes JMP 003C03D6
.text C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe[496] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E3720C 2 Bytes JMP 003C02F2
.text C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe[496] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E3720F 4 Bytes [58, 88, EB, F9] {POP EAX; MOV BL, CH; STC }
.text C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe[496] ADVAPI32.dll!CreateServiceA + 193 77E373A4 7 Bytes JMP 003C04BA
.text C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe[496] ADVAPI32.dll!CreateServiceW + 103 77E374AC 7 Bytes JMP 003C0766
.text C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe[496] USER32.dll!DeviceEventWorker + 178 7E45A270 7 Bytes JMP 003C084A
.text C:\Program Files\Internet Explorer\iexplore.exe[852] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 0B310048
.text C:\Program Files\Internet Explorer\iexplore.exe[852] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 0B31012A
.text C:\Program Files\Internet Explorer\iexplore.exe[852] kernel32.dll!VirtualProtectEx + 6E 7C801ACF 7 Bytes JMP 0B310594
.text C:\Program Files\Internet Explorer\iexplore.exe[852] kernel32.dll!ReadProcessMemory + 3E 7C80220E 7 Bytes JMP 0B3102EE
.text C:\Program Files\Internet Explorer\iexplore.exe[852] kernel32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 0B3104B2
.text C:\Program Files\Internet Explorer\iexplore.exe[852] kernel32.dll!CreateRemoteThread + 206 7C8106D2 7 Bytes JMP 0B31020C
.text C:\Program Files\Internet Explorer\iexplore.exe[852] kernel32.dll!GetVersionExA + D3 7C812C51 7 Bytes JMP 0B310676
.text C:\Program Files\Internet Explorer\iexplore.exe[852] kernel32.dll!GetProcessHandleCount + 35 7C86229F 7 Bytes JMP 0B3103D0
.text C:\Program Files\Internet Explorer\iexplore.exe[852] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[852] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB24 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[852] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E725F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[852] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E7191 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[852] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E71FC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[852] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E7062 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[852] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E70C4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[852] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E72C2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[852] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E7126 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[852] ole32.dll!CreateBindCtx + B5F 774FF15F 7 Bytes JMP 0B31083A
.text C:\Program Files\Internet Explorer\iexplore.exe[852] ole32.dll!CoImpersonateClient + 51 77515200 7 Bytes JMP 0B310758
.text C:\Program Files\Internet Explorer\iexplore.exe[852] ole32.dll!OleLoadFromStream 7752983B 5 Bytes JMP 3E3E75C7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1660] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 00390048
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1660] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 0037004C
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1660] ADVAPI32.dll!OpenSCManagerW + A3 77DE6FF8 7 Bytes JMP 0039020E
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1660] ADVAPI32.dll!LogonUserExW + 461 77DF4A04 7 Bytes JMP 0039012A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1660] ADVAPI32.dll!SystemFunction025 + 8D 77DF4C61 7 Bytes JMP 00390682
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1660] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E36E64 7 Bytes JMP 0039059E
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1660] ADVAPI32.dll!ChangeServiceConfigA + 193 77E36FFC 7 Bytes JMP 003903D6
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1660] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E3720C 2 Bytes JMP 003902F2
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1660] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E3720F 4 Bytes [55, 88, EB, F9] {PUSH EBP; MOV BL, CH; STC }
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1660] ADVAPI32.dll!CreateServiceA + 193 77E373A4 7 Bytes JMP 003904BA
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1660] ADVAPI32.dll!CreateServiceW + 103 77E374AC 7 Bytes JMP 00390766
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1660] USER32.dll!DeviceEventWorker + 178 7E45A270 7 Bytes JMP 0039084A
.text C:\Program Files\Bonjour\mDNSResponder.exe[1740] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 00390048
.text C:\Program Files\Bonjour\mDNSResponder.exe[1740] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 0037004C
.text C:\Program Files\Bonjour\mDNSResponder.exe[1740] ADVAPI32.dll!OpenSCManagerW + A3 77DE6FF8 7 Bytes JMP 0039020E
.text C:\Program Files\Bonjour\mDNSResponder.exe[1740] ADVAPI32.dll!LogonUserExW + 461 77DF4A04 7 Bytes JMP 0039012A
.text C:\Program Files\Bonjour\mDNSResponder.exe[1740] ADVAPI32.dll!SystemFunction025 + 8D 77DF4C61 7 Bytes JMP 00390682
.text C:\Program Files\Bonjour\mDNSResponder.exe[1740] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E36E64 7 Bytes JMP 0039059E
.text C:\Program Files\Bonjour\mDNSResponder.exe[1740] ADVAPI32.dll!ChangeServiceConfigA + 193 77E36FFC 7 Bytes JMP 003903D6
.text C:\Program Files\Bonjour\mDNSResponder.exe[1740] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E3720C 2 Bytes JMP 003902F2
.text C:\Program Files\Bonjour\mDNSResponder.exe[1740] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E3720F 4 Bytes [55, 88, EB, F9] {PUSH EBP; MOV BL, CH; STC }
.text C:\Program Files\Bonjour\mDNSResponder.exe[1740] ADVAPI32.dll!CreateServiceA + 193 77E373A4 7 Bytes JMP 003904BA
.text C:\Program Files\Bonjour\mDNSResponder.exe[1740] ADVAPI32.dll!CreateServiceW + 103 77E374AC 7 Bytes JMP 00390766
.text C:\Program Files\Bonjour\mDNSResponder.exe[1740] USER32.dll!DeviceEventWorker + 178 7E45A270 7 Bytes JMP 0039084A
.text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[1808] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 00390048
.text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[1808] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 0037004C
.text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[1808] ADVAPI32.dll!OpenSCManagerW + A3 77DE6FF8 7 Bytes JMP 0039020E
.text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[1808] ADVAPI32.dll!LogonUserExW + 461 77DF4A04 7 Bytes JMP 0039012A
.text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[1808] ADVAPI32.dll!SystemFunction025 + 8D 77DF4C61 7 Bytes JMP 00390682
.text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[1808] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E36E64 7 Bytes JMP 0039059E
.text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[1808] ADVAPI32.dll!ChangeServiceConfigA + 193 77E36FFC 7 Bytes JMP 003903D6
.text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[1808] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E3720C 2 Bytes JMP 003902F2
.text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[1808] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E3720F 4 Bytes [55, 88, EB, F9] {PUSH EBP; MOV BL, CH; STC }
.text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[1808] ADVAPI32.dll!CreateServiceA + 193 77E373A4 7 Bytes JMP 003904BA
.text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[1808] ADVAPI32.dll!CreateServiceW + 103 77E374AC 7 Bytes JMP 00390766
.text C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[1808] USER32.dll!DeviceEventWorker + 178 7E45A270 7 Bytes JMP 0039084A
.text C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe[1832] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 00390048
.text C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe[1832] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 0037004C
.text C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe[1832] ADVAPI32.dll!OpenSCManagerW + A3 77DE6FF8 7 Bytes JMP 0039020E
.text C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe[1832] ADVAPI32.dll!LogonUserExW + 461 77DF4A04 7 Bytes JMP 0039012A
.text C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe[1832] ADVAPI32.dll!SystemFunction025 + 8D 77DF4C61 7 Bytes JMP 00390682
.text C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe[1832] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E36E64 7 Bytes JMP 0039059E
.text C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe[1832] ADVAPI32.dll!ChangeServiceConfigA + 193 77E36FFC 7 Bytes JMP 003903D6
.text C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe[1832] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E3720C 2 Bytes JMP 003902F2
.text C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe[1832] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E3720F 4 Bytes [55, 88, EB, F9] {PUSH EBP; MOV BL, CH; STC }
.text C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe[1832] ADVAPI32.dll!CreateServiceA + 193 77E373A4 7 Bytes JMP 003904BA
.text C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe[1832] ADVAPI32.dll!CreateServiceW + 103 77E374AC 7 Bytes JMP 00390766
.text C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe[1832] USER32.dll!DeviceEventWorker + 178 7E45A270 7 Bytes JMP 00390A0E
.text C:\Program Files\Intel\AMT\LMS.exe[1948] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 00380048
.text C:\Program Files\Intel\AMT\LMS.exe[1948] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 0036004C
.text C:\Program Files\Intel\AMT\LMS.exe[1948] ADVAPI32.dll!OpenSCManagerW + A3 77DE6FF8 7 Bytes JMP 0038020E
.text C:\Program Files\Intel\AMT\LMS.exe[1948] ADVAPI32.dll!LogonUserExW + 461 77DF4A04 7 Bytes JMP 0038012A
.text C:\Program Files\Intel\AMT\LMS.exe[1948] ADVAPI32.dll!SystemFunction025 + 8D 77DF4C61 7 Bytes JMP 00380682
.text C:\Program Files\Intel\AMT\LMS.exe[1948] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E36E64 7 Bytes JMP 0038059E
.text C:\Program Files\Intel\AMT\LMS.exe[1948] ADVAPI32.dll!ChangeServiceConfigA + 193 77E36FFC 7 Bytes JMP 003803D6
.text C:\Program Files\Intel\AMT\LMS.exe[1948] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E3720C 2 Bytes JMP 003802F2
.text C:\Program Files\Intel\AMT\LMS.exe[1948] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E3720F 4 Bytes [54, 88, EB, F9] {PUSH ESP; MOV BL, CH; STC }
.text C:\Program Files\Intel\AMT\LMS.exe[1948] ADVAPI32.dll!CreateServiceA + 193 77E373A4 7 Bytes JMP 003804BA
.text C:\Program Files\Intel\AMT\LMS.exe[1948] ADVAPI32.dll!CreateServiceW + 103 77E374AC 7 Bytes JMP 00380766
.text C:\Program Files\Intel\AMT\LMS.exe[1948] USER32.dll!DeviceEventWorker + 178 7E45A270 7 Bytes JMP 0038084A
.text C:\Program Files\iolo\System Mechanic Professional\System Shield\ioloSSTray.exe[2276] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 003A0048
.text C:\Program Files\iolo\System Mechanic Professional\System Shield\ioloSSTray.exe[2276] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 0038004C
.text C:\Program Files\iolo\System Mechanic Professional\System Shield\ioloSSTray.exe[2276] ADVAPI32.dll!OpenSCManagerW + A3 77DE6FF8 7 Bytes JMP 003A020E
.text C:\Program Files\iolo\System Mechanic Professional\System Shield\ioloSSTray.exe[2276] ADVAPI32.dll!LogonUserExW + 461 77DF4A04 7 Bytes JMP 003A012A
.text C:\Program Files\iolo\System Mechanic Professional\System Shield\ioloSSTray.exe[2276] ADVAPI32.dll!SystemFunction025 + 8D 77DF4C61 7 Bytes JMP 003A0682
.text C:\Program Files\iolo\System Mechanic Professional\System Shield\ioloSSTray.exe[2276] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E36E64 7 Bytes JMP 003A059E
.text C:\Program Files\iolo\System Mechanic Professional\System Shield\ioloSSTray.exe[2276] ADVAPI32.dll!ChangeServiceConfigA + 193 77E36FFC 7 Bytes JMP 003A03D6
.text C:\Program Files\iolo\System Mechanic Professional\System Shield\ioloSSTray.exe[2276] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E3720C 2 Bytes JMP 003A02F2
.text C:\Program Files\iolo\System Mechanic Professional\System Shield\ioloSSTray.exe[2276] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E3720F 4 Bytes [56, 88, EB, F9] {PUSH ESI; MOV BL, CH; STC }
.text C:\Program Files\iolo\System Mechanic Professional\System Shield\ioloSSTray.exe[2276] ADVAPI32.dll!CreateServiceA + 193 77E373A4 7 Bytes JMP 003A04BA
.text C:\Program Files\iolo\System Mechanic Professional\System Shield\ioloSSTray.exe[2276] ADVAPI32.dll!CreateServiceW + 103 77E374AC 7 Bytes JMP 003A0766
.text C:\Program Files\iolo\System Mechanic Professional\System Shield\ioloSSTray.exe[2276] USER32.dll!DeviceEventWorker + 178 7E45A270 7 Bytes JMP 003A0A0E
.text C:\Program Files\Google\Gmail Notifier\gnotify.exe[2864] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 00390048
.text C:\Program Files\Google\Gmail Notifier\gnotify.exe[2864] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 0037004C
.text C:\Program Files\Google\Gmail Notifier\gnotify.exe[2864] ADVAPI32.dll!OpenSCManagerW + A3 77DE6FF8 7 Bytes JMP 0039020E
.text C:\Program Files\Google\Gmail Notifier\gnotify.exe[2864] ADVAPI32.dll!LogonUserExW + 461 77DF4A04 7 Bytes JMP 0039012A
.text C:\Program Files\Google\Gmail Notifier\gnotify.exe[2864] ADVAPI32.dll!SystemFunction025 + 8D 77DF4C61 7 Bytes JMP 00390682
.text C:\Program Files\Google\Gmail Notifier\gnotify.exe[2864] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E36E64 7 Bytes JMP 0039059E
.text C:\Program Files\Google\Gmail Notifier\gnotify.exe[2864] ADVAPI32.dll!ChangeServiceConfigA + 193 77E36FFC 7 Bytes JMP 003903D6
.text C:\Program Files\Google\Gmail Notifier\gnotify.exe[2864] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E3720C 2 Bytes JMP 003902F2
.text C:\Program Files\Google\Gmail Notifier\gnotify.exe[2864] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E3720F 4 Bytes [55, 88, EB, F9] {PUSH EBP; MOV BL, CH; STC }
.text C:\Program Files\Google\Gmail Notifier\gnotify.exe[2864] ADVAPI32.dll!CreateServiceA + 193 77E373A4 7 Bytes JMP 003904BA
.text C:\Program Files\Google\Gmail Notifier\gnotify.exe[2864] ADVAPI32.dll!CreateServiceW + 103 77E374AC 7 Bytes JMP 00390766
.text C:\Program Files\Google\Gmail Notifier\gnotify.exe[2864] USER32.dll!DeviceEventWorker + 178 7E45A270 7 Bytes JMP 00390A0E
.text C:\Program Files\iTunes\iTunesHelper.exe[2956] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 00390048
.text C:\Program Files\iTunes\iTunesHelper.exe[2956] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 0037004C
.text C:\Program Files\iTunes\iTunesHelper.exe[2956] ADVAPI32.dll!OpenSCManagerW + A3 77DE6FF8 7 Bytes JMP 0039020E
.text C:\Program Files\iTunes\iTunesHelper.exe[2956] ADVAPI32.dll!LogonUserExW + 461 77DF4A04 7 Bytes JMP 0039012A
.text C:\Program Files\iTunes\iTunesHelper.exe[2956] ADVAPI32.dll!SystemFunction025 + 8D 77DF4C61 7 Bytes JMP 00390682
.text C:\Program Files\iTunes\iTunesHelper.exe[2956] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E36E64 7 Bytes JMP 0039059E
.text C:\Program Files\iTunes\iTunesHelper.exe[2956] ADVAPI32.dll!ChangeServiceConfigA + 193 77E36FFC 7 Bytes JMP 003903D6
.text C:\Program Files\iTunes\iTunesHelper.exe[2956] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E3720C 2 Bytes JMP 003902F2
.text C:\Program Files\iTunes\iTunesHelper.exe[2956] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E3720F 4 Bytes [55, 88, EB, F9] {PUSH EBP; MOV BL, CH; STC }
.text C:\Program Files\iTunes\iTunesHelper.exe[2956] ADVAPI32.dll!CreateServiceA + 193 77E373A4 7 Bytes JMP 003904BA
.text C:\Program Files\iTunes\iTunesHelper.exe[2956] ADVAPI32.dll!CreateServiceW + 103 77E374AC 7 Bytes JMP 00390766
.text C:\Program Files\iTunes\iTunesHelper.exe[2956] USER32.dll!DeviceEventWorker + 178 7E45A270 7 Bytes JMP 0039084A
.text C:\Documents and Settings\Owner\Desktop\m0e57n9y GMER.exe[3644] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 00390048
.text C:\Documents and Settings\Owner\Desktop\m0e57n9y GMER.exe[3644] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 0037004C
.text C:\Documents and Settings\Owner\Desktop\m0e57n9y GMER.exe[3644] ADVAPI32.dll!OpenSCManagerW + A3 77DE6FF8 7 Bytes JMP 0039020E
.text C:\Documents and Settings\Owner\Desktop\m0e57n9y GMER.exe[3644] ADVAPI32.dll!LogonUserExW + 461 77DF4A04 7 Bytes JMP 0039012A
.text C:\Documents and Settings\Owner\Desktop\m0e57n9y GMER.exe[3644] ADVAPI32.dll!SystemFunction025 + 8D 77DF4C61 7 Bytes JMP 00390682
.text C:\Documents and Settings\Owner\Desktop\m0e57n9y GMER.exe[3644] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E36E64 7 Bytes JMP 0039059E
.text C:\Documents and Settings\Owner\Desktop\m0e57n9y GMER.exe[3644] ADVAPI32.dll!ChangeServiceConfigA + 193 77E36FFC 7 Bytes JMP 003903D6
.text C:\Documents and Settings\Owner\Desktop\m0e57n9y GMER.exe[3644] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E3720C 2 Bytes JMP 003902F2
.text C:\Documents and Settings\Owner\Desktop\m0e57n9y GMER.exe[3644] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E3720F 4 Bytes [55, 88, EB, F9] {PUSH EBP; MOV BL, CH; STC }
.text C:\Documents and Settings\Owner\Desktop\m0e57n9y GMER.exe[3644] ADVAPI32.dll!CreateServiceA + 193 77E373A4 7 Bytes JMP 003904BA
.text C:\Documents and Settings\Owner\Desktop\m0e57n9y GMER.exe[3644] ADVAPI32.dll!CreateServiceW + 103 77E374AC 7 Bytes JMP 00390766
.text C:\Documents and Settings\Owner\Desktop\m0e57n9y GMER.exe[3644] USER32.dll!DeviceEventWorker + 178 7E45A270 7 Bytes JMP 0039084A
.text C:\Program Files\iPod\bin\iPodService.exe[3748] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 00390048
.text C:\Program Files\iPod\bin\iPodService.exe[3748] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 0037004C
.text C:\Program Files\iPod\bin\iPodService.exe[3748] ADVAPI32.dll!OpenSCManagerW + A3 77DE6FF8 7 Bytes JMP 0039020E
.text C:\Program Files\iPod\bin\iPodService.exe[3748] ADVAPI32.dll!LogonUserExW + 461 77DF4A04 7 Bytes JMP 0039012A
.text C:\Program Files\iPod\bin\iPodService.exe[3748] ADVAPI32.dll!SystemFunction025 + 8D 77DF4C61 7 Bytes JMP 00390682
.text C:\Program Files\iPod\bin\iPodService.exe[3748] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E36E64 7 Bytes JMP 0039059E
.text C:\Program Files\iPod\bin\iPodService.exe[3748] ADVAPI32.dll!ChangeServiceConfigA + 193 77E36FFC 7 Bytes JMP 003903D6
.text C:\Program Files\iPod\bin\iPodService.exe[3748] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E3720C 2 Bytes JMP 003902F2
.text C:\Program Files\iPod\bin\iPodService.exe[3748] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E3720F 4 Bytes [55, 88, EB, F9] {PUSH EBP; MOV BL, CH; STC }
.text C:\Program Files\iPod\bin\iPodService.exe[3748] ADVAPI32.dll!CreateServiceA + 193 77E373A4 7 Bytes JMP 003904BA
.text C:\Program Files\iPod\bin\iPodService.exe[3748] ADVAPI32.dll!CreateServiceW + 103 77E374AC 7 Bytes JMP 00390766
.text C:\Program Files\iPod\bin\iPodService.exe[3748] USER32.dll!DeviceEventWorker + 178 7E45A270 7 Bytes JMP 0039084A
.text C:\Program Files\AirLink101\Common\RaUI.exe[3808] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 00390048
.text C:\Program Files\AirLink101\Common\RaUI.exe[3808] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 0037004C
.text C:\Program Files\AirLink101\Common\RaUI.exe[3808] ADVAPI32.dll!OpenSCManagerW + A3 77DE6FF8 7 Bytes JMP 0039020E
.text C:\Program Files\AirLink101\Common\RaUI.exe[3808] ADVAPI32.dll!LogonUserExW + 461 77DF4A04 7 Bytes JMP 0039012A
.text C:\Program Files\AirLink101\Common\RaUI.exe[3808] ADVAPI32.dll!SystemFunction025 + 8D 77DF4C61 7 Bytes JMP 00390682
.text C:\Program Files\AirLink101\Common\RaUI.exe[3808] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E36E64 7 Bytes JMP 0039059E
.text C:\Program Files\AirLink101\Common\RaUI.exe[3808] ADVAPI32.dll!ChangeServiceConfigA + 193 77E36FFC 7 Bytes JMP 003903D6
.text C:\Program Files\AirLink101\Common\RaUI.exe[3808] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E3720C 2 Bytes JMP 003902F2
.text C:\Program Files\AirLink101\Common\RaUI.exe[3808] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E3720F 4 Bytes [55, 88, EB, F9] {PUSH EBP; MOV BL, CH; STC }
.text C:\Program Files\AirLink101\Common\RaUI.exe[3808] ADVAPI32.dll!CreateServiceA + 193 77E373A4 7 Bytes JMP 003904BA
.text C:\Program Files\AirLink101\Common\RaUI.exe[3808] ADVAPI32.dll!CreateServiceW + 103 77E374AC 7 Bytes JMP 00390766
.text C:\Program Files\AirLink101\Common\RaUI.exe[3808] USER32.dll!DeviceEventWorker + 178 7E45A270 7 Bytes JMP 0039084A

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Internet Explorer\iexplore.exe[852] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- Files - GMER 1.0.15 ----

File C:\HDDBackup\Documents and Settings\Owner\Desktop\DEAD BACKUP GATEWAY\backup dead gateway4\Drive(C)\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\V724H4NP\cdn.digitalcity.com\pf_top5\top5_best_dollar_store_buys_new.swf\Top5Banner.sol 53 bytes
File C:\HDDBackup\Documents and Settings\Owner\Desktop\DEAD BACKUP GATEWAY\backup dead gateway4\Drive(C)\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\V724H4NP\hires.basspro.com\is-viewers\flash\genericzoomviewer.swf\#BassPro\1506463%5Fi%2D627096sau_init.sol 237 bytes
File C:\HDDBackup\Documents and Settings\Owner\Desktop\DEAD BACKUP GATEWAY\backup dead gateway4\Drive(C)\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\V724H4NP\hires.basspro.com\is-viewers\flash\genericzoomviewer.swf\#BassPro\1516518%5Fi%2D623534terr_init.sol 238 bytes
File C:\HDDBackup\Documents and Settings\Owner\Desktop\DEAD BACKUP GATEWAY\backup dead gateway4\Drive(C)\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\V724H4NP\kohls.com.edgesuite.net\is-viewers\flash\genericzoom.swf\#kohls\317746_init.sol 370 bytes
File C:\HDDBackup\Documents and Settings\Owner\Desktop\DEAD BACKUP GATEWAY\backup dead gateway4\Drive(C)\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\V724H4NP\media.vmixcore.com\player\26856ede42937b18cce370c7892b1057\player.swf\VMIX.sol 43 bytes
File C:\HDDBackup\Documents and Settings\Owner\Desktop\DEAD BACKUP GATEWAY\backup dead gateway4\Drive(C)\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\V724H4NP\media.vmixcore.com\player\f27120ca4740383074d97ffd0c90aa72\player.swf\VMIX.sol 43 bytes
File C:\HDDBackup\Documents and Settings\Owner\Desktop\DEAD BACKUP GATEWAY\backup dead gateway4\Drive(C)\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\V724H4NP\redir.adap.tv\redir\client\AdPlayer8\AdPlayer8-22.9_014313.swf\adap.tv.sol 53 bytes
File C:\HDDBackup\Documents and Settings\Owner\Desktop\DEAD BACKUP GATEWAY\backup dead gateway4\Drive(C)\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\V724H4NP\s7d2.scene7.com\is-viewers\flash\genericzoomviewer.swf\#TheCompanyStore\csf08%5Fdo23_init.sol 234 bytes
File C:\HDDBackup\Documents and Settings\Owner\Desktop\DEAD BACKUP GATEWAY\backup dead gateway4\Drive(C)\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\V724H4NP\us.js2.yimg.com\us.yimg.com\lib\map\swf\loader.mxml_200709061348.swf\YMaps.sol 51 bytes
File C:\HDDBackup\Documents and Settings\Owner\Desktop\DEAD BACKUP GATEWAY\backup dead gateway4\Drive(C)\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\V724H4NP\video.clipsyndicate.com\cs-video\flash\production\1\flvplayer.swf\spotx_session.sol 47 bytes
File C:\HDDBackup\Documents and Settings\Owner\Desktop\DEAD BACKUP GATEWAY\backup dead gateway4\Drive(C)\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\V724H4NP\video.clipsyndicate.com\cs-video\flash\production\2\flvplayer.swf\spotx_session.sol 48 bytes

---- EOF - GMER 1.0.15 ----

#4 boopme

    To Insanity and Beyond

  • Global Moderator
  • 72,917 posts
  • Gender:Male
  • Location:NJ USA

Posted 21 October 2012 - 04:07 PM

To check for and confirm the MBR (Master Boot Record) rootkit.


  • Go to Start > Run and type: cmd.exe
  • press Ok.
  • At the command prompt type: c:\mbr.exe >>"C:\mbr.log"
  • press Enter.
  • The process is automatic...a black DOS window will open and quickly disappear. This is normal.
  • A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
  • Copy and paste the results of the mbr.log in your next reply.
If you have a problem using the command prompt, you can just double-click on mbr.exe to run the tool.

Edited by boopme, 21 October 2012 - 04:07 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 Nancy9108

  • Topic Starter
  • Members
  • 147 posts
  • Gender:Female
  • Location:Maryland

Posted 23 October 2012 - 05:19 PM

Here is what I got when I tried to follow your instructions. I am terribly sorry, but nothing seemed to work. As you can see, I tried to type what you had instructed me to type, but nothing worked. I tried to double-click on the mbr.log and that did not work.

Thank you so very much for your help, but I have no idea what I am doing. I probably am not typing things correctly. Please advise as to the next step. Was I supposed to get the Documents and Settings before the C:\mbr.exe and mbr.log?

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Owner>c:

C:\Documents and Settings\Owner>c:\mbr.exe>>"C:\mbr.log"
'c:\mbr.exe' is not recognized as an internal or external command,
operable program or batch file.

C:\Documents and Settings\Owner>c:mbr.exe>>C:\mbr.log
'c:mbr.exe' is not recognized as an internal or external command,
operable program or batch file.

C:\Documents and Settings\Owner>
C:\Documents and Settings\Owner>
C:\Documents and Settings\Owner>c:\mbr.exe>>C:\mbr.log
'c:\mbr.exe' is not recognized as an internal or external command,
operable program or batch file.

C:\Documents and Settings\Owner>C:\mbr.log

C:\Documents and Settings\Owner>

#6 Nancy9108

  • Topic Starter
  • Members
  • 147 posts
  • Gender:Female
  • Location:Maryland

Posted 23 October 2012 - 05:53 PM

OK, I realized that in previous posts you can get mbr.exe from GMER. I went back and downloaded this to my desktop. Then hit run. Saw the flash of a black screen. Went to C:\ and nothing listed as mbr.log. The only thing I found was mbr but 0 MB. Clicked on that and there was nothing to copy. So will wait for further instructions. Was shooting in the dark.

Thank you again for your patience with me. TRUE NOVICE. But I am trying.

Nancy

#7 Nancy9108

  • Topic Starter
  • Members
  • 147 posts
  • Gender:Female
  • Location:Maryland

Posted 23 October 2012 - 05:58 PM

Hi again. I just realized there was an entry in a Notepad window on my desktop. Here is the information it had in it. I do hope this helps. Does this mean I do have a Hacktool.Rootkit trojan?

Thank you so much for your help. Nancy


Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600

CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
kernel: MBR read successfully
user != kernel MBR !!!

#8 boopme

    To Insanity and Beyond

  • Global Moderator
  • 72,917 posts
  • Gender:Male
  • Location:NJ USA

Posted 23 October 2012 - 09:06 PM

OK, we need some one-on-one help here so we can safely remove this and not lose the PC.
We need you to start a new topic, as we need a deeper look and other tools.

Please follow this Preparation Guide. Do steps 6-9 and post in a new topic named "difficult Rootkit".
Skip the GMER steps. Instead, include this link
http://www.bleepingcomputer.com/forums/topic472387.html/page__pid__2876626#entry2876626
back here to your GMER logs.

Let me know if all went well.

#9 Nancy9108

  • Topic Starter
  • Members
  • 147 posts
  • Gender:Female
  • Location:Maryland

Posted 23 October 2012 - 10:00 PM

I have turned off my computer. Since I have my 27-year-old son on life support, I have my hands full until this Friday. I will have to pick this back up then. Now I really know I am in trouble with this computer. Is keeping it turned off the safest thing to do? Do I have any chance of getting this solved? Is it possible to send my computer to someone who can solve this, since I am a total novice and not good at this type of problem? Would it be better to get another computer and try to transfer the medical information? I really appreciate your help. I am getting email on my iPhone. Are we permitted to give our phone number so we can speak over the phone about this problem? Thank you so very much. Nancy

#10 boopme

    To Insanity and Beyond

  • Global Moderator
  • 72,917 posts
  • Gender:Male
  • Location:NJ USA

Posted 23 October 2012 - 10:14 PM

I am very sorry to hear that Nancy.

Yes, that is wise.
If you can get some time, an hour, to at least create the topic and DDS log in guide and post it. Tell them you can be back Friday. They will wait.
It would be better for you and them, as they need a couple of days to get to your log (very busy). It may make things easier and results quicker for you.

It was my pleasure, and I wish I could have just solved it here, but it will get done.

Edited by boopme, 23 October 2012 - 10:17 PM.


#11 Nancy9108

  • Topic Starter
  • Members
  • 147 posts
  • Gender:Female
  • Location:Maryland

Posted 23 October 2012 - 10:34 PM

I forgot to ask. I enrolled 2 months ago in the just cloud backup system, but according to just cloud, if a virus was backed up it will still be there when I would have to download the files.

At this point can I rely on the backups that were done through just cloud, or do I need to do a backup in a different way? If I do a backup, won't the rootkit also back up and still cause a problem? I keep running Malwarebytes and Kaspersky and the scan keeps coming back with no threats. Very confusing that I still have this rootkit problem. Where would this have come from? I have used computers for about 10 years and have never had this happen. I have had this computer for 6.5 years. I had a wireless network and have been using an AirPort with a Linksys wireless card inside the computer. After my computer came back from another company who ran virus scans, I was told to run a wire from the computer to the wireless router (AirPort). However, they also told me the Hacktool.Rootkit was gone. I also reinstalled Norton as the virus and spyware protection. I need to know what programs I should use in the future so this does not happen again. For about a year I have not been able to install XP Service Pack 2; however, it appears that Service Pack 3 did install. Again, thank you so very much for your help. Obviously I am a novice to all of this and need a lot of help. Thank you. Nancy

#12 Nancy9108

  • Topic Starter
  • Members
  • 147 posts
  • Gender:Female
  • Location:Maryland

Posted 24 October 2012 - 08:12 PM

Hi. What is a DDS login guide? My husband had a deer run into his car, so I had to deal with this today. I can get an hour tomorrow morning but realized I don't know what I am supposed to do.

To confirm, I add the link to the GMER log? Could you please explain how I do this? I almost went to a Mac computer but found out they get malware also. So how do I open a new subject and add the new title and log? Thank you.

#13 boopme

    To Insanity and Beyond

  • Global Moderator
  • 72,917 posts
  • Gender:Male
  • Location:NJ USA

Posted 24 October 2012 - 08:29 PM

No problem with your newness, we don't mind.
Sorry this was not clear.

create the topic and DDS log in guide and post it


Should be..
create the topic and DDS log, in the prep guide and post it

After you run the DDS tool,
go here: Virus, Trojan, Spyware, and Malware Removal Logs (2nd forum down from this one); see step 9 in the Guide for more info.
Create a new topic as you did here.

Copy/paste the logs. If you did not do GMER yet, skip it for now and only post the DDS to save time.



Yes, backed-up malware will rerun when opened again.


2 guidelines/rules when backing up

1) Back up all your important data files, pictures, music, work etc... These are generally safe. These files usually include .doc, .txt, .mp3, .jpg etc...
2) Do not back up any executable files or any Windows files. These include .exe/.scr/.htm/.html/.xml/.zip/.rar files as they may contain traces of malware. Also, .html or .htm files that are webpages should also be avoided.
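
The two backup rules in the post above as a working allow-list filter, added here as an example; it is not the moderator's script or a BleepingComputer tool. It walks a source tree, copies only data-type files, leaves behind executable, script, web-page and archive types, and prunes the Windows directory outright. The extension sets extend the post's own lists (.doc/.txt/.mp3/.jpg kept; .exe/.scr/.htm/.html/.xml/.zip/.rar skipped) and are an assumption, not an exhaustive rule; the sample directory is constructed in a temporary folder, so the script runs anywhere with Python 3 and never touches a real disk. Unknown extensions are skipped, not copied: an allow-list fails closed, while a deny-list passes whatever its author forgot.

```python
from __future__ import annotations

import os
import shutil
import tempfile
from pathlib import Path

# Allow-list of data types generally safe to carry across (constructed from the
# post's list and extended; an assumption, not an exhaustive set).
SAFE_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt", ".rtf",
                   ".jpg", ".jpeg", ".png", ".gif", ".mp3", ".wav", ".mp4"}
# Types that can carry executable content and stay behind (post's list, extended).
RISKY_EXTENSIONS = {".exe", ".scr", ".dll", ".com", ".pif", ".bat", ".cmd",
                    ".vbs", ".js", ".htm", ".html", ".xml", ".zip", ".rar"}
# Directories skipped outright: the OS and program tree gets reinstalled, not restored.
SKIP_DIRS = {"windows", "program files", "system volume information", "recycler"}


def classify(path: Path | str) -> str:
    """Return 'copy' for allow-listed data, 'skip' for everything else."""
    ext = Path(path).suffix.lower()
    if ext in RISKY_EXTENSIONS or ext not in SAFE_EXTENSIONS:
        return "skip"
    return "copy"


def plan_backup(source: Path) -> tuple[list[Path], list[Path]]:
    """Walk the tree and split files into (to_copy, skipped) as source-relative paths."""
    to_copy, skipped = [], []
    for dirpath, dirnames, filenames in os.walk(source):
        # Prune in place so os.walk never descends into the system directories.
        dirnames[:] = [d for d in dirnames if d.lower() not in SKIP_DIRS]
        for name in filenames:
            rel = (Path(dirpath) / name).relative_to(source)
            (to_copy if classify(rel) == "copy" else skipped).append(rel)
    return sorted(to_copy), sorted(skipped)


def run_backup(source: Path, dest: Path) -> int:
    """Copy the allow-listed files, preserving relative layout; return how many."""
    to_copy, _ = plan_backup(source)
    for rel in to_copy:
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(source / rel, target)
    return len(to_copy)


def build_sample_tree(root: Path) -> None:
    """Constructed sample: data files next to a dropper-style .exe, a web page and
    an archive, plus a Windows directory that must be pruned entirely."""
    files = {
        "Documents/medical notes.doc": b"notes",
        "Documents/contacts.txt": b"Dr Smith 555-0100",
        "Pictures/son.jpg": b"\xff\xd8\xff",
        "Downloads/setup.exe": b"MZ",
        "Downloads/page.htm": b"<html>",
        "Downloads/archive.zip": b"PK",
        "WINDOWS/system32/calc.exe": b"MZ",
    }
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def demo() -> tuple[int, list[str], list[str]]:
    """Build the sample tree in a temp dir, back it up, and report
    (files copied, files skipped, files present in the backup)."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "src", Path(tmp) / "backup"
        build_sample_tree(src)
        copied = run_backup(src, dst)
        _, skipped = plan_backup(src)
        restored = sorted(p.relative_to(dst).as_posix()
                          for p in dst.rglob("*") if p.is_file())
        return copied, [s.as_posix() for s in skipped], restored


if __name__ == "__main__":
    print(demo())
```

Restoring a data file does not make it safe to open: Office documents can carry macros and PDFs can carry active content, so the restored set should be scanned with an up-to-date scanner on the clean machine before anything is opened.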

#14 Nancy9108

  • Topic Starter
  • Members
  • 147 posts
  • Gender:Female
  • Location:Maryland

Posted 24 October 2012 - 09:43 PM

OK, will give this a try on Friday. Thank you for your patience.
Nancy

#15 Nancy9108

  • Topic Starter
  • Members
  • 147 posts
  • Gender:Female
  • Location:Maryland

Posted 30 October 2012 - 10:06 PM

After the hurricane, the Internet connection is out. I ran another GMER scan while offline and will post that to a new forum subject when the Internet comes back online. After doing the scan it appears computer programs are not working, so I shut down the computer. Is there anyone I could send my computer to so that this could be fixed by someone who knows rootkit problems and get the computer fixed? The way things are right now I may have a problem getting the important files off my computer. I really need help. I am using my iPhone to communicate at this point.
