

AVG scan found 9 root kits not all removed


12 replies to this topic

#1 Chris Bar

Chris Bar

  • Members
  • 65 posts

Posted 15 March 2013 - 09:14 AM

Scanned with AVG 2013 which found 13 potentially threats and stated not all were removed, then subsequently reported 9 potentially dangerous rootkits - and then stated not all were removed.  Details revealed 4 cases of broken digital signatures (addressed elsewhere) and 9 rootkits [identified such as IRP hook, \Driver\Disk IRP_MJ_CLOSE ->CLASSPNP.SYS Cl].  AVG says not all were removed when they addressed both the total number of 13 problems and when they addressed the 9 rootkits, but I cannot find any more rootkits. 

 

Subsequent numerous scans do not show the rootkits, but still show 3 of the broken digital signatures (I deleted one file to remedy one).  Can I safely assume the rootkits are gone and that I only need to deal with the broken digital signatures?


Edited by Chris Bar, 15 March 2013 - 09:18 AM.




#2 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 15 March 2013 - 01:28 PM

  • Please download TDSSKiller from here and save it to your Desktop
  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters


    [screenshot: tds2.jpg]

  • Check Loaded Modules and Detect TDLFS file system
  • Do not check Verify file digital signatures (even though it is checked in the example)
  • If you are asked to reboot because an "Extended Monitoring Driver is required" please click Reboot now


    [screenshot: 2012081514h0118.png]

  • Click Start Scan and allow the scan process to run

  • If threats are detected select Skip for all of them unless I instruct you otherwise
  • Click Continue


    [screenshot: tds6.jpg]

  • Click Reboot computer
  • Please post the contents of TDSSKiller.[Version]_[Date]_[Time]_log.txt, found in your root directory (typically c:\), in your reply


===================================================


aswMBR

--------------------

  • Download aswMBR and save it to your desktop.
  • Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily. They will interfere and may cause unexpected results.
  • If you need help to disable your protection programs see here
  • Double click the aswMBR.exe file to run it. Please allow when you are asked to download AVAST antivirus engine defs.
  • Wait until the AV update is done, then click on the Scan button to start. The program will launch a scan.


    [screenshot: aswMBR1.png]
  • When done, you will see Scan finished successfully. Please click on Save log and save the file to your desktop.


    [screenshot: aswMBR2.png]
  • Please post the contents of the log in your next reply.

NOTE:  aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.


===================================================


ESET Online Scanner

--------------------

I'd like us to scan your machine with ESET OnlineScan. This process may take several hours, that is normal.

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button [image: esetonlinebtn.png].
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.

    [screenshot: esetsmartinstaller_enu.png]

  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:

    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Copy and paste the information in your next reply. Note: If no malware was found you will not get a log.
  • Click the Back button.
  • Click the Finish button.


===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:

  • TDSSKiller log
  • aswMBR log
  • ESET results

 



#3 Chris Bar

Chris Bar
  • Topic Starter

  • Members
  • 65 posts

Posted 17 March 2013 - 09:59 AM

OK, will take a while to respond...as of yesterday had a few major non-computer issues arise.  Thanks for your help...will get back asap.



#4 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 17 March 2013 - 10:50 AM

:thumbup2:



#5 Chris Bar

Chris Bar
  • Topic Starter

  • Members
  • 65 posts

Posted 20 March 2013 - 12:04 PM

Have results from TDSS and AVAST which show no hits.  Not sure how to post the results..tried copy and paste but no joy.  Not sure can do the ESET since not controlled from here...not comfy.  How do I post the scan results from 1st two...but note the TDSS scan result is 279KB?



#6 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 20 March 2013 - 12:14 PM

The last few lines of the TDSSKiller log are enough.



#7 Chris Bar

Chris Bar
  • Topic Starter

  • Members
  • 65 posts

Posted 21 March 2013 - 09:13 AM

from TDSS last lines...

 

09:06:33.0953 3212  C:\Program Files\Microsoft Office\OFFICE11\MSOHEV.DLL - ok
09:06:33.0968 3212  ============================================================
09:06:33.0968 3212  Scan finished
09:06:33.0968 3212  ============================================================
09:06:33.0984 3196  Detected object count: 0
09:06:33.0984 3196  Actual detected object count: 0
09:09:07.0406 3108  Deinitialize success
 

 

and from AVAST

 

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-03-20 09:19:55
-----------------------------
09:19:55.171    OS Version: Windows 5.1.2600 Service Pack 2
09:19:55.171    Number of processors: 1 586 0x207
09:19:55.171    ComputerName: xxxxxxxxx  UserName: ALL
09:19:55.609    Initialize success
09:22:03.718    AVAST engine defs: 13032000
09:22:47.156    Disk 0  \Device\Harddisk0\DR0 -> \Device\Scsi\Pnp6801Port0Path0Target0Lun0
09:22:47.171    Disk 0 Vendor: WDC_WD12 65.1 Size: 114473MB BusType: 1
09:22:47.171    Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T0L0
09:22:47.171    Disk 1 Vendor: WDC_WD12 75.1 Size: 114473MB BusType: 3
09:22:47.328    Disk 1 MBR read successfully
09:22:47.328    Disk 1 MBR scan
09:22:47.359    Disk 1 unknown MBR code
09:22:47.359    Disk 1 Partition 1 80 (A) 07    HPFS/NTFS NTFS       114463 MB offset 63
09:22:47.359    Disk 1 scanning sectors +234420480
09:22:47.390    Disk 1 scanning C:\WINDOWS\system32\drivers
09:22:59.828    Service scanning
09:23:13.671    Modules scanning
09:23:20.796    Disk 1 trace - called modules:
09:23:21.296    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll IdeChnDr.sys
09:23:21.312    1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0x86b25a00]
09:23:21.312    3 CLASSPNP.SYS[f751405b] -> nt!IofCallDriver -> \Device\00000068[0x86b76f18]
09:23:21.312    5 ACPI.sys[f742c620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0[0x86b76030]
09:23:21.796    AVAST engine scan C:\WINDOWS
09:23:42.578    AVAST engine scan C:\WINDOWS\system32
09:26:03.656    AVAST engine scan C:\WINDOWS\system32\drivers
09:26:23.265    AVAST engine scan C:\Documents and Settings\ALL
10:42:58.171    AVAST engine scan C:\Documents and Settings\All Users
11:00:58.515    Scan finished successfully
12:31:18.140    Disk 1 MBR has been saved successfully to "C:\Documents and Settings\ALL\My Documents\COMPUTER\MBR.dat"
12:31:18.140    The log file has been saved successfully to "C:\Documents and Settings\ALL\My Documents\COMPUTER\aswMBR.txt"


 


Edited by Chris Bar, 21 March 2013 - 10:49 AM.
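As an added example (not a tool from this thread, nor from the TDSSKiller or aswMBR authors), the following Python script parses the two log excerpts posted above and pulls out the facts a helper looks for when deciding whether a rootkit is gone: TDSSKiller's detection counters, aswMBR's MBR status and partition table, and the driver call chain aswMBR traces for the boot disk. An IRP hook of the kind AVG reported (a filter sitting in the disk I/O path, e.g. in front of CLASSPNP.SYS) would show up in that chain as a module outside the expected storage stack. The baseline set `EXPECTED_DISK_STACK` is an assumption for a stock Windows XP IDE system; in practice it is built from a known-good log of the same machine. The sample log text is a constructed copy of the lines posted in this thread.

```python
"""Summarise TDSSKiller and aswMBR log excerpts: detections, MBR status, disk I/O chain."""
import re

# Constructed sample input: the excerpts posted in this thread.
TDSS_LOG = r"""
09:06:33.0953 3212  C:\Program Files\Microsoft Office\OFFICE11\MSOHEV.DLL - ok
09:06:33.0968 3212  Scan finished
09:06:33.0984 3196  Detected object count: 0
09:06:33.0984 3196  Actual detected object count: 0
09:09:07.0406 3108  Deinitialize success
"""

ASWMBR_LOG = r"""
09:22:47.328    Disk 1 MBR read successfully
09:22:47.328    Disk 1 MBR scan
09:22:47.359    Disk 1 unknown MBR code
09:22:47.359    Disk 1 Partition 1 80 (A) 07    HPFS/NTFS NTFS       114463 MB offset 63
09:23:20.796    Disk 1 trace - called modules:
09:23:21.296    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll IdeChnDr.sys
09:23:21.312    1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0x86b25a00]
09:23:21.312    3 CLASSPNP.SYS[f751405b] -> nt!IofCallDriver -> \Device\00000068[0x86b76f18]
09:23:21.312    5 ACPI.sys[f742c620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0[0x86b76030]
11:00:58.515    Scan finished successfully
"""

# ASSUMED baseline: modules expected in the disk I/O path of a stock Windows XP IDE
# system. A real baseline comes from a known-good aswMBR log of the same machine.
EXPECTED_DISK_STACK = {
    "ntoskrnl.exe", "hal.dll", "classpnp.sys", "disk.sys", "partmgr.sys",
    "acpi.sys", "atapi.sys", "idechndr.sys",
}


def _messages(text):
    """Strip the timestamp (and TDSSKiller's thread id) prefix from each non-empty line."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = re.match(r"^\d\d:\d\d:\d\d\.\d+\s+(?:\d+\s+)?(.*)$", line)
        out.append(m.group(1) if m else line)
    return out


def parse_tdsskiller(text):
    """Return scan completion and the two detection counters from a TDSSKiller log."""
    result = {"scan_finished": False, "detected": None, "actual_detected": None}
    for msg in _messages(text):
        if msg == "Scan finished":
            result["scan_finished"] = True
        m = re.match(r"^(Actual )?[Dd]etected object count: (\d+)$", msg)
        if m:
            result["actual_detected" if m.group(1) else "detected"] = int(m.group(2))
    return result


def parse_aswmbr(text):
    """Return per-disk MBR status, partitions and the traced driver chain from an aswMBR log."""
    disks = {}
    result = {"scan_finished": False, "called_modules": [], "disks": disks}
    msgs = _messages(text)
    current_disk = None
    for i, msg in enumerate(msgs):
        if msg == "Scan finished successfully":
            result["scan_finished"] = True
            continue
        m = re.match(r"^Disk (\d+) (.*)$", msg)
        if m:
            n, rest = int(m.group(1)), m.group(2)
            d = disks.setdefault(n, {"mbr_read": False, "mbr_code": "not reported",
                                     "partitions": [], "chain": []})
            if rest == "MBR read successfully":
                d["mbr_read"] = True
            elif rest == "unknown MBR code":
                d["mbr_code"] = "unknown"   # boot code not matched to a known loader
            elif rest.startswith("Partition "):
                p = re.match(r"Partition (\d+) (\w\w) \((\w)\) (\w\w)\s+(\S+)\s+\S+\s+"
                             r"(\d+) MB offset (\d+)", rest)
                if p:
                    d["partitions"].append({"index": int(p.group(1)), "active": p.group(3) == "A",
                                            "type": p.group(4), "fs": p.group(5),
                                            "size_mb": int(p.group(6)), "offset": int(p.group(7))})
            elif rest == "trace - called modules:" and i + 1 < len(msgs):
                current_disk = n
                result["called_modules"] = msgs[i + 1].split()
            continue
        # Trace lines: "<module>[<addr>] -> nt!IofCallDriver -> <device>[<addr>]"
        c = re.match(r"^(\S+?)\[[0-9a-fA-F]+\] -> nt!IofCallDriver -> (\S+)\[", msg)
        if c and current_disk in disks:
            disks[current_disk]["chain"].append(c.group(1))
    for d in disks.values():
        seen = d["chain"] + result["called_modules"]
        d["unexpected_modules"] = sorted({x for x in seen if x.lower() not in EXPECTED_DISK_STACK})
    return result


def assess(tdss, asw):
    """Turn the two parsed logs into plain-language findings."""
    findings = []
    if tdss["scan_finished"] and tdss["actual_detected"] == 0:
        findings.append("TDSSKiller: scan completed, 0 objects detected")
    else:
        findings.append("TDSSKiller: scan incomplete or detections present; review the full log")
    for n, d in sorted(asw["disks"].items()):
        if d["mbr_code"] == "unknown":
            findings.append(f"aswMBR: disk {n} MBR code not recognised by aswMBR; "
                            "compare the saved MBR.dat against a known-good boot sector")
        if d["unexpected_modules"]:
            findings.append(f"aswMBR: disk {n} I/O path has modules outside the baseline: "
                            + ", ".join(d["unexpected_modules"]))
        else:
            findings.append(f"aswMBR: disk {n} I/O path contains only baseline modules")
    if not asw["scan_finished"]:
        findings.append("aswMBR: scan did not finish")
    return findings


if __name__ == "__main__":
    for line in assess(parse_tdsskiller(TDSS_LOG), parse_aswmbr(ASWMBR_LOG)):
        print(line)
```

On the logs posted in this thread the script reports zero TDSSKiller detections and a disk I/O chain made up only of baseline modules, and it singles out the "unknown MBR code" line as the one item worth a follow-up: aswMBR could not match the boot sector to a loader it knows, which is why it keeps the MBR.dat copy that the instructions above say not to delete.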


#8 Chris Bar

Chris Bar
  • Topic Starter

  • Members
  • 65 posts

Posted 24 March 2013 - 08:00 PM

OK?



#9 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 24 March 2013 - 09:05 PM

ESET log?



#10 Chris Bar

Chris Bar
  • Topic Starter

  • Members
  • 65 posts

Posted 25 March 2013 - 01:47 PM

Thanks anyway....cannot turn over admin control.



#11 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 25 March 2013 - 01:52 PM

I don't understand



#12 Chris Bar

Chris Bar
  • Topic Starter

  • Members
  • 65 posts

Posted 27 March 2013 - 04:48 AM

ESET rules state that I must permit ESET to have Admin control of my computer to do the online scan, and the one free scan I wish to hold for a possible future need.  I think that the previous scans removed the rootkits since they have not shown up again.



#13 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 27 March 2013 - 08:38 AM

You should log in to the administrator account to run all these scans.





