
GMER log: Do I have a rootkit?


16 replies to this topic

#1 bughunt


Posted 10 December 2013 - 02:54 AM

http://sagearchetype.blogspot.in/2013/12/my-rootkit.html

 

Above are screenshots from GMER.

Do I have a rootkit?

Have run the following: Spybot, Malwarebytes, Microsoft Essentials, Avast Antivirus. They haven't found any bugs. Have run CCleaner.

After running CHKDSK and running GMER again, the alerts in the two screenshots then disappeared??

My PC is awfully slow, though I have only 1 GB RAM. But the PC has become slower than before.

Also ran other anti-rootkit tools, TDSSKiller and RootkitRevealer, and some others.

Screenshots in above link.

 

 




#2 cryptodan

Bleepin Madman

Posted 10 December 2013 - 07:00 AM

Can you post the logs for the tools you have run?

#3 bughunt

Topic Starter

Posted 11 December 2013 - 09:44 PM

Sorry for the late response. My PC is very slow; I have uninstalled most of the anti-malware programs and Comodo Firewall.

These are screenshots from RootRepeal.
http://sagearchetype.blogspot.in/2013/12/root-repeal-log.html

There seem to be clones of some .sys files. My PC takes time to boot up and is slow.

 

RootkitRevealer Log:

 

HKLM\SECURITY\Policy\Secrets\SAC* 18/01/2013 19:59 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 18/01/2013 19:59 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 11/12/2013 08:57 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\OfflineDetectionPending 11/12/2013 08:53 4 bytes Hidden from Windows API.
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 11/12/2013 08:52 64.00 KB Visible in Windows API, but not in MFT or directory index.
 
Avast anti-rootkit Log:
aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-12-11 14:58:54
-----------------------------
14:58:54.234    OS Version: Windows 5.1.2600 Service Pack 3
14:58:54.250    Number of processors: 2 586 0x1C02
14:58:54.250    ComputerName: HIVE  UserName: 
14:58:56.984    Initialize success
14:59:10.500    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
14:59:10.500    Disk 0 Vendor: ST980811AS 3.ALC Size: 76319MB BusType: 3
14:59:10.734    Disk 0 MBR read successfully
14:59:10.734    Disk 0 MBR scan
14:59:10.734    Disk 0 Windows XP default MBR code
14:59:10.734    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS        76312 MB offset 63
14:59:10.765    Disk 0 scanning sectors +156288384
14:59:11.093    Disk 0 scanning C:\WINDOWS\system32\drivers
14:59:49.937    Service scanning
15:00:45.718    Modules scanning
15:01:17.984    Disk 0 trace - called modules:
15:01:18.000    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys 
15:01:18.015    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86d72ab8]
15:01:18.015    3 CLASSPNP.SYS[f7548fd7] -> nt!IofCallDriver -> \Device\00000068[0x86d843b8]
15:01:18.015    5 ACPI.sys[f73df620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86d83940]
15:01:18.015    Scan finished successfully
15:04:43.796    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\admin\Desktop\MBR.dat"
15:04:43.796    The log file has been saved successfully to "C:\Documents and Settings\admin\Desktop\aswMBR.txt"
 
 
GMER Log: (the previous detections shown in the screenshots above have gone)
GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-12-11 14:20:45
Windows 5.1.2600 Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST980811AS rev.3.ALC 74.53GB
Running: lqh94vc1.exe; Driver: C:\DOCUME~1\admin\LOCALS~1\Temp\pxtdipow.sys
 
 
---- Kernel code sections - GMER 2.1 ----
 
?  C:\WINDOWS\system32\Drivers\RKREVEAL150.SYS  The system cannot find the file specified. !
 
---- EOF - GMER 2.1 ----
 
 

Running Windows Malicious Software Removal Tool and Kaspersky Antivirus.

I am using an ASUS notebook.


Edited by bughunt, 11 December 2013 - 09:49 PM.


#4 cryptodan

Bleepin Madman

Posted 12 December 2013 - 06:22 AM

Please download MiniToolBox, save it to your desktop, run it, and checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.
Note: When using "Reset FF Proxy Settings" option Firefox should be closed.

#5 bughunt

Topic Starter

Posted 12 December 2013 - 11:08 AM

MiniToolBox by Farbar  Version: 13-07-2013
Ran by oracle1000 (administrator) on 12-12-2013 at 21:34:22
Running from "C:\Documents and Settings\admin\My Documents\Downloads"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************
 
========================= Flush DNS: ===================================
 
 
Windows IP Configuration
 
 
 
Successfully flushed the DNS Resolver Cache.
 
 
========================= IE Proxy Settings: ============================== 
 
Proxy is not enabled.
ProxyServer: :0
 
"Reset IE Proxy Settings": IE Proxy Settings were reset.
 
========================= FF Proxy Settings: ============================== 
 
 
"Reset FF Proxy Settings": Firefox Proxy settings were reset.
 
========================= Hosts content: =================================
 
 
127.0.0.1       localhost
127.0.0.1       localhost
127.0.0.1       localhost
 
========================= IP Configuration: ================================
 
802.11n Wireless LAN Card = Wireless Network Connection (Connected)
Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller = Local Area Connection 2 (Media disconnected)
 
 
# ---------------------------------- 
# Interface IP Configuration         
# ---------------------------------- 
pushd interface ip
 
 
# Interface IP Configuration for "Local Area Connection 2"
 
set address name="Local Area Connection 2" source=dhcp 
set dns name="Local Area Connection 2" source=dhcp register=PRIMARY
set wins name="Local Area Connection 2" source=dhcp
 
# Interface IP Configuration for "Wireless Network Connection"
 
set address name="Wireless Network Connection" source=dhcp 
set dns name="Wireless Network Connection" source=dhcp register=PRIMARY
set wins name="Wireless Network Connection" source=dhcp
 
 
popd
# End of interface IP configuration
 
 
 
 
Windows IP Configuration
 
 
 
        Host Name . . . . . . . . . . . . : hive
 
        Primary Dns Suffix  . . . . . . . : 
 
        Node Type . . . . . . . . . . . . : Unknown
 
        IP Routing Enabled. . . . . . . . : No
 
        WINS Proxy Enabled. . . . . . . . : No
 
 
 
Ethernet adapter Local Area Connection 2:
 
 
 
        Media State . . . . . . . . . . . : Media disconnected
 
        Description . . . . . . . . . . . : Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller
 
        Physical Address. . . . . . . . . : 00-22-15-70-16-03
 
 
 
Ethernet adapter Wireless Network Connection:
 
 
 
        Connection-specific DNS Suffix  . : 
 
        Description . . . . . . . . . . . : 802.11n Wireless LAN Card
 
        Physical Address. . . . . . . . . : 00-15-AF-CB-5D-C2
 
        Dhcp Enabled. . . . . . . . . . . : Yes
 
        Autoconfiguration Enabled . . . . : Yes
 
        IP Address. . . . . . . . . . . . : 192.168.1.101
 
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
 
        Default Gateway . . . . . . . . . : 192.168.1.1
 
        DHCP Server . . . . . . . . . . . : 192.168.1.1
 
        DNS Servers . . . . . . . . . . . : 218.248.245.1
 
                                            218.248.255.141
 
        Lease Obtained. . . . . . . . . . : 12 December 2013 21:27:38
 
        Lease Expires . . . . . . . . . . : 13 December 2013 21:27:38
 
Server:  UnKnown
Address:  218.248.245.1
 
Name:    google.com
Addresses:  74.125.236.166, 74.125.236.167, 74.125.236.168, 74.125.236.169
 74.125.236.174, 74.125.236.160, 74.125.236.161, 74.125.236.162, 74.125.236.163
 74.125.236.164, 74.125.236.165
 
 
 
Pinging google.com [74.125.236.168] with 32 bytes of data:
 
 
 
Reply from 74.125.236.168: bytes=32 time=105ms TTL=56
 
Reply from 74.125.236.168: bytes=32 time=228ms TTL=56
 
 
 
Ping statistics for 74.125.236.168:
 
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
 
Approximate round trip times in milli-seconds:
 
    Minimum = 105ms, Maximum = 228ms, Average = 166ms
 
Server:  UnKnown
Address:  218.248.245.1
 
Name:    yahoo.com
Addresses:  98.139.183.24, 206.190.36.45, 98.138.253.109
 
 
 
Pinging yahoo.com [98.139.183.24] with 32 bytes of data:
 
 
 
Reply from 98.139.183.24: bytes=32 time=476ms TTL=50
 
Reply from 98.139.183.24: bytes=32 time=305ms TTL=50
 
 
 
Ping statistics for 98.139.183.24:
 
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
 
Approximate round trip times in milli-seconds:
 
    Minimum = 305ms, Maximum = 476ms, Average = 390ms
 
 
 
Pinging 127.0.0.1 with 32 bytes of data:
 
 
 
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
 
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
 
 
 
Ping statistics for 127.0.0.1:
 
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
 
Approximate round trip times in milli-seconds:
 
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
 
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 22 15 70 16 03 ...... Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller - Packet Scheduler Miniport
0x3 ...00 15 af cb 5d c2 ...... 802.11n Wireless LAN Card - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.101  40
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1  1
      192.168.1.0    255.255.255.0    192.168.1.101   192.168.1.101  40
    192.168.1.101  255.255.255.255        127.0.0.1       127.0.0.1  40
    192.168.1.255  255.255.255.255    192.168.1.101   192.168.1.101  40
        224.0.0.0        240.0.0.0    192.168.1.101   192.168.1.101  40
  255.255.255.255  255.255.255.255    192.168.1.101   192.168.1.101  1
  255.255.255.255  255.255.255.255    192.168.1.101               2  1
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================
 
Catalog5 01 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\WINDOWS\system32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 01 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 02 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 03 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 04 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 05 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 06 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 07 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 08 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 09 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 10 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 11 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 12 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 13 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 14 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 15 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 16 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 17 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 18 C:\WINDOWS\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 19 C:\WINDOWS\system32\rsvpsp.dll [92672] (Microsoft Corporation)
 
========================= Event log errors: ===============================
 
Application errors:
==================
Error: (12/10/2013 07:34:46 PM) (Source: MPSampleSubmission) (User: )
Description: mptelemetrymicrosoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094)4.4.304.0timeout1.1.10100.0fixed2 _ 10245 _ not bootNILNILNIL
 
Error: (12/10/2013 07:30:53 PM) (Source: MPSampleSubmission) (User: )
Description: mptelemetrymicrosoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094)4.4.304.0timeout1.1.10100.0fixed2 _ 10245 _ not bootNILNILNIL
 
Error: (12/10/2013 05:37:33 PM) (Source: Application Hang) (User: )
Description: Hanging application explorer.exe, version 6.0.2900.5512, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
 
Error: (12/10/2013 05:37:02 PM) (Source: Application Hang) (User: )
Description: Hanging application explorer.exe, version 6.0.2900.5512, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
 
Error: (12/10/2013 02:32:43 PM) (Source: ESENT) (User: )
Description: Catalog Database (1304) Database C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb was partially detached.  Error -1032 encountered updating database headers.
 
Error: (12/10/2013 02:32:43 PM) (Source: ESENT) (User: )
Description: Catalog Database (1304) Unable to write a shadowed header for file C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb. Error -1032.
 
Error: (12/10/2013 02:32:43 PM) (Source: ESENT) (User: )
Description: svchost (1304) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb" for read / write access failed with system error 5 (0x00000005): "Access is denied. ".  The open file operation will fail with error -1032 (0xfffffbf8).
 
Error: (12/09/2013 09:16:52 AM) (Source: Application Error) (User: )
Description: Faulting application TJREUE.exe, version 1.71.0.0, faulting module TJREUE.exe, version 1.71.0.0, fault address 0x0004c490.
Processing media-specific event for [TJREUE.exe!ws!]
 
Error: (12/08/2013 01:15:38 PM) (Source: Userenv) (User: HIVE)
Description: Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.
 
Error: (12/08/2013 01:15:07 PM) (Source: Userenv) (User: HIVE)
Description: Windows has backed up this user's profile. Windows will automatically try to use the backed up profile the next time this user logs on.
 
 
System errors:
=============
Error: (12/12/2013 09:27:36 PM) (Source: Dhcp) (User: )
Description: The IP address lease 192.168.1.101 for the Network Card with network address 0015AFCB5DC2 has been
denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
 
Error: (12/12/2013 01:05:34 PM) (Source: Dhcp) (User: )
Description: The IP address lease 192.168.1.101 for the Network Card with network address 0015AFCB5DC2 has been
denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
 
Error: (12/12/2013 07:58:19 AM) (Source: W32Time) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible. 
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.
 
Error: (12/12/2013 07:58:19 AM) (Source: W32Time) (User: )
Description: Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)
 
Error: (12/12/2013 07:57:06 AM) (Source: Service Control Manager) (User: )
Description: The StarOpen service failed to start due to the following error: 
%%2
 
Error: (12/11/2013 02:29:07 PM) (Source: Service Control Manager) (User: )
Description: The StarOpen service failed to start due to the following error: 
%%2
 
Error: (12/11/2013 02:28:44 PM) (Source: Dhcp) (User: )
Description: The IP address lease 192.168.1.101 for the Network Card with network address 0015AFCB5DC2 has been
denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
 
Error: (12/11/2013 11:04:28 AM) (Source: 0) (User: )
Description: \Device\Ide\IdePort0
 
Error: (12/11/2013 11:04:27 AM) (Source: 0) (User: )
Description: \Device\Ide\IdePort0
 
Error: (12/11/2013 11:03:57 AM) (Source: 0) (User: )
Description: \Device\Ide\IdePort0
 
 
Microsoft Office Sessions:
=========================
Error: (12/10/2013 07:34:46 PM) (Source: MPSampleSubmission)(User: )
Description: mptelemetrymicrosoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094)4.4.304.0timeout1.1.10100.0fixed2 _ 10245 _ not bootNILNILNIL
 
Error: (12/10/2013 07:30:53 PM) (Source: MPSampleSubmission)(User: )
Description: mptelemetrymicrosoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094)4.4.304.0timeout1.1.10100.0fixed2 _ 10245 _ not bootNILNILNIL
 
Error: (12/10/2013 05:37:33 PM) (Source: Application Hang)(User: )
Description: explorer.exe6.0.2900.5512hungapp0.0.0.000000000
 
Error: (12/10/2013 05:37:02 PM) (Source: Application Hang)(User: )
Description: explorer.exe6.0.2900.5512hungapp0.0.0.000000000
 
Error: (12/10/2013 02:32:43 PM) (Source: ESENT)(User: )
Description: Catalog Database1304C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb-1032
 
Error: (12/10/2013 02:32:43 PM) (Source: ESENT)(User: )
Description: Catalog Database1304C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb-1032
 
Error: (12/10/2013 02:32:43 PM) (Source: ESENT)(User: )
Description: svchost1304C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb-1032 (0xfffffbf8)5 (0x00000005)Access is denied.
 
Error: (12/09/2013 09:16:52 AM) (Source: Application Error)(User: )
Description: TJREUE.exe1.71.0.0TJREUE.exe1.71.0.00004c490
 
Error: (12/08/2013 01:15:38 PM) (Source: Userenv)(User: HIVE)
Description: 
 
Error: (12/08/2013 01:15:07 PM) (Source: Userenv)(User: HIVE)
Description: 
 
 
=========================== Installed Programs ============================
 
Adobe Flash Player 11 ActiveX (Version: 11.9.900.170)
Adobe Flash Player 11 Plugin (Version: 11.9.900.170)
Adobe Reader XI (11.0.05) (Version: 11.0.05)
Azurewave Wireless LAN (Version: 1.00.0000)
CCleaner (Version: 4.07)
Cisco Packet Tracer 5.3.3
erLT (Version: 1.20.138.34)
ETDWare PS/2-x86 7.0.4.3 WHQL
Google Chrome (Version: 28.0.1500.72)
Google Talk Plugin (Version: 4.2.1.14031)
Google Talk Plugin (Version: 4.9.1.16010)
Google Update Helper (Version: 1.3.22.3)
High Definition Audio Driver Package - KB888111 (Version: 20040219.000000)
Intel® Graphics Media Accelerator Driver
Java 7 Update 25 (Version: 7.0.250)
Java Auto Updater (Version: 2.1.9.5)
Memoryze (Version: 3.0.0)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft Office Word Viewer 2003 (Version: 11.0.8173.0)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
Mozilla Firefox 25.0.1 (x86 en-US) (Version: 25.0.1)
Mozilla Maintenance Service (Version: 25.0.1)
MSVC90_x86 (Version: 1.0.1.2)
Notepad++ (Version: 6.3)
QuickTime
Realtek High Definition Audio Driver (Version: 5.10.0.5612)
Speccy (Version: 1.24)
Ubuntu (Version: 12.04.3-rev279)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Windows Internet Explorer 8 (KB2598845) (Version: 1)
Update for Windows XP (KB2345886) (Version: 1)
Update for Windows XP (KB2467659) (Version: 1)
Update for Windows XP (KB2661254-v2) (Version: 2)
Update for Windows XP (KB2736233) (Version: 1)
Update for Windows XP (KB2749655) (Version: 1)
Update for Windows XP (KB2863058) (Version: 1)
Update for Windows XP (KB898461) (Version: 1)
Update for Windows XP (KB951978) (Version: 1)
Update for Windows XP (KB955759) (Version: 1)
Update for Windows XP (KB968389) (Version: 1)
Update for Windows XP (KB971029) (Version: 1)
Update for Windows XP (KB973815) (Version: 1)
VLC media player 2.0.5 (Version: 2.0.5)
WebFldrs XP (Version: 9.50.7523)
Windows Genuine Advantage Notifications (KB905474) (Version: 1.9.0040.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0069.2)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows XP Service Pack 3 (Version: 20080414.031525)
WinPcap 4.1.1 (Version: 4.1.0.1753)
XML Paper Specification Shared Components Pack 1.0
Yahoo! Toolbar
 
========================= Memory info: ===================================
 
Percentage of memory in use: 36%
Total physical RAM: 1015.17 MB
Available physical RAM: 643.97 MB
Total Pagefile: 2436.54 MB
Available Pagefile: 2238.9 MB
Total Virtual: 2047.88 MB
Available Virtual: 1974.97 MB
 
========================= Partitions: =====================================
 
1 Drive c: () (Fixed) (Total:74.52 GB) (Free:36.99 GB) NTFS
 
========================= Users: ========================================
 
User accounts for \\HIVE
 
cpo3                     Guest                    HelpAssistant            
jedi1155                 light                    oracle1000               
SUPPORT_388945a0         
 
 
**** End of log ****
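The Result.txt above, triaged the way a responder reads it. This is an added example in Python, not MiniToolBox's code and not anything posted in the thread: it re-implements the four checks cryptodan's option list is designed to surface (hosts-file redirects, an injected IE proxy, DNS servers outside the LAN, Winsock LSPs loaded from outside System32) and runs them over a constructed excerpt modelled on the posted log. The 203.0.113.5 www.google.com hosts line and the Temp\lsp.dll Winsock entry are invented so that the checks have something to flag; everything else in the sample is taken from the report above.

```python
"""Triage of a MiniToolBox Result.txt like the one posted above.

Added example, not MiniToolBox's own code.  SAMPLE is a constructed excerpt
modelled on the posted log; the www.google.com hosts line and the
Temp\\lsp.dll Winsock entry are invented to give the checks a positive hit.
"""
import ipaddress
import re

SAMPLE = r"""
========================= IE Proxy Settings: ==============================
Proxy is not enabled.
ProxyServer: :0
========================= Hosts content: =================================
127.0.0.1       localhost
203.0.113.5     www.google.com   # constructed hijack line
========================= IP Configuration: ================================
        DNS Servers . . . . . . . . . . . : 218.248.245.1
                                            218.248.255.141
        Lease Obtained. . . . . . . . . . : 12 December 2013 21:27:38
========================= Winsock entries =====================================
Catalog5 01 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 18 C:\WINDOWS\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 20 C:\Documents and Settings\admin\Local Settings\Temp\lsp.dll [20480] ()
"""

SECTION_RE = re.compile(r"^=+\s*(.+?):?\s*=+\s*$")
WINSOCK_RE = re.compile(r"^Catalog\d+\s+\d+\s+(.+?\.dll)\s+\[\d+\]\s+\((.*)\)$", re.I)


def split_sections(text):
    """Map each '===== Name: =====' header to the non-empty lines beneath it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1)
            sections[current] = []
        elif current is not None and line:
            sections[current].append(line)
    return sections


def check_hosts(lines):
    """A hosts entry pointing anywhere but loopback/0.0.0.0 silently redirects that name."""
    findings = []
    for line in lines:
        fields = line.split("#", 1)[0].split()   # drop trailing comments
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        if not (addr.is_loopback or addr.is_unspecified):
            findings.append(f"hosts file redirects {', '.join(fields[1:])} to {addr}")
    return findings


def check_proxy(lines):
    """Adware commonly routes the browser through a local proxy to inject content."""
    enabled = any(line.lower().startswith("proxy is enabled") for line in lines)
    servers = [line.split(":", 1)[1].strip() for line in lines if line.startswith("ProxyServer:")]
    return [f"IE proxy enabled, traffic routed via {s}" for s in servers if enabled and s not in ("", ":0")]


def check_dns(lines):
    """List resolvers outside private ranges so they can be verified against the ISP."""
    servers, collecting = [], False
    for line in lines:
        if line.startswith("DNS Servers"):
            collecting, line = True, line.split(":", 1)[1]
        elif collecting and ". ." in line:      # next dotted field ends the list
            collecting = False
        if collecting:
            try:
                servers.append(ipaddress.ip_address(line.strip()))
            except ValueError:
                collecting = False
    return [f"DNS server {s} is outside the LAN; confirm it belongs to the ISP"
            for s in servers if not s.is_private]


def check_winsock(lines):
    """Every LSP sees all socket traffic; a clean XP box lists only Microsoft DLLs in System32."""
    findings = []
    for line in lines:
        match = WINSOCK_RE.match(line)
        if not match:
            continue
        path, publisher = match.group(1), match.group(2).strip()
        problems = []
        if "\\system32\\" not in path.lower():
            problems.append("outside System32")
        if not publisher:
            problems.append("no publisher")
        if problems:
            findings.append(f"Winsock LSP {path} ({'; '.join(problems)})")
    return findings


def triage(result_txt):
    s = split_sections(result_txt)
    return (check_proxy(s.get("IE Proxy Settings", []))
            + check_hosts(s.get("Hosts content", []))
            + check_dns(s.get("IP Configuration", []))
            + check_winsock(s.get("Winsock entries", [])))


if __name__ == "__main__":
    print("\n".join(triage(SAMPLE)))
```

On the real report above only the DNS check fires, and it fires as a verification item rather than a detection: 218.248.245.1 and 218.248.255.141 are simply not on the LAN, which is what you expect when an ISP hands out its own resolvers over DHCP, so the responder confirms them with the ISP rather than treating them as a hit.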


#6 bughunt

Topic Starter

Posted 12 December 2013 - 11:13 AM

Also, in Start/All Programs/Startup I saw a strange entry, _uninst.exe or something like this. I went to the location shown when I moved my mouse over it, that is C:\Documents and Settings\admin\Local Settings\Temp, and the program was there, but later when I right-clicked the program in Startup it vanished?

Also I see a Remote Desktop icon link in My Documents when I enable showing hidden files.

Ran Windows Malicious Software Removal Tool, found nothing.

Renamed accounts, but in Documents and Settings they still retain the old names. Is this normal?


Edited by bughunt, 12 December 2013 - 11:18 AM.


#7 quietman7

Bleepin' Janitor
Global Moderator

Posted 12 December 2013 - 02:16 PM

Rootkit Revealer scans the HKLM\Security\Policy hive which contains SAC* and SAI* hidden keys with embedded (trailing) nulls. This is normal and not a cause for alarm. The presence of some keys with nulls may be pertinent to the correct operation of related applications. The Windows API treats key names as null-terminated strings whereas the kernel treats them as counted strings. See RKR 1.71 and HKLM\Security\Policy\Secrets.

A data mismatch is a discrepancy which will occur if a Registry value is updated while the Registry scan is in progress. Values that change frequently include timestamps such as the Microsoft SQL Server uptime value, shown below, and virus scanner "last scan" values. You should investigate any reported value to ensure that it's a valid application or system Registry value.

For more information, please refer to Info on common RKR log entries such as:

SoftwareDistribution\DataStore
WinGenerics
ODBCINST Entries
Data Mismatches
InprocServer32/embedded nulls
Zero Bytes
Daemon Tools and Alcohol software entries
Cryptography\RNG\Seed\
System Volume Information\_restore
Prefetch


FYI: Not all hidden components detected by anti-rootkit (ARK) scanners and security tools are malicious. It is normal for a firewall, anti-virus and anti-malware software, CD emulators, virtual machines, sandboxes and Host-based Intrusion Prevention Systems (HIPS) to exhibit rootkit-like behavior or hook into the OS kernel/SSDT (System Service Descriptor Table) in order to protect your system. SSDT is a table that stores addresses of functions that are used by Windows. Whenever a function is called, Windows looks in this table to find the address for it. Both legitimate programs and rootkits can hook into and alter this table.

API kernel hooks are not always bad since some system monitoring software and security tools use them as well. If no hooks are active on a system it means that all system services are handled by ntoskrnl.exe, which is a base component of Windows operating systems and the process used in the boot-up cycle of a computer. ARK scanners do not differentiate between what is good and what is bad; they only report what is found. Therefore, even on a clean system some hidden essential components may be detected when performing a scan to check for the presence of rootkits. As such, you should not be alarmed if you see any hidden entries created by legitimate programs after performing a scan.

Generally when a system is infected with a malicious rootkit, there are other indications (symptoms of infection) something is wrong such as slow performance, high CPU usage, browser redirects, BSODs, etc.

In most cases further investigation is required after the initial ARK scan by someone trained in rootkit detection or with advanced knowledge of the operating system. Report logs need to be analyzed and detected components identified in order to determine if they are benign, system critical or malevolent before attempting removal.


Some ARK tools like GMER are intended for advanced users or to be used under the guidance of an expert who can interpret the log results and investigate them for malicious entries before taking any removal action. Even with advanced training, trying to interpret GMER results can be confusing at best as there could be many legitimate entries in its log. If you're unsure how to use a particular anti-rootkit (ARK) tool or interpret the log it generates, then you probably should not be using it, as most folks panic or become alarmed at the scan results without knowing what they mean.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
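The cross-view comparison quietman7 describes (a Windows API view built from null-terminated strings set against the raw hive's counted strings, with any value rewritten mid-scan showing up as a mismatch) is what produces the three line types in the RootkitRevealer log posted earlier. The following is an added example in Python, not part of the thread and not RootkitRevealer's code: it simulates both views over a constructed hive snapshot modelled on the posted entries, emits the same three discrepancy labels, and then applies the post's known-benign reasoning. The Services\rk0 key is hypothetical and stands in for a key that an API filter hides; which keys are absent from the API pass and which values change during the scan are inputs to the simulation, not observations about the poster's machine.

```python
"""Cross-view registry diffing, the technique RootkitRevealer (RKR) applies and
quietman7's post above interprets.  Added example, not RKR's code: a simulation
of a raw hive snapshot (kernel-style counted strings) beside the Win32 API view
(null-terminated strings, optionally with keys missing from enumeration) that
emits the three discrepancy classes seen in the posted log, then applies the
post's "known benign" reasoning.  All registry content is constructed; the
Services\\rk0 key is hypothetical and stands in for a key a rootkit hides."""
from dataclasses import dataclass

NUL = "\x00"


@dataclass(frozen=True)
class RawKey:
    path: str    # counted string exactly as stored in the hive; may contain NUL
    data: bytes  # value bytes at the moment the hive snapshot was taken


# Constructed hive snapshot modelled on the entries in the RKR log posted above.
SNAPSHOT = [
    RawKey("HKLM\\SECURITY\\Policy\\Secrets\\SAC" + NUL, b""),
    RawKey("HKLM\\SECURITY\\Policy\\Secrets\\SAI" + NUL, b""),
    RawKey("HKLM\\SOFTWARE\\Microsoft\\Cryptography\\RNG\\Seed", bytes(range(80))),
    RawKey("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate"
           "\\Auto Update\\OfflineDetectionPending", b"\x01\x00\x00\x00"),
    RawKey("HKLM\\SYSTEM\\CurrentControlSet\\Services\\rk0", b"hypothetical"),
    RawKey("HKLM\\SOFTWARE\\Example\\Visible", b"unchanged"),
]
# Values the OS rewrote between the snapshot and the API read (CryptoAPI
# reseeds RNG\Seed continuously) ...
LIVE_CHANGES = {"HKLM\\SOFTWARE\\Microsoft\\Cryptography\\RNG\\Seed": bytes(range(80, 160))}
# ... and keys the API enumeration does not return, whether because a hooked
# API filters them or because they were created after the API pass ran.
API_MISSING = {
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate\\Auto Update\\OfflineDetectionPending",
    "HKLM\\SYSTEM\\CurrentControlSet\\Services\\rk0",
}
# Path prefixes the post above calls normal, with the reason.
KNOWN_BENIGN = {
    "HKLM\\SECURITY\\Policy\\Secrets\\": "SAC*/SAI* keys carry trailing nulls; normal per the post above",
    "HKLM\\SOFTWARE\\Microsoft\\Cryptography\\RNG\\Seed": "reseeded continuously; mismatch is a scan-timing artifact",
}


def raw_hive_view(keys):
    """Kernel-style view: the full counted name identifies the key."""
    return {k.path: k.data for k in keys}


def win32_api_view(keys, api_missing=frozenset(), live_changes=None):
    """Win32-style view: a C-string name stops at its first NUL, so such a key
    enumerates truncated and cannot be opened (data None); filtered keys are
    absent; data is read live, so values changed since the snapshot differ."""
    live_changes = live_changes or {}
    view = {}
    for k in keys:
        if k.path in api_missing:
            continue
        api_name, sep, _ = k.path.partition(NUL)
        view[api_name] = None if sep else live_changes.get(k.path, k.data)
    return view


def compare_views(keys, api_missing=frozenset(), live_changes=None):
    """Diff the two views and label each discrepancy the way RKR does."""
    raw, api = raw_hive_view(keys), win32_api_view(keys, api_missing, live_changes)
    findings = []
    for path, data in raw.items():
        if NUL in path:
            findings.append((path.replace(NUL, "*"), "Key name contains embedded nulls (*)"))
        elif path not in api:
            findings.append((path, "Hidden from Windows API."))
        elif api[path] != data:
            findings.append((path, "Data mismatch between Windows API and raw hive data."))
    return findings


def triage(findings):
    """Attach the post's verdict: known-benign prefix, or investigate further."""
    out = []
    for path, desc in findings:
        why = next((r for prefix, r in KNOWN_BENIGN.items() if path.startswith(prefix)), None)
        out.append((path, desc, f"benign: {why}" if why else "investigate"))
    return out


def scan(keys=SNAPSHOT, api_missing=API_MISSING, live_changes=LIVE_CHANGES):
    return triage(compare_views(keys, api_missing, live_changes))


if __name__ == "__main__":
    for path, desc, verdict in scan():
        print(f"{path}\t{desc}\t{verdict}")
```

The point of the simulation is the last step: the diff itself cannot tell a trailing-null LSA secret from a key a driver is filtering out of enumeration, so every "Hidden from Windows API" line is only an input to the triage that follows, exactly as the post says.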

#8 bughunt

Topic Starter

Posted 12 December 2013 - 09:45 PM

Yes, slow performance is what's happening on my PC.

I have uninstalled most programs on my system such as anti-malware and my Comodo Firewall. Any Windows sounds play in a long drawn-out manner.

How do I proceed?

If I type anything in the Google Chrome URL bar, google or yahoo, I get a search result from ask.com?



#9 cryptodan

Bleepin Madman

Posted 13 December 2013 - 06:31 AM

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Clean.
  • Confirm each time with Ok.
  • You will be prompted to restart your computer. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


#10 bughunt

Topic Starter

Posted 16 December 2013 - 09:16 AM

# AdwCleaner v3.015 - Report created 16/12/2013 at 19:29:13
# Updated 10/12/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : oracle1000 - HIVE
# Running from : C:\Documents and Settings\admin\My Documents\Downloads\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****

File Found : C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\y80wzmpd.default\searchplugins\Askcom.xml
File Found : C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\y80wzmpd.default\searchplugins\Askcom.xml
File Found : C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\y80wzmpd.default\searchplugins\Askcom.xml
File Found : C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\y80wzmpd.default\searchplugins\Askcom.xml
File Found : C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\y80wzmpd.default\searchplugins\Askcom.xml
File Found : C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\y80wzmpd.default\searchplugins\Askcom.xml
File Found : C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\y80wzmpd.default\searchplugins\Askcom.xml
File Found : C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\y80wzmpd.default\user.js
File Found : C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\y80wzmpd.default\user.js
File Found : C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\y80wzmpd.default\user.js
File Found : C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\y80wzmpd.default\user.js
File Found : C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\y80wzmpd.default\user.js
File Found : C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\y80wzmpd.default\user.js
File Found : C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\y80wzmpd.default\user.js
Folder Found : C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\y80wzmpd.default\Extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
Folder Found : C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\y80wzmpd.default\Extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
Folder Found : C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\y80wzmpd.default\Extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
Folder Found : C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\y80wzmpd.default\Extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
Folder Found : C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\y80wzmpd.default\Extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
Folder Found : C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\y80wzmpd.default\Extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
Folder Found : C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\y80wzmpd.default\Extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Found : HKCU\Software\APN PIP
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{79A765E1-C399-405B-85AF-466F52E918B0}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7825CFB6-490A-436B-9F26-4A7B5CFC01A9}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{7825CFB6-490A-436B-9F26-4A7B5CFC01A9}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702


-\\ Mozilla Firefox v25.0.1 (en-US)

[ File : C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\y80wzmpd.default\prefs.js ]

Line Found : user_pref("browser.search.defaultengine", "Ask.com");
Line Found : user_pref("browser.search.defaultenginename", "Ask.com");
Line Found : user_pref("browser.search.order.1", "Ask.com");
Line Found : user_pref("browser.search.selectedEngine", "Ask.com");

[ File : C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\y80wzmpd.default\prefs.js ]

Line Found : user_pref("browser.search.defaultengine", "Ask.com");
Line Found : user_pref("browser.search.defaultenginename", "Ask.com");
Line Found : user_pref("browser.search.order.1", "Ask.com");
Line Found : user_pref("browser.search.selectedEngine", "Ask.com");

[ File : C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\y80wzmpd.default\prefs.js ]

Line Found : user_pref("browser.search.defaultengine", "Ask.com");
Line Found : user_pref("browser.search.defaultenginename", "Ask.com");
Line Found : user_pref("browser.search.order.1", "Ask.com");
Line Found : user_pref("browser.search.selectedEngine", "Ask.com");

[ File : C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\y80wzmpd.default\prefs.js ]

Line Found : user_pref("browser.search.defaultengine", "Ask.com");
Line Found : user_pref("browser.search.defaultenginename", "Ask.com");
Line Found : user_pref("browser.search.order.1", "Ask.com");
Line Found : user_pref("browser.search.selectedEngine", "Ask.com");

[ File : C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\y80wzmpd.default\prefs.js ]

Line Found : user_pref("browser.search.defaultengine", "Ask.com");
Line Found : user_pref("browser.search.defaultenginename", "Ask.com");
Line Found : user_pref("browser.search.order.1", "Ask.com");
Line Found : user_pref("browser.search.selectedEngine", "Ask.com");

[ File : C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\y80wzmpd.default\prefs.js ]

Line Found : user_pref("browser.search.defaultengine", "Ask.com");
Line Found : user_pref("browser.search.defaultenginename", "Ask.com");
Line Found : user_pref("browser.search.order.1", "Ask.com");
Line Found : user_pref("browser.search.selectedEngine", "Ask.com");

[ File : C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\y80wzmpd.default\prefs.js ]

Line Found : user_pref("browser.search.defaultengine", "Ask.com");
Line Found : user_pref("browser.search.defaultenginename", "Ask.com");
Line Found : user_pref("browser.search.order.1", "Ask.com");
Line Found : user_pref("browser.search.selectedEngine", "Ask.com");

*************************

AdwCleaner[R0].txt - [9637 octets] - [05/12/2013 09:35:36]
AdwCleaner[R1].txt - [6630 octets] - [16/12/2013 19:29:13]
AdwCleaner[S0].txt - [4655 octets] - [05/12/2013 09:52:53]

########## EOF - C:\AdwCleaner\AdwCleaner[R1].txt - [6750 octets] ##########

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.8 (11.05.2013:1)
OS: Microsoft Windows XP x86
Ran by oracle1000 on 16/12/2013 at 19:33:34.18
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{6A453ABC-F96D-41A1-9FDE-C25CF58FA8FD}
Successfully deleted: [Registry Key] "hkey_current_user\software\apn pip"



~~~ Files



~~~ Folders



~~~ FireFox

Successfully deleted: [File] C:\Documents and Settings\admin\Application Data\mozilla\firefox\profiles\y80wzmpd.default\user.js
Successfully deleted: [File] C:\Documents and Settings\admin\Application Data\mozilla\firefox\profiles\y80wzmpd.default\searchplugins\askcom.xml





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 16/12/2013 at 19:41:22.96
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Farbar Service Scanner Version: 05-12-2013
Ran by oracle1000 (administrator) on 16-12-2013 at 19:42:20
Running from "C:\Documents and Settings\admin\My Documents\Downloads"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Other Services:
==============


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x080000000400000001000000020000000300000005000000060000000700000008000000
IpSec Tag value is correct.

**** End of log ****
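
The AdwCleaner and JRT reports above show the shape of a Firefox search hijack rather than a rootkit: a user.js dropped into the profile (re-applied at every start, so it undoes a manual fix), an Askcom.xml in the profile's searchplugins folder, a GUID-named extension directory, and four browser.search.* user_pref lines in prefs.js pointing at "Ask.com". The scanner below is an added example written for this page, not AdwCleaner's or JRT's code. It generalises the log's single case to any search engine outside an allow-list; that allow-list, and the constructed sample profile it scans (built from the file names, GUID and pref values in the report above), are assumptions of the example.

```python
import os
import re
import tempfile

# user_pref("name", "value");  string-valued prefs, which is the form search prefs take.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*"([^"]*)"\);')
GUID_RE = re.compile(r"\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}")
SEARCH_PREFS = (
    "browser.search.defaultengine",
    "browser.search.defaultenginename",
    "browser.search.order.1",
    "browser.search.selectedEngine",
)
# Assumed allow-list of engines the user could plausibly have chosen themselves.
ALLOWED_ENGINES = ("Google", "Yahoo", "Bing", "DuckDuckGo")


def parse_prefs(text):
    """Return {name: value} for every string user_pref line in a prefs.js or user.js."""
    prefs = {}
    for line in text.splitlines():
        match = PREF_RE.match(line)
        if match:
            prefs[match.group(1)] = match.group(2)
    return prefs


def read_prefs_file(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return parse_prefs(fh.read())


def scan_profile(profile_dir, allowed_engines=ALLOWED_ENGINES):
    """Return a list of (kind, detail) findings for one Firefox profile directory."""
    findings = []

    user_js = os.path.join(profile_dir, "user.js")
    if os.path.isfile(user_js):
        # user.js is re-applied at every start, so it silently undoes a manual fix in prefs.js.
        findings.append(("user.js", user_js))
        for name, value in read_prefs_file(user_js).items():
            if name in SEARCH_PREFS:
                findings.append(("user.js pref", f'{name}="{value}"'))

    prefs_js = os.path.join(profile_dir, "prefs.js")
    if os.path.isfile(prefs_js):
        for name, value in read_prefs_file(prefs_js).items():
            if name in SEARCH_PREFS and value not in allowed_engines:
                findings.append(("pref", f'user_pref("{name}", "{value}");'))

    plugins = os.path.join(profile_dir, "searchplugins")
    if os.path.isdir(plugins):
        # Anything in the profile's searchplugins/ was added after install; the
        # engines Firefox ships with live in the application directory, not here.
        for name in sorted(os.listdir(plugins)):
            if name.lower().endswith(".xml"):
                findings.append(("searchplugin", os.path.join(plugins, name)))

    ext_dir = os.path.join(profile_dir, "extensions")
    if os.path.isdir(ext_dir):
        # GUID-named extension directories are listed for review, not condemned:
        # legitimate add-ons use GUID ids too, so each one needs a look.
        for name in sorted(os.listdir(ext_dir)):
            if GUID_RE.fullmatch(name) and os.path.isdir(os.path.join(ext_dir, name)):
                findings.append(("extension", os.path.join(ext_dir, name)))

    return findings


def build_sample_profile(root):
    """Construct a profile mirroring what the AdwCleaner report above listed (sample data)."""
    prof = os.path.join(root, "y80wzmpd.default")
    os.makedirs(os.path.join(prof, "searchplugins"))
    os.makedirs(os.path.join(prof, "extensions", "{635abd67-4fe9-1b23-4f01-e679fa7484c1}"))
    with open(os.path.join(prof, "prefs.js"), "w", encoding="utf-8") as fh:
        fh.write('user_pref("browser.search.defaultenginename", "Ask.com");\n'
                 'user_pref("browser.search.selectedEngine", "Ask.com");\n'
                 'user_pref("browser.startup.homepage", "about:home");\n'
                 'user_pref("browser.search.suggest.enabled", false);\n')
    with open(os.path.join(prof, "user.js"), "w", encoding="utf-8") as fh:
        fh.write('user_pref("browser.search.defaultenginename", "Ask.com");\n')
    with open(os.path.join(prof, "searchplugins", "Askcom.xml"), "w", encoding="utf-8") as fh:
        fh.write("<SearchPlugin/>\n")
    return prof


def demo():
    with tempfile.TemporaryDirectory() as root:
        return scan_profile(build_sample_profile(root))


if __name__ == "__main__":
    for kind, detail in demo():
        print(f"{kind:13} {detail}")
```

Reading the two reports together with this in mind: JRT deleted user.js and askcom.xml, but AdwCleaner was run in Scan mode only, so the prefs.js lines and the extension folder it listed were still in place when these logs were taken. Until those are removed, Firefox will keep offering Ask.com as the default engine. None of this explains the slowness of the machine, which is the open question in the thread.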



#11 cryptodan

Posted 16 December 2013 - 10:47 AM

How is the PC performing now?

#12 bughunt (Topic Starter)

Posted 17 December 2013 - 12:59 AM

It is still the same. Slow.

The computer sounds are long drawn out.



#13 cryptodan

Posted 17 December 2013 - 06:31 AM

Please perform the following, so that we can get the exact specs of your computer. This will better assist us in helping you more.

Publish a Snapshot using Speccy

The below is for those who cannot get online

Please take caution when attaching a text file to your post. If you cannot copy/paste the link to your post, you will need to edit the file to make sure that your Windows Key is not present.

#14 bughunt (Topic Starter)

Posted 18 December 2013 - 10:55 PM

I am unable to get a snapshot using Speccy; my PC gets stuck a lot.

My PC is an ASUS Eee PC 1000H bought in Taiwan.

http://www.asus.com/Notebooks_Ultrabooks/Eee_PC_1000H/#specifications

I am using Windows XP Professional.

The PC has no other software on it.

Should I run external scans using USB scanners?



#15 bughunt (Topic Starter)

Posted 20 December 2013 - 12:56 AM

http://speccy.piriform.com/results/O0qH8k5PxvYt7SOs8XtG4aR

Finally did it.





