
Evil rootkit/Trojan?


This topic is locked.
3 replies to this topic

#1 Sagun
  • Members
  • 1 posts

Posted 16 October 2014 - 11:54 PM

Hello Everyone,

I found this nasty bastard when I scanned my computer with aswMBR. What would be the next course of action if antivirus software were not to work? Could I use a program like AutoRun to find the source, or does it have to be done manually without software?

 

/****************************************************************

aswMBR LOG

aswMBR version 1.0.1.2041 Copyright© 2014 AVAST Software
Run date: 2014-10-16 22:23:26
-----------------------------
22:23:26.844    OS Version: Windows 6.1.7601 Service Pack 1
22:23:26.844    Number of processors: 2 586 0x4B02
22:23:26.859    ComputerName: SAGUN  UserName: 
22:23:32.101    Initialize success
22:23:32.148    VM: driver load error: 2
22:23:34.768    AVAST engine defs: 14101601
22:23:39.214    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000005a
22:23:39.214    Disk 0 Vendor: WDC_WD25 10.0 Size: 238475MB BusType: 3
22:23:39.292    Disk 0 MBR read successfully
22:23:39.308    Disk 0 MBR scan
22:23:39.714    Disk 0 Windows 7 default MBR code
22:23:39.729    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS       238464 MB offset 63
22:23:39.760    Disk 0 Boot: NTFS     code=2
22:23:39.854    Disk 0 scanning sectors +488376000
22:23:40.057    Disk 0 scanning C:\Windows\system32\drivers
22:24:05.902    Service scanning
22:24:41.080    Modules scanning
22:24:45.299    Disk 0 trace - called modules:
22:24:45.346    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll storport.sys nvstor.sys 
22:24:45.346    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84f7e030]
22:24:45.346    3 CLASSPNP.SYS[885dc59e] -> nt!IofCallDriver -> [0x848a8450]
22:24:45.346    5 ACPI.sys[8863b3d4] -> nt!IofCallDriver -> \Device\0000005a[0x848a8030]
22:24:46.281    AVAST engine scan C:\
****************************************************************************************************************************/


#2 Jo*
  • Malware Response Team
  • 3,304 posts
  • Gender:Male
  • Location:Germany

Posted 20 October 2014 - 05:40 AM

Hello Sagun,

My name is Jo and I will help you with your computer problems.


Please follow these guidelines:
  • Logs can take a while to research, so please be patient.
  • Read and follow the instructions in the sequence they are posted.
  • Print or copy & save the instructions.
  • Back up all your private data / important files on another (external) drive before using our tools.
  • Do not install / uninstall any applications, unless otherwise instructed.
  • Use only the tools you have been instructed to use.
  • Copy and paste the log files inside your post, unless otherwise instructed.
  • Ask for clarification, if you have any questions.
  • Stay with this topic until you get the "all clean" post.
  • My first language is not English, so please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

***


The log shows:
Disk 0 Windows 7 default MBR code
This normally means there is no rootkit.

Which line of the log makes you feel there is a rootkit?

***


1. Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double-click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    Vista / Windows 7/8 users right-click and select Run As Administrator.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

***


2. Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system, that will be the right version.
  • Right-click FRST / FRST64 then click "Run as administrator" (XP users: click Run after receipt of Windows Security Warning - Open File).
  • When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • When finished, it will produce a log called FRST.txt in the same directory the tool was run from.
  • Please copy and paste the log in your next reply.
Note 2: The first time the tool is run it generates another log (Addition.txt - also located in the same directory the tool was run from). Please also paste that, along with the FRST.txt into your next reply.



***


Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.
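Added example, not code from this thread and not part of aswMBR: a small Python parser that pulls the disk section out of an aswMBR log and applies the rule Jo states above, namely that a "Disk N Windows 7 default MBR code" line means the bootstrap code in sector 0 was recognised as stock, so that log carries no MBR-rootkit indicator. The sample input is the log posted in #1, trimmed to its disk lines. The line formats are assumed from that single log; the active-partition count and the check that the recorded call trace ends at the device object resolved for the boot disk are this example's own heuristics, not aswMBR's.

```python
"""Parse the disk section of an aswMBR log and apply the thread's MBR rule.

Added example, not code from the thread or from AVAST. Line formats are assumed
from the single log posted above; the partition and trace checks are this
example's own heuristics.
"""
import re
from typing import Dict, List

# Constructed sample input: the disk-related lines of the aswMBR log posted in #1.
SAMPLE_LOG = r"""
22:23:39.214    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000005a
22:23:39.214    Disk 0 Vendor: WDC_WD25 10.0 Size: 238475MB BusType: 3
22:23:39.292    Disk 0 MBR read successfully
22:23:39.308    Disk 0 MBR scan
22:23:39.714    Disk 0 Windows 7 default MBR code
22:23:39.729    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS       238464 MB offset 63
22:23:39.760    Disk 0 Boot: NTFS     code=2
22:24:45.299    Disk 0 trace - called modules:
22:24:45.346    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll storport.sys nvstor.sys
22:24:45.346    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84f7e030]
22:24:45.346    3 CLASSPNP.SYS[885dc59e] -> nt!IofCallDriver -> [0x848a8450]
22:24:45.346    5 ACPI.sys[8863b3d4] -> nt!IofCallDriver -> \Device\0000005a[0x848a8030]
"""

TS_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d{3}\s+(?P<msg>.*\S)\s*$")
BOOTDEV_RE = re.compile(r"^Disk (?P<disk>\d+) \(boot\) (?P<dev>\S+) -> (?P<target>\S+)$")
MBR_RE = re.compile(r"^Disk (?P<disk>\d+) (?P<status>.*MBR code)$")
PART_RE = re.compile(
    r"^Disk (?P<disk>\d+) Partition (?P<num>\d+) (?P<flag>[0-9A-Fa-f]{2}) \((?P<active>[^)]*)\) "
    r"(?P<type>[0-9A-Fa-f]{2})\s+(?P<desc>\S+)\s+(?P<fs>\S+)\s+(?P<size_mb>\d+) MB offset (?P<offset>\d+)$"
)
HOP_RE = re.compile(r"^(?P<n>\d+) (?P<chain>.*IofCallDriver.*)$")
ADDR_RE = re.compile(r"\[0x[0-9A-Fa-f]+\]$")


def parse_aswmbr(log: str) -> Dict:
    """Return boot device, MBR verdict, partition table, module list and call trace."""
    msgs: List[str] = [m["msg"] for m in map(TS_RE.match, log.splitlines()) if m]
    report: Dict = {"boot_device": None, "mbr_status": None, "partitions": [],
                    "called_modules": [], "trace": []}
    for i, msg in enumerate(msgs):
        if m := BOOTDEV_RE.match(msg):
            # Device object aswMBR resolved for the boot disk; the trace should end here.
            report["boot_device"] = (m["dev"], m["target"])
        elif m := MBR_RE.match(msg):
            report["mbr_status"] = m["status"]
        elif m := PART_RE.match(msg):
            report["partitions"].append({
                "number": int(m["num"]),
                "active": m["flag"].lower() == "80",   # 0x80 = bootable flag in the MBR table
                "type": int(m["type"], 16),            # 0x07 = NTFS/HPFS/exFAT
                "fs": m["fs"],
                "size_mb": int(m["size_mb"]),
                "offset_sectors": int(m["offset"]),
            })
        elif msg.endswith("trace - called modules:") and i + 1 < len(msgs):
            # The next line lists the modules aswMBR saw in the disk I/O path.
            report["called_modules"] = msgs[i + 1].split()
        elif m := HOP_RE.match(msg):
            # Keep only the final target of each hop, without the kernel address.
            last = m["chain"].rsplit("->", 1)[-1].strip()
            report["trace"].append((int(m["n"]), ADDR_RE.sub("", last)))
    return report


def triage(report: Dict) -> List[str]:
    """Apply the thread's rule plus two consistency checks; returns readable findings."""
    findings: List[str] = []
    status = report["mbr_status"]
    if status is None:
        findings.append("no MBR verdict line found; the scan may not have completed")
    elif "default MBR code" in status:
        findings.append(f"MBR bootstrap recognised as stock ({status}): no MBR-rootkit indicator")
    else:
        findings.append(f"MBR bootstrap not recognised as stock ({status}): inspect sector 0")
    active = [p["number"] for p in report["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions {active}: expected exactly one")
    if report["boot_device"] and report["trace"]:
        final = report["trace"][-1][1]
        expected = report["boot_device"][1]
        if final == expected:
            findings.append(f"call trace ends at the boot disk's device object {final}")
        else:
            findings.append(f"call trace ends at {final!r}, not {expected}: review the modules in between")
    return findings


if __name__ == "__main__":
    rep = parse_aswmbr(SAMPLE_LOG)
    print("modules in disk path:", " ".join(rep["called_modules"]))
    for line in triage(rep):
        print("-", line)
```

Run against the posted log it reports the stock-MBR finding, one active NTFS partition at sector offset 63, and a call trace that ends at \Device\0000005a, the same device object the first line resolved for Disk 0. A log where the verdict line is absent or the trace stops somewhere else is what would actually merit a closer look at sector 0 and at the listed modules.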


#3 Jo*

Posted 24 October 2014 - 03:39 AM

Hi,

It has been several days since I sent my last set of instructions to help with your computer problem.

Please let me know if you are having problems and still need help.

Note: Threads will be closed if no response after 3 days.



#4 Jo*

Posted 26 October 2014 - 06:17 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
