Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Rootkits issues Or something else?

  • Please log in to reply
4 replies to this topic

#1 Annie55


  • Members
  • 32 posts
  • Local time:09:38 PM

Posted 24 March 2016 - 08:19 PM

After getting a message at the screen when logging in yesterday, saying "Ghost program (rootkit) or virus", then Avast (free version) started a scan automatically and I wasnt able to se any report and still cant find any. Then my laptop shut itself down, even in a safe mode and when trying to find soultions in here, I first tried to download Emnisoft? but it didnt work, then I runned Rkill and it got stucked at the point "searching for misc actions", then I tried to run the rootpeal, and it stopped and got stucked already at first scan and when running the MBAM, my computor shuts down. I can past the scan reports (the half ones) later if needed. Now I´m in a safe mode and my security center i taken down and I cant activate my Avast online scan. Is there anyone out there who´s able to help what to do next? Would so appreciate some advises.   

BC AdBot (Login to Remove)


#2 mjd420nova


  • Members
  • 1,886 posts
  • Gender:Male
  • Local time:11:38 AM

Posted 24 March 2016 - 08:33 PM

One of the first things these nasties do is block all protection programs from running, or just locking up.  Anti-virus, spam, pop up, ETC and firewalls will get taken over and blocked from stopping the virus(whatever) from calling home to sell all your info.  Isolate the unit,  Pull the CAT5 cable, block the WIFI, whatever.  Then boot to the BIOS and set it for factory reset and boot to the safe mode and run all cleanup software from there.  Once convinced it's clean, boot without networking and see how it acts, if okay then, let it have access to the network and monitor the operation.

#3 Annie55

  • Topic Starter

  • Members
  • 32 posts
  • Local time:09:38 PM

Posted 26 March 2016 - 06:56 AM

Thanks for yr reply, I have difficulties even start the computor and .I am not very skilled in doing all the things you suggest but will give it a try if I can get the lap top to work to that point. (quite an old lap top) How can I isolate a unit that is not found (the Avast doesnt find it) and other scans I tried stops? When the comp didt start at all, I tried a recovery (not to factory settings although) Might do that later, for now, when able to log on again-suddenly, I am trying to save pictures etc. Any other suggestions than factory resetting? It might be its better to let this lap top rest forever...P.s if any reply or assistance from support in this issue, my reply might be delayed if I cannot again log in/start this computor D.s

#4 Annie55

  • Topic Starter

  • Members
  • 32 posts
  • Local time:09:38 PM

Posted 26 March 2016 - 01:31 PM

I managed to do a reset to an earlier point and are now able to log in and start my lap top, the Avast seems to run and says everything is ok. How sure can I be on this? I need to do some things in om ny internet bank, but hesitate because of the latest issues. Is there anything I can do, any suggestions of scans to do trying to find if there is a rootkit "problem" or not? Would so appreciate some help from someone who is better than me on those things. Here`s the one part scan report I got from Roorepeal before the program freezed:


ROOTREPEAL © AD, 2007-2009
Scan Start Time:        2016/03/24 02:09
Program Version:        Version
Windows Version:        Windows Vista SP2

Name: acpi.sys
Image Path: C:\Windows\system32\drivers\acpi.sys
Address: 0x83696000    Size: 286720    File Visible: -    Signed: -
Status: -

Image Path: \Driver\ACPI_HAL
Address: 0x83003000    Size: 3911680    File Visible: -    Signed: -
Status: -

Name: afd.sys
Image Path: C:\Windows\system32\drivers\afd.sys
Address: 0x8D52C000    Size: 294912    File Visible: -    Signed: -
Status: -

Name: aswRdr.sys
Image Path: C:\Windows\system32\drivers\aswRdr.sys
Address: 0x8D574000    Size: 45440    File Visible: -    Signed: -
Status: -

Name: atapi.sys
Image Path: C:\Windows\system32\drivers\atapi.sys
Address: 0x88CD6000    Size: 32768    File Visible: -    Signed: -
Status: -

Name: ataport.SYS
Image Path: C:\Windows\system32\drivers\ataport.SYS
Address: 0x88CDE000    Size: 122880    File Visible: -    Signed: -
Status: -

Name: athr.sys
Image Path: C:\Windows\system32\DRIVERS\athr.sys
Address: 0x8D28D000    Size: 1200128    File Visible: -    Signed: -
Status: -

Image Path: C:\Windows\System32\ATMFD.DLL
Address: 0x828D0000    Size: 319488    File Visible: -    Signed: -
Status: -

Image Path: C:\Windows\system32\DRIVERS\BATTC.SYS
Address: 0x83727000    Size: 40960    File Visible: -    Signed: -
Status: -

Name: Beep.SYS
Image Path: C:\Windows\System32\Drivers\Beep.SYS
Address: 0x8D498000    Size: 28672    File Visible: -    Signed: -
Status: -

Name: BOOTVID.dll
Image Path: C:\Windows\system32\BOOTVID.dll
Address: 0x8068B000    Size: 32768    File Visible: -    Signed: -
Status: -

Name: bowser.sys
Image Path: C:\Windows\system32\DRIVERS\bowser.sys
Address: 0x8D9D3000    Size: 102400    File Visible: -    Signed: -
Status: -

Name: cdfs.sys
Image Path: C:\Windows\system32\DRIVERS\cdfs.sys
Address: 0x89188000    Size: 90112    File Visible: -    Signed: -
Status: -

Name: cdrom.sys
Image Path: C:\Windows\system32\DRIVERS\cdrom.sys
Address: 0x88FB9000    Size: 98304    File Visible: -    Signed: -
Status: -

Name: CI.dll
Image Path: C:\Windows\system32\CI.dll
Address: 0x806D4000    Size: 917504    File Visible: -    Signed: -
Status: -

Image Path: C:\Windows\system32\drivers\CLASSPNP.SYS
Address: 0x89398000    Size: 135168    File Visible: -    Signed: -
Status: -

Image Path: C:\Windows\system32\CLFS.SYS
Address: 0x80693000    Size: 266240    File Visible: -    Signed: -
Status: -

Name: compbatt.sys
Image Path: C:\Windows\system32\DRIVERS\compbatt.sys
Address: 0x83724000    Size: 10496    File Visible: -    Signed: -
Status: -

Name: crashdmp.sys
Image Path: C:\Windows\System32\Drivers\crashdmp.sys
Address: 0x8D8AD000    Size: 53248    File Visible: -    Signed: -
Status: -

Name: crcdisk.sys
Image Path: C:\Windows\system32\drivers\crcdisk.sys
Address: 0x893B9000    Size: 36864    File Visible: -    Signed: -
Status: -

Name: dfsc.sys
Image Path: C:\Windows\System32\Drivers\dfsc.sys
Address: 0x8D854000    Size: 94208    File Visible: -    Signed: -
Status: -

Name: disk.sys
Image Path: C:\Windows\system32\drivers\disk.sys
Address: 0x89387000    Size: 69632    File Visible: -    Signed: -
Status: -

Name: dump_iaStor.sys
Image Path: C:\Windows\System32\Drivers\dump_iaStor.sys
Address: 0x8D8BA000    Size: 815104    File Visible: No    Signed: -
Status: -

Name: Dxapi.sys
Image Path: C:\Windows\System32\drivers\Dxapi.sys
Address: 0x8D981000    Size: 40960    File Visible: -    Signed: -
Status: -

Name: dxg.sys
Image Path: C:\Windows\System32\drivers\dxg.sys
Address: 0x82810000    Size: 94208    File Visible: -    Signed: -
Status: -

Name: ecache.sys
Image Path: C:\Windows\System32\drivers\ecache.sys
Address: 0x89360000    Size: 159744    File Visible: -    Signed: -
Status: -

Name: fileinfo.sys
Image Path: C:\Windows\system32\drivers\fileinfo.sys
Address: 0x88D2E000    Size: 65536    File Visible: -    Signed: -
Status: -

Name: fltmgr.sys
Image Path: C:\Windows\system32\drivers\fltmgr.sys
Address: 0x88CFC000    Size: 204800    File Visible: -    Signed: -
Status: -

Name: framebuf.dll
Image Path: C:\Windows\System32\framebuf.dll
Address: 0x828C0000    Size: 32768    File Visible: -    Signed: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\Windows\System32\Drivers\Fs_Rec.SYS
Address: 0x8D488000    Size: 36864    File Visible: -    Signed: -
Status: -

Name: fwpkclnt.sys
Image Path: C:\Windows\System32\drivers\fwpkclnt.sys
Address: 0x890FC000    Size: 110592    File Visible: -    Signed: -
Status: -

Name: hal.dll
Image Path: C:\Windows\system32\hal.dll
Address: 0x833BE000    Size: 208896    File Visible: -    Signed: -
Status: -

Name: HDAudBus.sys
Image Path: C:\Windows\system32\DRIVERS\HDAudBus.sys
Address: 0x8D200000    Size: 577536    File Visible: -    Signed: -
Status: -

Name: i8042prt.sys
Image Path: C:\Windows\system32\DRIVERS\i8042prt.sys
Address: 0x8D3B2000    Size: 77824    File Visible: -    Signed: -
Status: -

Name: iastor.sys
Image Path: C:\Windows\system32\drivers\iastor.sys
Address: 0x88C0F000    Size: 815104    File Visible: -    Signed: -
Status: -

Name: intelide.sys
Image Path: C:\Windows\system32\drivers\intelide.sys
Address: 0x8378A000    Size: 28672    File Visible: -    Signed: -
Status: -

Name: kbdclass.sys
Image Path: C:\Windows\system32\DRIVERS\kbdclass.sys
Address: 0x8D3C5000    Size: 45056    File Visible: -    Signed: -
Status: -

Name: kdcom.dll
Image Path: C:\Windows\system32\kdcom.dll
Address: 0x80603000    Size: 28672    File Visible: -    Signed: -
Status: -

Name: ks.sys
Image Path: C:\Windows\system32\DRIVERS\ks.sys
Address: 0x8D401000    Size: 172032    File Visible: -    Signed: -
Status: -

Name: ksecdd.sys
Image Path: C:\Windows\System32\Drivers\ksecdd.sys
Address: 0x88D3E000    Size: 466944    File Visible: -    Signed: -
Status: -

Name: mcupdate_GenuineIntel.dll
Image Path: C:\Windows\system32\mcupdate_GenuineIntel.dll
Address: 0x8060A000    Size: 458752    File Visible: -    Signed: -
Status: -

Name: mouclass.sys
Image Path: C:\Windows\system32\DRIVERS\mouclass.sys
Address: 0x891ED000    Size: 45056    File Visible: -    Signed: -
Status: -

Name: mountmgr.sys
Image Path: C:\Windows\System32\drivers\mountmgr.sys
Address: 0x8379F000    Size: 65536    File Visible: -    Signed: -
Status: -

Name: mpsdrv.sys
Image Path: C:\Windows\System32\drivers\mpsdrv.sys
Address: 0x8D5D6000    Size: 86016    File Visible: -    Signed: -
Status: -

Name: mrxsmb.sys
Image Path: C:\Windows\system32\DRIVERS\mrxsmb.sys
Address: 0x89117000    Size: 126976    File Visible: -    Signed: -
Status: -

Name: mrxsmb10.sys
Image Path: C:\Windows\system32\DRIVERS\mrxsmb10.sys
Address: 0x89136000    Size: 237568    File Visible: -    Signed: -
Status: -

Name: mrxsmb20.sys
Image Path: C:\Windows\system32\DRIVERS\mrxsmb20.sys
Address: 0x89170000    Size: 98304    File Visible: -    Signed: -
Status: -

Name: Msfs.SYS
Image Path: C:\Windows\System32\Drivers\Msfs.SYS
Address: 0x8D4E0000    Size: 45056    File Visible: -    Signed: -
Status: -

Name: msisadrv.sys
Image Path: C:\Windows\system32\drivers\msisadrv.sys
Address: 0x836E5000    Size: 32768    File Visible: -    Signed: -
Status: -

Name: msiscsi.sys
Image Path: C:\Windows\system32\DRIVERS\msiscsi.sys
Address: 0x88FD1000    Size: 192512    File Visible: -    Signed: -
Status: -

Name: msrpc.sys
Image Path: C:\Windows\system32\drivers\msrpc.sys
Address: 0x88F15000    Size: 176128    File Visible: -    Signed: -
Status: -

Name: mssmbios.sys
Image Path: C:\Windows\system32\DRIVERS\mssmbios.sys
Address: 0x8D42B000    Size: 40960    File Visible: -    Signed: -
Status: -

Name: mup.sys
Image Path: C:\Windows\System32\Drivers\mup.sys
Address: 0x89351000    Size: 61440    File Visible: -    Signed: -
Status: -

Name: ndis.sys
Image Path: C:\Windows\system32\drivers\ndis.sys
Address: 0x88E0A000    Size: 1093632    File Visible: -    Signed: -
Status: -

Name: ndistapi.sys
Image Path: C:\Windows\system32\DRIVERS\ndistapi.sys
Address: 0x88DF1000    Size: 45056    File Visible: -    Signed: -
Status: -

Name: ndisuio.sys
Image Path: C:\Windows\system32\DRIVERS\ndisuio.sys
Address: 0x8D9C9000    Size: 40960    File Visible: -    Signed: -
Status: -

Name: ndiswan.sys
Image Path: C:\Windows\system32\DRIVERS\ndiswan.sys
Address: 0x837C6000    Size: 143360    File Visible: -    Signed: -
Status: -

Name: NDProxy.SYS
Image Path: C:\Windows\System32\Drivers\NDProxy.SYS
Address: 0x8D477000    Size: 69632    File Visible: -    Signed: -
Status: -

Name: netbios.sys
Image Path: C:\Windows\system32\DRIVERS\netbios.sys
Address: 0x8D5C8000    Size: 57344    File Visible: -    Signed: -
Status: -

Name: netbt.sys
Image Path: C:\Windows\System32\DRIVERS\netbt.sys
Address: 0x8D580000    Size: 204800    File Visible: -    Signed: -
Status: -

Image Path: C:\Windows\system32\drivers\NETIO.SYS
Address: 0x88F40000    Size: 241664    File Visible: -    Signed: -
Status: -

Name: Npfs.SYS
Image Path: C:\Windows\System32\Drivers\Npfs.SYS
Address: 0x8D4EB000    Size: 57344    File Visible: -    Signed: -
Status: -

Name: nsiproxy.sys
Image Path: C:\Windows\system32\drivers\nsiproxy.sys
Address: 0x8D84A000    Size: 40960    File Visible: -    Signed: -
Status: -

Name: Ntfs.sys
Image Path: C:\Windows\System32\Drivers\Ntfs.sys
Address: 0x89200000    Size: 1114112    File Visible: -    Signed: -
Status: -

Name: ntkrnlpa.exe
Image Path: C:\Windows\system32\ntkrnlpa.exe
Address: 0x83003000    Size: 3911680    File Visible: -    Signed: -
Status: -

Name: Null.SYS
Image Path: C:\Windows\System32\Drivers\Null.SYS
Address: 0x8D491000    Size: 28672    File Visible: -    Signed: -
Status: -

Name: nwifi.sys
Image Path: C:\Windows\system32\DRIVERS\nwifi.sys
Address: 0x8D99F000    Size: 172032    File Visible: -    Signed: -
Status: -

Name: pacer.sys
Image Path: C:\Windows\system32\DRIVERS\pacer.sys
Address: 0x8D5B2000    Size: 90112    File Visible: -    Signed: -
Status: -

Name: partmgr.sys
Image Path: C:\Windows\System32\drivers\partmgr.sys
Address: 0x83714000    Size: 65536    File Visible: -    Signed: -
Status: -

Name: pci.sys
Image Path: C:\Windows\system32\drivers\pci.sys
Address: 0x836ED000    Size: 159744    File Visible: -    Signed: -
Status: -

Image Path: C:\Windows\system32\drivers\PCIIDEX.SYS
Address: 0x83791000    Size: 57344    File Visible: -    Signed: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x83003000    Size: 3911680    File Visible: -    Signed: -
Status: -

Name: PSHED.dll
Image Path: C:\Windows\system32\PSHED.dll
Address: 0x8067A000    Size: 69632    File Visible: -    Signed: -
Status: -

Name: rasacd.sys
Image Path: C:\Windows\System32\DRIVERS\rasacd.sys
Address: 0x8D4F9000    Size: 36864    File Visible: -    Signed: -
Status: -

Name: rasl2tp.sys
Image Path: C:\Windows\system32\DRIVERS\rasl2tp.sys
Address: 0x837AF000    Size: 94208    File Visible: -    Signed: -
Status: -

Name: raspppoe.sys
Image Path: C:\Windows\system32\DRIVERS\raspppoe.sys
Address: 0x88C00000    Size: 61440    File Visible: -    Signed: -
Status: -

Name: raspptp.sys
Image Path: C:\Windows\system32\DRIVERS\raspptp.sys
Address: 0x837E9000    Size: 81920    File Visible: -    Signed: -
Status: -

Name: rassstp.sys
Image Path: C:\Windows\system32\DRIVERS\rassstp.sys
Address: 0x807B4000    Size: 86016    File Visible: -    Signed: -
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x83003000    Size: 3911680    File Visible: -    Signed: -
Status: -

Name: rdbss.sys
Image Path: C:\Windows\system32\DRIVERS\rdbss.sys
Address: 0x8D80E000    Size: 245760    File Visible: -    Signed: -
Status: -

Name: rdpencdd.sys
Image Path: C:\Windows\system32\drivers\rdpencdd.sys



I will try and run another Rkill and post the log in here later.

#5 Annie55

  • Topic Starter

  • Members
  • 32 posts
  • Local time:09:38 PM

Posted 26 March 2016 - 01:50 PM

This is what the Rkill says:



Rkill 2.8.3 by Lawrence Abrams (Grinler)
Copyright 2008-2016 BleepingComputer.com
More Information about Rkill can be found at this link:

Program started at: 03/26/2016 07:35:28 PM in x86 mode.
Windows Version: Windows Vista ™ Home Premium Service Pack 2

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * No issues found.

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * HOSTS file entries found:       localhost
  ::1             localhost

Program finished at: 03/26/2016 07:40:23 PM
Execution time: 0 hours(s), 4 minute(s), and 55 seconds(s)

 So nothing there I assume or it didnt find it. Still asking for help to do some other scans that could suit.

In addition I can say I have had the typical signs but ignored it somewhat, the massive spam emailing, VERY sluggish computor, even after defrag and cleanups. Cursor moving, redirected at sites, and the screen message yeysterday (came after I did a C: harddrive healthreport during night) when starting up the lap top saying (in swedish "ghost programme or virus"?) "Rootkit or virus" and then Avast started scanning by itself, but nothing was found. But by then I finally understud there really is something wrong. (I have felt it somehow, but since every scan I did found nothing, I dropped it and tried live with a sluggish comp) Anyone out there that could guide me pls?

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users