jd1963
Corporal

 Joined: Jul 15, 2006 Posts: 73 Location: Uk
Posted: Fri Aug 10, 2007 9:56 pm Post subject: I need help please, I have a rootkit
Hi,
I have run Rootkit Unhooker but don't know what to do with the results or remove anything, then I ran RootkitRevealer and that showed up some hidden stuff, and I thought OK, wait, get advice, and start at the beginning.
I have removed all added-on applications from Add or Remove Programs but Ad-Aware 2007 won't budge, and things are in my registry in Chinese, and if I put a "-" in front of a word it changes into Chinese.
I will run the malware program whilst I await your response.
_________________
If I can do it, then anyone can. Assert yourself, and take control
negster22
Security Expert Premium Member
 Joined: Mar 10, 2004 Posts: 5394
Posted: Sat Aug 11, 2007 3:00 am
Please post your RKR and RKU logs, so we can see why you think you may have a rootkit.
It sounds like you may have some infections but they may not be rootkits.
You should run through our Malware Removal and Prevention Procedure, as well. Be sure to save all scan logs in case we need to review them, to assess the state of your system.
_________________
Negster22 - MS MVP - Consumer Security 2006-2008
jd1963
Corporal

 Joined: Jul 15, 2006 Posts: 73 Location: Uk
Posted: Sat Aug 11, 2007 6:41 am
Hi,
this is the RKU log:
RkUnhooker report generator v0.7
==============================================
Rootkit Unhooker kernel version: 3.7.300.503
==============================================
Windows Major Version: 5
Windows Minor Version: 1
Windows Build Number: 2600
==============================================
>SSDT State
==============================================
>Shadow
==============================================
>Processes
Process: System
Process Id: 4
EPROCESS Address: 0x82FCAB98
Process: C:\Program Files\TrojanHunter 4.7\TrojanHunter.exe
Process Id: 320
EPROCESS Address: 0x82C503F8
Process: C:\WINDOWS\system32\smss.exe
Process Id: 416
EPROCESS Address: 0x82BF8030
Process: C:\WINDOWS\system32\csrss.exe
Process Id: 472
EPROCESS Address: 0x82D1D030
Process: C:\WINDOWS\system32\winlogon.exe
Process Id: 496
EPROCESS Address: 0x82DABBE8
Process: C:\WINDOWS\system32\services.exe
Process Id: 540
EPROCESS Address: 0x82DB0798
Process: C:\WINDOWS\system32\lsass.exe
Process Id: 552
EPROCESS Address: 0x82DAE798
Process: C:\WINDOWS\system32\svchost.exe
Process Id: 736
EPROCESS Address: 0x82DB1DA0
Process: C:\WINDOWS\system32\svchost.exe
Process Id: 800
EPROCESS Address: 0x82BCC790
Process: C:\WINDOWS\system32\drwtsn32.exe
Process Id: 816
EPROCESS Address: 0x82A14B88
Process: C:\WINDOWS\system32\svchost.exe
Process Id: 836
EPROCESS Address: 0x82BDB858
Process: C:\WINDOWS\system32\svchost.exe
Process Id: 960
EPROCESS Address: 0x82C133B8
Process: C:\WINDOWS\explorer.exe
Process Id: 1120
EPROCESS Address: 0x82BFA6F0
Process: C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
Process Id: 1420
EPROCESS Address: 0x82BF5DA0
Process: C:\WINDOWS\system32\locator.exe
Process Id: 1744
EPROCESS Address: 0x82D31628
Process: C:\WINDOWS\system32\drwtsn32.exe
Process Id: 1752
EPROCESS Address: 0x82AF08D8
Process: C:\WINDOWS\system32\svchost.exe
Process Id: 1820
EPROCESS Address: 0x82C17598
Process: C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
Process Id: 1828
EPROCESS Address: 0x82B6C030
Process: C:\WINDOWS\system32\ups.exe
Process Id: 1860
EPROCESS Address: 0x82DB2370
Process: C:\WINDOWS\system32\wbem\wmiapsrv.exe
Process Id: 2072
EPROCESS Address: 0x82AE1A98
Process: C:\WINDOWS\system32\dllhost.exe
Process Id: 2532
EPROCESS Address: 0x82BF5A28
Process: C:\WINDOWS\system32\imapi.exe
Process Id: 2572
EPROCESS Address: 0x82EB29E8
Process: C:\WINDOWS\system32\svchost.exe
Process Id: 2632
EPROCESS Address: 0x82A31DA0
Process: C:\WINDOWS\system32\svchost.exe
Process Id: 2672
EPROCESS Address: 0x82BD2488
Process: C:\WINDOWS\system32\drwtsn32.exe
Process Id: 3108
EPROCESS Address: 0x82C56950
Process: C:\Program Files\Windows Media Player\wmpnetwk.exe
Process Id: 3288
EPROCESS Address: 0x82E0BCC8
Process: C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
Process Id: 3352
EPROCESS Address: 0x82C4FCE8
Process: C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
Process Id: 3576
EPROCESS Address: 0x82C49B80
Process: C:\WINDOWS\system32\alg.exe
Process Id: 3832
EPROCESS Address: 0x82E27818
Process: C:\Program Files\TrojanHunter 4.7\THGuard.exe
Process Id: 1344
EPROCESS Address: 0x82C1FBE0
Process: C:\RkUnhooker\6QUi4adf0bCHgua.exe
Process Id: 3124
EPROCESS Address: 0x82BAC718
==============================================
>Drivers
Driver: C:\WINDOWS\system32\ntoskrnl.exe
Address: 0x804D7000
Size: 2180352 bytes
Driver: PnpManager
Address: 0x804D7000
Size: 2180352 bytes
Driver: RAW
Address: 0x804D7000
Size: 2180352 bytes
Driver: WMIxWDM
Address: 0x804D7000
Size: 2180352 bytes
Driver: Win32k
Address: 0xBF800000
Size: 1847296 bytes
Driver: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000
Size: 1847296 bytes
Driver: C:\WINDOWS\System32\ialmdd5.DLL
Address: 0xBFA2E000
Size: 905216 bytes
Driver: C:\WINDOWS\System32\DRIVERS\ialmnt5.sys
Address: 0xF8110000
Size: 811008 bytes
Driver: C:\WINDOWS\system32\drivers\ALCXWDM.SYS
Address: 0xF7FC9000
Size: 643072 bytes
Driver: Ntfs.sys
Address: 0xF85B7000
Size: 577536 bytes
Driver: C:\WINDOWS\System32\DRIVERS\mrxsmb.sys
Address: 0xEFC71000
Size: 454656 bytes
Driver: C:\WINDOWS\System32\DRIVERS\update.sys
Address: 0xF7F28000
Size: 364544 bytes
Driver: C:\WINDOWS\System32\DRIVERS\tcpip.sys
Address: 0xEFD55000
Size: 360448 bytes
Driver: C:\WINDOWS\System32\ATMFD.DLL
Address: 0xBFFA0000
Size: 286720 bytes
Driver: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0xEF5E5000
Size: 266240 bytes
Driver: ACPI.sys
Address: 0xF86E8000
Size: 188416 bytes
Driver: NDIS.sys
Address: 0xF858A000
Size: 184320 bytes
Driver: C:\WINDOWS\System32\ialmdev5.DLL
Address: 0xBFA02000
Size: 180224 bytes
Driver: C:\WINDOWS\system32\drivers\kmixer.sys
Address: 0xEF25D000
Size: 176128 bytes
Driver: C:\WINDOWS\System32\DRIVERS\rdbss.sys
Address: 0xEFCE0000
Size: 176128 bytes
Driver: C:\WINDOWS\System32\DRIVERS\netbt.sys
Address: 0xEFD2D000
Size: 163840 bytes
Driver: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xF8089000
Size: 147456 bytes
Driver: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Address: 0xEF0D2000
Size: 143360 bytes
Driver: C:\WINDOWS\system32\drivers\ks.sys
Address: 0xF8066000
Size: 143360 bytes
Driver: C:\WINDOWS\System32\DRIVERS\USBPORT.SYS
Address: 0xF80D9000
Size: 143360 bytes
Driver: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xEFD0B000
Size: 139264 bytes
Driver: C:\WINDOWS\System32\DRIVERS\ipnat.sys
Address: 0xEF0B1000
Size: 135168 bytes
Driver: ACPI_HAL
Address: 0x806EC000
Size: 131968 bytes
Driver: C:\WINDOWS\system32\hal.dll
Address: 0x806EC000
Size: 131968 bytes
Driver: fltmgr.sys
Address: 0xF8680000
Size: 131072 bytes
Driver: ftdisk.sys
Address: 0xF86B8000
Size: 126976 bytes
Driver: C:\WINDOWS\System32\ialmdnt5.dll
Address: 0xBF9E3000
Size: 126976 bytes
Driver: Mup.sys
Address: 0xF856F000
Size: 110592 bytes
Driver: atapi.sys
Address: 0xF86A0000
Size: 98304 bytes
Driver: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEFC31000
Size: 98304 bytes
Driver: C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys
Address: 0xF80C1000
Size: 98304 bytes
Driver: KSecDD.sys
Address: 0xF8657000
Size: 94208 bytes
Driver: C:\WINDOWS\System32\DRIVERS\ndiswan.sys
Address: 0xF7FB2000
Size: 94208 bytes
Driver: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xEF8D4000
Size: 86016 bytes
Driver: C:\WINDOWS\System32\DRIVERS\parport.sys
Address: 0xF80AD000
Size: 81920 bytes
Driver: C:\WINDOWS\System32\DRIVERS\VIDEOPRT.SYS
Address: 0xF80FC000
Size: 81920 bytes
Driver: C:\WINDOWS\System32\DRIVERS\ipsec.sys
Address: 0xEFDAD000
Size: 77824 bytes
Driver: WudfPf.sys
Address: 0xF8644000
Size: 77824 bytes
Driver: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF9C3000
Size: 73728 bytes
Driver: sr.sys
Address: 0xF866E000
Size: 73728 bytes
Driver: C:\WINDOWS\system32\drivers\tmcomm.sys
Address: 0xEF4E3000
Size: 73728 bytes
Driver: pci.sys
Address: 0xF86D7000
Size: 69632 bytes
Driver: C:\WINDOWS\System32\DRIVERS\psched.sys
Address: 0xF7FA1000
Size: 69632 bytes
Driver: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xF87F7000
Size: 65536 bytes
Driver: C:\WINDOWS\System32\DRIVERS\serial.sys
Address: 0xF88D7000
Size: 65536 bytes
Driver: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xF88E7000
Size: 61440 bytes
Driver: C:\WINDOWS\System32\DRIVERS\redbook.sys
Address: 0xF8917000
Size: 61440 bytes
Driver: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xEF9A9000
Size: 61440 bytes
Driver: C:\WINDOWS\System32\DRIVERS\usbhub.sys
Address: 0xF8997000
Size: 61440 bytes
Driver: C:\WINDOWS\System32\ialmrnt5.dll
Address: 0xBF9D5000
Size: 57344 bytes
Driver: C:\WINDOWS\System32\DRIVERS\cdrom.sys
Address: 0xF8907000
Size: 53248 bytes
Driver: C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS
Address: 0xF8777000
Size: 53248 bytes
Driver: C:\WINDOWS\System32\DRIVERS\i8042prt.sys
Address: 0xF88C7000
Size: 53248 bytes
Driver: C:\WINDOWS\System32\DRIVERS\rasl2tp.sys
Address: 0xF8927000
Size: 53248 bytes
Driver: VolSnap.sys
Address: 0xF8757000
Size: 53248 bytes
Driver: C:\WINDOWS\System32\DRIVERS\raspptp.sys
Address: 0xF8947000
Size: 49152 bytes
Driver: C:\WINDOWS\System32\Drivers\Imapi.SYS
Address: 0xF88F7000
Size: 45056 bytes
Driver: MountMgr.sys
Address: 0xF8747000
Size: 45056 bytes
Driver: C:\WINDOWS\System32\DRIVERS\raspppoe.sys
Address: 0xF8937000
Size: 45056 bytes
Driver: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xF8977000
Size: 40960 bytes
Driver: C:\WINDOWS\System32\DRIVERS\termdd.sys
Address: 0xF8967000
Size: 40960 bytes
Driver: disk.sys
Address: 0xF8767000
Size: 36864 bytes
Driver: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xF87A7000
Size: 36864 bytes
Driver: C:\WINDOWS\System32\DRIVERS\ipfltdrv.sys
Address: 0xEFAA9000
Size: 36864 bytes
Driver: isapnp.sys
Address: 0xF8737000
Size: 36864 bytes
Driver: C:\WINDOWS\System32\DRIVERS\msgpc.sys
Address: 0xF8957000
Size: 36864 bytes
Driver: C:\WINDOWS\System32\DRIVERS\netbios.sys
Address: 0xF8797000
Size: 36864 bytes
Driver: C:\WINDOWS\System32\DRIVERS\processr.sys
Address: 0xF88B7000
Size: 36864 bytes
Driver: C:\WINDOWS\System32\DRIVERS\wanarp.sys
Address: 0xF87B7000
Size: 36864 bytes
Driver: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xF8AA7000
Size: 32768 bytes
Driver: C:\WINDOWS\System32\DRIVERS\fdc.sys
Address: 0xF8A5F000
Size: 28672 bytes
Driver: C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS
Address: 0xF89B7000
Size: 28672 bytes
Driver: C:\WINDOWS\System32\DRIVERS\usbehci.sys
Address: 0xF8A47000
Size: 28672 bytes
Driver: C:\WINDOWS\System32\DRIVERS\kbdclass.sys
Address: 0xF8A4F000
Size: 24576 bytes
Driver: C:\WINDOWS\System32\DRIVERS\mouclass.sys
Address: 0xF8A57000
Size: 24576 bytes
Driver: C:\WINDOWS\System32\Drivers\rkhdrv40.SYS
Address: 0xF8B37000
Size: 24576 bytes
Driver: C:\WINDOWS\System32\Drivers\StarOpen.SYS
Address: 0xF8AAF000
Size: 24576 bytes
Driver: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xF8A97000
Size: 24576 bytes
Driver: C:\WINDOWS\System32\DRIVERS\flpydisk.sys
Address: 0xF8A87000
Size: 20480 bytes
Driver: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xF8A9F000
Size: 20480 bytes
Driver: PartMgr.sys
Address: 0xF89BF000
Size: 20480 bytes
Driver: C:\WINDOWS\System32\DRIVERS\ptilink.sys
Address: 0xF8A6F000
Size: 20480 bytes
Driver: C:\WINDOWS\System32\DRIVERS\raspti.sys
Address: 0xF8A77000
Size: 20480 bytes
Driver: C:\WINDOWS\System32\DRIVERS\TDI.SYS
Address: 0xF8A67000
Size: 20480 bytes
Driver: C:\WINDOWS\System32\DRIVERS\usbuhci.sys
Address: 0xF8A3F000
Size: 20480 bytes
Driver: C:\WINDOWS\System32\watchdog.sys
Address: 0xF8AE7000
Size: 20480 bytes
Driver: C:\WINDOWS\System32\DRIVERS\mssmbios.sys
Address: 0xF8C0B000
Size: 16384 bytes
Driver: C:\WINDOWS\System32\DRIVERS\serenum.sys
Address: 0xF8BE7000
Size: 16384 bytes
Driver: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xF8B47000
Size: 12288 bytes
Driver: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xF8BD3000
Size: 12288 bytes
Driver: C:\WINDOWS\System32\DRIVERS\gameenum.sys
Address: 0xF8BEF000
Size: 12288 bytes
Driver: C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys
Address: 0xEF91D000
Size: 12288 bytes
Driver: C:\WINDOWS\System32\DRIVERS\ndistapi.sys
Address: 0xF8BF7000
Size: 12288 bytes
Driver: C:\WINDOWS\system32\drivers\NSDriver.sys
Address: 0xEF4B3000
Size: 12288 bytes
Driver: C:\WINDOWS\System32\DRIVERS\rasacd.sys
Address: 0xF81FA000
Size: 12288 bytes
Driver: C:\WINDOWS\system32\30.tmp
Address: 0xF8CE1000
Size: 8192 bytes
Driver: C:\WINDOWS\system32\drivers\AWRTPD.sys
Address: 0xF8CD5000
Size: 8192 bytes
Driver: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xF8C61000
Size: 8192 bytes
Driver: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8C6B000
Size: 8192 bytes
Driver: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xF8C5F000
Size: 8192 bytes
Driver: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xF8C37000
Size: 8192 bytes
Driver: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xF8C63000
Size: 8192 bytes
Driver: C:\WINDOWS\System32\Drivers\ParVdm.SYS
Address: 0xF8C95000
Size: 8192 bytes
Driver: C:\WINDOWS\system32\Drivers\PROCEXP100.SYS
Address: 0xF8CEF000
Size: 8192 bytes
Driver: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xF8C65000
Size: 8192 bytes
Driver: C:\WINDOWS\system32\Drivers\RKREVEAL150.SYS
Address: 0xF8C4D000
Size: 8192 bytes
Driver: C:\WINDOWS\System32\DRIVERS\swenum.sys
Address: 0xF8C5B000
Size: 8192 bytes
Driver: C:\WINDOWS\System32\DRIVERS\USBD.SYS
Address: 0xF8C5D000
Size: 8192 bytes
Driver: C:\WINDOWS\System32\DRIVERS\WMILIB.SYS
Address: 0xF8C39000
Size: 8192 bytes
Driver: C:\WINDOWS\System32\DRIVERS\audstub.sys
Address: 0xF8E1F000
Size: 4096 bytes
Driver: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xF8E86000
Size: 4096 bytes
Driver: C:\WINDOWS\system32\Drivers\mchInjDrv.sys
Address: 0xF8D9C000
Size: 4096 bytes
Driver: C:\WINDOWS\system32\drivers\msmpu401.sys
Address: 0xF8E1D000
Size: 4096 bytes
Driver: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xF8D0F000
Size: 4096 bytes
Driver: pciide.sys
Address: 0xF8CFF000
Size: 4096 bytes
==============================================
>Stealth
==============================================
>Files
Suspect File: C:\Documents and Settings\jimbob\Local Settings\History\History.IE5\MSHist012007080920070810\index.dat Status: Hidden
Suspect File: C:\Documents and Settings\jimbob\Local Settings\Temp\~DF692D.tmp Status: Hidden
Suspect File: C:\hjt\hijackthis\hijackthis.log Status: Hidden
Suspect File: C:\hjt\hijackthis\hijackthisaug.log Status: Hidden
Suspect File: C:\hjt\hijackthis\startuplistaug.txt Status: Hidden
Suspect File: C:\WINDOWS\Prefetch\HJT.EXE-23109BCE.pf Status: Hidden
Suspect File: C:\WINDOWS\Prefetch\JFLPZQ.EXE-3B0E4338.pf Status: Hidden
Suspect File: C:\WINDOWS\Prefetch\SXBQKK.EXE-1ED47FBC.pf Status: Hidden
Suspect File: C:\WINDOWS\Prefetch\VNKTGK.EXE-0594B5AA.pf Status: Hidden
Suspect File: C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{A36D8FDD-2DCA-4983-88F7-115E9CC2AE68}.crmlog Status: Hidden
Suspect File: C:\WINDOWS\system32\dllhost.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA Status: Hidden
Suspect File: C:\WINDOWS\system32\wbem\Logs\wbemess.log Status: Hidden
==============================================
>Hooks
_________________
If I can do it, then anyone can. Assert yourself, and take control
negster22
Security Expert Premium Member
 Joined: Mar 10, 2004 Posts: 5394
jd1963
Corporal

 Joined: Jul 15, 2006 Posts: 73 Location: Uk
Posted: Sat Aug 11, 2007 11:23 pm
Hi,
here is the RKR log. I couldn't find the original one so this is a fresh one:
HKLM\SECURITY\Policy\Secrets\SAC* 15/08/2002 20:33 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 15/08/2002 20:33 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\Software\Microsoft\Multimedia\Components\Installed\playback_wmfsdk\Uninstall 09/08/2007 05:46 0 bytes Security mismatch.
I shall place a HJT log as asked.
Thanks,
jd
_________________
If I can do it, then anyone can. Assert yourself, and take control
negster22
Security Expert Premium Member
 Joined: Mar 10, 2004 Posts: 5394
Posted: Mon Aug 13, 2007 2:34 am
A fresh log is preferable anyway.
All those entries are harmless and not from a rootkit.
I'll give you some more directions in the HJT forum.
_________________
Negster22 - MS MVP - Consumer Security 2006-2008
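As an added example (not code from this thread, from jd1963, or from the RootkitRevealer tool itself), here is a small Python triage script that parses RKR log lines in the format posted above and applies the classification negster22 gave: embedded-null key names under HKLM\SECURITY\Policy\Secrets and the security mismatch are benign or informational, while "Hidden from Windows API" entries are the ones a defender needs to look at. The sample log embeds the three lines from the thread plus one constructed line with a made-up driver name so the review path is exercised.

```python
import re
from dataclasses import dataclass

# Constructed sample: the three lines jd1963 posted, plus one constructed
# "Hidden from Windows API" entry (the driver name is made up for the demo).
SAMPLE_LOG = r"""
HKLM\SECURITY\Policy\Secrets\SAC* 15/08/2002 20:33 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 15/08/2002 20:33 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\Software\Microsoft\Multimedia\Components\Installed\playback_wmfsdk\Uninstall 09/08/2007 05:46 0 bytes Security mismatch.
C:\WINDOWS\system32\drivers\example.sys 01/08/2007 12:00 24.00 KB Hidden from Windows API.
"""

# One RKR line is: <path> <dd/mm/yyyy> <hh:mm> <size> <description>.
# Paths may contain spaces, so match them lazily up to the date/time stamp.
LINE = re.compile(
    r"^(?P<path>.+?) (?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>\d+(?:\.\d+)? (?:bytes|KB|MB)) (?P<desc>.+)$"
)

@dataclass
class Finding:
    path: str
    size: str
    desc: str
    verdict: str  # "benign", "informational" or "review"
    reason: str

def triage(path: str, desc: str) -> tuple[str, str]:
    # Classify one discrepancy the way the expert in the thread did.
    p = path.lower()
    if desc.startswith("Key name contains embedded nulls") and p.startswith("hklm\\security\\policy\\secrets\\"):
        return "benign", "LSA secrets use embedded nulls in key names by design"
    if desc.startswith("Security mismatch"):
        return "informational", "ACL read via the API differs from the raw hive; usually an update artefact"
    if desc.startswith("Hidden from Windows API"):
        return "review", "present in the raw scan but not via the API: the classic rootkit indicator"
    return "review", "unrecognised discrepancy type"

def parse_log(text: str) -> list[Finding]:
    findings = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank lines or anything that is not an RKR entry
        verdict, reason = triage(m["path"], m["desc"])
        findings.append(Finding(m["path"], m["size"], m["desc"], verdict, reason))
    return findings

if __name__ == "__main__":
    for f in parse_log(SAMPLE_LOG):
        print(f"[{f.verdict:13}] {f.path}  ({f.size})  {f.reason}")
```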
negster22
Security Expert Premium Member
 Joined: Mar 10, 2004 Posts: 5394
Posted: Sat Aug 25, 2007 1:02 am
Since the rootkit part of this analysis is complete, I am marking this topic as done.
_________________
Negster22 - MS MVP - Consumer Security 2006-2008