Posts posted by sllydell
I can't seem to get the rootkit off my machine. Here are the logs from anti-malware and GMER.
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-22 20:48:30
Windows 5.1.2600 Service Pack 2
Running: wv447288.exe; Driver: C:\DOCUME~1\bbuckey\LOCALS~1\Temp\pwlyiaog.sys
---- System - GMER 1.0.15 ----
INT 0x01 \SystemRoot\system32\DRIVERS\ati2mtag.sys (ATI Radeon WindowsNT Miniport Driver/ATI Technologies Inc.) F6FEE59A
INT 0x03 \SystemRoot\system32\DRIVERS\ati2mtag.sys (ATI Radeon WindowsNT Miniport Driver/ATI Technologies Inc.) F6FEE655
Code 8465D920 ZwEnumerateKey
Code 84644E68 ZwFlushInstructionCache
Code 8461DADE IofCallDriver
Code 846719EE IofCompleteRequest
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
---- Modules - GMER 1.0.15 ----
Module \systemroot\system32\drivers\H8SRTmhgtelcfig.sys (*** hidden *** ) ED666000-ED683000 (118784 bytes)
---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\system32\drivers\H8SRTmhgtelcfig.sys (*** hidden *** ) [sYSTEM] H8SRTd.sys <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTmhgtelcfig.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTmhgtelcfig.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTexclnrrvbj.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTkbyktmyoly.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTinyrsdqtyv.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtmsg \\?\globalroot\systemroot\system32\H8SRTeacmiocqrl.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRTdbswaajuse.dll
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTmhgtelcfig.sys
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTmhgtelcfig.sys
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTexclnrrvbj.dll
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTkbyktmyoly.dat
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTinyrsdqtyv.dll
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@h8srtmsg \\?\globalroot\systemroot\system32\H8SRTeacmiocqrl.dll
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRTdbswaajuse.dll
---- Files - GMER 1.0.15 ----
File C:\Documents and Settings\All Users\Application Data\h8srtkrl32mainweq.dll 646 bytes
File C:\Documents and Settings\bbuckey\Local Settings\Temp\h8srtmainqt.dll 0 bytes
File C:\Documents and Settings\bbuckey\Local Settings\Temp\MPSampleSubmit\h8srteacmiocqrl.dll.xor 16896 bytes
File C:\Documents and Settings\bbuckey\Local Settings\Temp\MPSampleSubmit\h8srteacmiocqrl_1.dll.xor 16896 bytes
File C:\Documents and Settings\bbuckey\Local Settings\Temp\H8SRTcfc0.tmp 343040 bytes executable
File C:\WINDOWS\system32\drivers\H8SRTmhgtelcfig.sys 40960 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\H8SRTdbswaajuse.dll 40960 bytes executable
File C:\WINDOWS\system32\H8SRTeacmiocqrl.dll 16896 bytes executable
File C:\WINDOWS\system32\H8SRTexclnrrvbj.dll 23552 bytes executable
File C:\WINDOWS\system32\H8SRTinyrsdqtyv.dll 27136 bytes executable
File C:\WINDOWS\system32\H8SRTkbyktmyoly.dat 251 bytes
File C:\WINDOWS\system32\h8srtkrl32mainweq.dll 765 bytes
File C:\WINDOWS\system32\h8srtshsyst.dll 1048 bytes
---- EOF - GMER 1.0.15 ----
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
\\?\globalroot\systemroot\system32\H8SRTeacmiocqrl.dll (Rootkit.TDSS.Gen) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
\\?\globalroot\systemroot\system32\H8SRTeacmiocqrl.dll (Rootkit.TDSS.Gen) -> Quarantined and deleted successfully.
I have a Rootkit.TDSS on my machine right now and I can't seem to remove it. Malware detects a portion of the rootkit and removes it on a reboot; however, as soon as I connect my machine to the internet it is downloaded again, causing problems with Firefox, my anti-virus software and firewall. I don't have the logs at this time but will post them as soon as I get a chance. I was wondering if anyone
Rootkit need help (in Resolved Malware Removal Logs)
When I try to run DDS it just opens and closes and doesn't produce any output. I made sure it was unblocked by right-clicking on it and selecting Unblock, but that didn't seem to do the trick. Any suggestions?