
win32k.sys:1 and win32k.sys:2??



Hello. My boss's computer recently was infected with AVcare. I deleted the AVcare files, and the alerts stopped showing up, and no more AVcare files can be found, but I am still unable to run MBAM or McAfee. Using RootRepeal I found win32k.sys:1 and win32k.sys:2, both of which I was unable to remove with RootRepeal, and was unable to see with Xenon File Manager. I tried renaming MBAM, and it ran for a few seconds before it was closed. I have been unable to install HijackThis. Thanks in advance for your help!

Avenger Log:

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "{79007602-0CDB-4405-9DBF-1257BB3226ED}" found!

ImagePath: \systemroot\win32k.sys:1

Driver disable failed!

Start Type: 3 (Manual)

Rootkit scan completed.

Completed script processing.

*******************

Finished! Terminate.


I have downloaded and am currently running a boot CD created by secured2k from McAfee. When running McAfee VS it found uac68c6.tmp, calling it the DNSChanger!ba trojan. It also found C:\Documents and Settings\*username*\Local Settings\Temp\RarSFX0\42jmg.exe and said "the file could not be opened".


After the McAfee VS ran, this is the report it gave me. I renamed mbam.exe to eatthis.exe and now I am unable to even rename it.

McAfee VirusScan for Win32 v5.30.0

Copyright © 1992-2008 McAfee, Inc. All rights reserved.

(408) 988-3832 LICENSED COPY - Jun 16 2008

This product is fully supported.

This engine is fully supported.

Shell: 12.11 Build: 119

Engine: V5300.2777

Scan engine v5.3.00 for Win32.

Virus data file v5700 created Aug 06 2009

Scanning for 543519 viruses, trojans and variants.

08/07/2009 10:19:26

Options:

/LOAD VSRE.OPT

Scanning C: [sQ003914]

Scanning C:\*.*

C:\Documents and Settings\John DeVore\Local Settings\Temp\RarSFX0\42jmg.exe ... file could not be opened.

C:\Documents and Settings\John DeVore\Local Settings\Temp\UAC68c6.tmp ... Found the DNSChanger!ba trojan !!!

The file has been deleted.

C:\Program Files\AskSBar\bar\1.bin\A2HIGHIN.EXE ... Found potentially unwanted program ASKToolbar.

The file has been deleted.

C:\Program Files\AskSBar\bar\1.bin\A2PLUGIN.DLL ... Found potentially unwanted program ASKToolbar.dll.

The file has been deleted.

C:\Program Files\AskSBar\bar\1.bin\NPASKSBR.DLL ... Found potentially unwanted program ASKToolbar.dll.

The file has been deleted.

C:\Program Files\Malwarebytes' Anti-Malware\eatthis.exe ... file could not be opened.

C:\WINDOWS\$hf_mig$\{29F8DDC1-9487-49b8-B27E-3E0C3C1298FF} ... file could not be opened.

C:\WINDOWS\system32\drivers\UACyroruyabdw.sys ... Found the Generic FakeAlert!bd trojan !!!

The file has been deleted.

C:\WINDOWS\system32\dumprep.exe ... file could not be opened.

C:\WINDOWS\system32\UACkrigwrtevp.dll ... Found the Generic FakeAlert.k trojan !!!

The file has been deleted.

Summary report on C:\*.*

File(s)

Total files: ........... 140800

Clean: ................. 140794

Possibly Infected: ..... 3

Cleaned: ............... 0

Moved: ................. 0

Deleted: ............... 6

Non-critical Error(s): 1

Master Boot Record(s): ......... 1

Possibly Infected: ..... 0

Boot Sector(s): ................ 1

Possibly Infected: ..... 0

Scanning M: [boot]

Scanning M:\*.*

Summary report on M:\*.*

File(s)

Total files: ........... 18

Clean: ................. 18

Possibly Infected: ..... 0

Cleaned: ............... 0

Moved: ................. 0

Master Boot Record(s): ......... 1

Possibly Infected: ..... 0

Boot Sector(s): ................ 1

Possibly Infected: ..... 0

Time: 01:01.59

Error Code Returned: 13


Here is my most recent scan with RootRepeal.

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/08/07 11:56

Program Version: Version 1.3.3.0

Windows Version: Windows XP SP3

==================================================

Drivers

-------------------

Name: 1394BUS.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\1394BUS.SYS

Address: 0xF7503000 Size: 57344 File Visible: - Signed: -

Status: -

Name: ACPI.sys

Image Path: ACPI.sys

Address: 0xF7494000 Size: 187776 File Visible: - Signed: -

Status: -

Name: ACPI_HAL

Image Path: \Driver\ACPI_HAL

Address: 0x804D7000 Size: 2189056 File Visible: - Signed: -

Status: -

Name: ACPIEC.sys

Image Path: ACPIEC.sys

Address: 0xF78FF000 Size: 11648 File Visible: - Signed: -

Status: -

Name: AFS2K.SYS

Image Path: C:\WINDOWS\System32\Drivers\AFS2K.SYS

Address: 0xF75A3000 Size: 35840 File Visible: - Signed: -

Status: -

Name: Apfiltr.sys

Image Path: C:\WINDOWS\system32\DRIVERS\Apfiltr.sys

Address: 0xF7253000 Size: 98784 File Visible: - Signed: -

Status: -

Name: atapi.sys

Image Path: atapi.sys

Address: 0xF742E000 Size: 96512 File Visible: - Signed: -

Status: -

Name: BATTC.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\BATTC.SYS

Address: 0xF78FB000 Size: 16384 File Visible: - Signed: -

Status: -

Name: Beep.SYS

Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS

Address: 0xF7A01000 Size: 4224 File Visible: - Signed: -

Status: -

Name: BOOTVID.dll

Image Path: C:\WINDOWS\system32\BOOTVID.dll

Address: 0xF78F3000 Size: 12288 File Visible: - Signed: -

Status: -

Name: Cdfs.SYS

Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS

Address: 0xF70B8000 Size: 63744 File Visible: - Signed: -

Status: -

Name: cdrom.sys

Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys

Address: 0xF75B3000 Size: 62976 File Visible: - Signed: -

Status: -

Name: CLASSPNP.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS

Address: 0xF7543000 Size: 53248 File Visible: - Signed: -

Status: -

Name: compbatt.sys

Image Path: compbatt.sys

Address: 0xF78F7000 Size: 10240 File Visible: - Signed: -

Status: -

Name: disk.sys

Image Path: disk.sys

Address: 0xF7533000 Size: 36352 File Visible: - Signed: -

Status: -

Name: drvmcdb.sys

Image Path: drvmcdb.sys

Address: 0xF73F8000 Size: 86208 File Visible: - Signed: -

Status: -

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xF7110000 Size: 98304 File Visible: No Signed: -

Status: -

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xF7A13000 Size: 8192 File Visible: No Signed: -

Status: -

Name: Dxapi.sys

Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys

Address: 0xF71CA000 Size: 12288 File Visible: - Signed: -

Status: -

Name: dxg.sys

Image Path: C:\WINDOWS\System32\drivers\dxg.sys

Address: 0xBF9C3000 Size: 73728 File Visible: - Signed: -

Status: -

Name: dxgthk.sys

Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys

Address: 0xF7B89000 Size: 4096 File Visible: - Signed: -

Status: -

Name: EMS7SK.sys

Image Path: C:\WINDOWS\system32\DRIVERS\EMS7SK.sys

Address: 0xF7563000 Size: 57984 File Visible: - Signed: -

Status: -

Name: ESD7SK.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ESD7SK.sys

Address: 0xF7573000 Size: 37248 File Visible: - Signed: -

Status: -

Name: ESM7SK.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ESM7SK.sys

Address: 0xF726C000 Size: 74112 File Visible: - Signed: -

Status: -

Name: Fastfat.SYS

Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS

Address: 0xF7128000 Size: 143744 File Visible: - Signed: -

Status: -

Name: fltmgr.sys

Image Path: fltmgr.sys

Address: 0xF740E000 Size: 129792 File Visible: - Signed: -

Status: -

Name: framebuf.dll

Image Path: C:\WINDOWS\System32\framebuf.dll

Address: 0xBFF50000 Size: 12288 File Visible: - Signed: -

Status: -

Name: Fs_Rec.SYS

Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS

Address: 0xF79FD000 Size: 7936 File Visible: - Signed: -

Status: -

Name: ftdisk.sys

Image Path: ftdisk.sys

Address: 0xF7446000 Size: 125056 File Visible: - Signed: -

Status: -

Name: hal.dll

Image Path: C:\WINDOWS\system32\hal.dll

Address: 0x806EE000 Size: 131840 File Visible: - Signed: -

Status: -

Name: HIDCLASS.SYS

Image Path: C:\WINDOWS\System32\Drivers\HIDCLASS.SYS

Address: 0xF7613000 Size: 36864 File Visible: - Signed: -

Status: -

Name: HIDPARSE.SYS

Image Path: C:\WINDOWS\System32\Drivers\HIDPARSE.SYS

Address: 0xF786B000 Size: 28672 File Visible: - Signed: -

Status: -

Name: i8042prt.sys

Image Path: C:\WINDOWS\system32\DRIVERS\i8042prt.sys

Address: 0xF7583000 Size: 52480 File Visible: - Signed: -

Status: -

Name: imapi.sys

Image Path: C:\WINDOWS\system32\DRIVERS\imapi.sys

Address: 0xF7593000 Size: 42112 File Visible: - Signed: -

Status: -

Name: intelide.sys

Image Path: intelide.sys

Address: 0xF79E7000 Size: 5504 File Visible: - Signed: -

Status: -

Name: isapnp.sys

Image Path: isapnp.sys

Address: 0xF74E3000 Size: 37248 File Visible: - Signed: -

Status: -

Name: iviaspi.sys

Image Path: C:\WINDOWS\system32\drivers\iviaspi.sys

Address: 0xF77BB000 Size: 20992 File Visible: - Signed: -

Status: -

Name: kbdclass.sys

Image Path: C:\WINDOWS\system32\DRIVERS\kbdclass.sys

Address: 0xF78C3000 Size: 24576 File Visible: - Signed: -

Status: -

Name: KDCOM.DLL

Image Path: C:\WINDOWS\system32\KDCOM.DLL

Address: 0xF79E3000 Size: 8192 File Visible: - Signed: -

Status: -

Name: ks.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ks.sys

Address: 0xF7230000 Size: 143360 File Visible: - Signed: -

Status: -

Name: KSecDD.sys

Image Path: KSecDD.sys

Address: 0xF73E1000 Size: 92288 File Visible: - Signed: -

Status: -

Name: LHidFlt2.Sys

Image Path: C:\WINDOWS\system32\DRIVERS\LHidFlt2.Sys

Address: 0xF78AB000 Size: 24320 File Visible: - Signed: -

Status: -

Name: LHidUsb.Sys

Image Path: C:\WINDOWS\System32\Drivers\LHidUsb.Sys

Address: 0xF7603000 Size: 33504 File Visible: - Signed: -

Status: -

Name: LMouFlt2.Sys

Image Path: C:\WINDOWS\system32\DRIVERS\LMouFlt2.Sys

Address: 0xF7623000 Size: 63328 File Visible: - Signed: -

Status: -

Name: meiudf.sys

Image Path: C:\WINDOWS\System32\Drivers\meiudf.sys

Address: 0xF715D000 Size: 102112 File Visible: - Signed: -

Status: -

Name: mouclass.sys

Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys

Address: 0xF78EB000 Size: 23040 File Visible: - Signed: -

Status: -

Name: mouhid.sys

Image Path: C:\WINDOWS\system32\DRIVERS\mouhid.sys

Address: 0xF72B7000 Size: 12160 File Visible: - Signed: -

Status: -

Name: MountMgr.sys

Image Path: MountMgr.sys

Address: 0xF7513000 Size: 42368 File Visible: - Signed: -

Status: -

Name: Msfs.SYS

Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS

Address: 0xF77DB000 Size: 19072 File Visible: - Signed: -

Status: -

Name: mssmbios.sys

Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys

Address: 0xF798B000 Size: 15488 File Visible: - Signed: -

Status: -

Name: Mup.sys

Image Path: Mup.sys

Address: 0xF730D000 Size: 105344 File Visible: - Signed: -

Status: -

Name: NDIS.sys

Image Path: NDIS.sys

Address: 0xF7327000 Size: 182656 File Visible: - Signed: -

Status: -

Name: Npfs.SYS

Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS

Address: 0xF77EB000 Size: 30848 File Visible: - Signed: -

Status: -

Name: Ntfs.sys

Image Path: Ntfs.sys

Address: 0xF7354000 Size: 574976 File Visible: - Signed: -

Status: -

Name: ntoskrnl.exe

Image Path: C:\WINDOWS\system32\ntoskrnl.exe

Address: 0x804D7000 Size: 2189056 File Visible: - Signed: -

Status: -

Name: Null.SYS

Image Path: C:\WINDOWS\System32\Drivers\Null.SYS

Address: 0xF7B17000 Size: 2944 File Visible: - Signed: -

Status: -

Name: ohci1394.sys

Image Path: ohci1394.sys

Address: 0xF74F3000 Size: 61696 File Visible: - Signed: -

Status: -

Name: OPRGHDLR.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\OPRGHDLR.SYS

Address: 0xF7AAC000 Size: 4096 File Visible: - Signed: -

Status: -

Name: PartMgr.sys

Image Path: PartMgr.sys

Address: 0xF776B000 Size: 19712 File Visible: - Signed: -

Status: -

Name: pci.sys

Image Path: pci.sys

Address: 0xF7483000 Size: 68224 File Visible: - Signed: -

Status: -

Name: pciide.sys

Image Path: pciide.sys

Address: 0xF7AAB000 Size: 3328 File Visible: - Signed: -

Status: -

Name: PCIIDEX.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS

Address: 0xF7763000 Size: 28672 File Visible: - Signed: -

Status: -

Name: pcmcia.sys

Image Path: pcmcia.sys

Address: 0xF7465000 Size: 120192 File Visible: - Signed: -

Status: -

Name: pfc.sys

Image Path: C:\WINDOWS\system32\drivers\pfc.sys

Address: 0xF77A3000 Size: 21248 File Visible: - Signed: -

Status: -

Name: PnpManager

Image Path: \Driver\PnpManager

Address: 0x804D7000 Size: 2189056 File Visible: - Signed: -

Status: -

Name: PxHelp20.sys

Image Path: PxHelp20.sys

Address: 0xF7773000 Size: 20000 File Visible: - Signed: -

Status: -

Name: RAW

Image Path: \FileSystem\RAW

Address: 0x804D7000 Size: 2189056 File Visible: - Signed: -

Status: -

Name: redbook.sys

Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys

Address: 0xF75C3000 Size: 57600 File Visible: - Signed: -

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xF7663000 Size: 49152 File Visible: No Signed: -

Status: -

Name: sscdbhk5.sys

Image Path: C:\WINDOWS\system32\drivers\sscdbhk5.sys

Address: 0xF79EF000 Size: 5568 File Visible: - Signed: -

Status: -

Name: ssrtln.sys

Image Path: C:\WINDOWS\system32\drivers\ssrtln.sys

Address: 0xF78CB000 Size: 23488 File Visible: - Signed: -

Status: -

Name: swenum.sys

Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys

Address: 0xF79F5000 Size: 4352 File Visible: - Signed: -

Status: -

Name: termdd.sys

Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys

Address: 0xF75D3000 Size: 40704 File Visible: - Signed: -

Status: -

Name: Udfs.SYS

Image Path: C:\WINDOWS\System32\Drivers\Udfs.SYS

Address: 0xF714C000 Size: 66048 File Visible: - Signed: -

Status: -

Name: update.sys

Image Path: C:\WINDOWS\system32\DRIVERS\update.sys

Address: 0xF71D2000 Size: 384768 File Visible: - Signed: -

Status: -

Name: USBD.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS

Address: 0xF79F9000 Size: 8192 File Visible: - Signed: -

Status: -

Name: usbehci.sys

Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys

Address: 0xF787B000 Size: 30208 File Visible: - Signed: -

Status: -

Name: usbhub.sys

Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys

Address: 0xF75E3000 Size: 59520 File Visible: - Signed: -

Status: -

Name: USBPORT.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS

Address: 0xF727F000 Size: 147456 File Visible: - Signed: -

Status: -

Name: USBSTOR.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

Address: 0xF7813000 Size: 26368 File Visible: - Signed: -

Status: -

Name: usbuhci.sys

Image Path: C:\WINDOWS\system32\DRIVERS\usbuhci.sys

Address: 0xF784B000 Size: 20608 File Visible: - Signed: -

Status: -

Name: vga.sys

Image Path: C:\WINDOWS\System32\drivers\vga.sys

Address: 0xF78DB000 Size: 20992 File Visible: - Signed: -

Status: -

Name: VIDEOPRT.SYS

Image Path: C:\WINDOWS\System32\drivers\VIDEOPRT.SYS

Address: 0xF7196000 Size: 81920 File Visible: - Signed: -

Status: -

Name: VolSnap.sys

Image Path: VolSnap.sys

Address: 0xF7523000 Size: 52352 File Visible: - Signed: -

Status: -

Name: watchdog.sys

Image Path: C:\WINDOWS\System32\watchdog.sys

Address: 0xF7823000 Size: 20480 File Visible: - Signed: -

Status: -

Name: Win32k

Image Path: \Driver\Win32k

Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -

Status: -

Name: win32k.sys

Image Path: C:\WINDOWS\System32\win32k.sys

Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -

Status: -

Name: win32k.sys:1

Image Path: C:\WINDOWS\win32k.sys:1

Address: 0xF782B000 Size: 20480 File Visible: No Signed: -

Status: -

Name: win32k.sys:2

Image Path: C:\WINDOWS\win32k.sys:2

Address: 0xF70D8000 Size: 61440 File Visible: No Signed: -

Status: -

Name: WMILIB.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS

Address: 0xF79E5000 Size: 8192 File Visible: - Signed: -

Status: -

Name: WMIxWDM

Image Path: \Driver\WMIxWDM

Address: 0x804D7000 Size: 2189056 File Visible: - Signed: -

Status: -


I was finally able to locate and delete some UAC files associated with tr/tdss.waf, tr/tdss.wae, and tr/alureon.cd. I then ran RootRepeal. Following is the log.

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/08/07 13:34

Program Version: Version 1.3.3.0

Windows Version: Windows XP SP3

==================================================

Drivers

-------------------

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xEE716000 Size: 98304 File Visible: No Signed: -

Status: -

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xF7A19000 Size: 8192 File Visible: No Signed: -

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xB81B9000 Size: 49152 File Visible: No Signed: -

Status: -

Name: win32k.sys:1

Image Path: C:\WINDOWS\win32k.sys:1

Address: 0xF78E3000 Size: 20480 File Visible: No Signed: -

Status: -

Name: win32k.sys:2

Image Path: C:\WINDOWS\win32k.sys:2

Address: 0xEE88F000 Size: 61440 File Visible: No Signed: -

Status: -

Hidden Services

-------------------

Service Name: UACd.sys

Image Path: C:\WINDOWS\system32\drivers\UACyroruyabdw.sys

==EOF==

When I tried to scan for files, RootRepeal would crash every time when it came to $hf_mig$.
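What stands out in the two RootRepeal listings above is not "File Visible: No" by itself (dump_atapi.sys, dump_WMILIB.SYS and rootrepeal.sys are all reported that way and are expected), but the combination of an image path whose file name carries a ":" suffix, i.e. an NTFS alternate data stream, with a driver that is loaded in memory yet has no visible file. The following script is an added example, not code from the thread or from the RootRepeal project: it parses the "Drivers" records in the format RootRepeal prints, flags alternate-data-stream image paths and non-visible drivers separately, and suppresses the known-benign memory-only drivers. The sample log text and the KNOWN_INVISIBLE allow-list are constructed for the example and are assumptions, not part of the original post.

```python
"""Triage a RootRepeal "Drivers" listing for hidden or ADS-backed drivers.

Added example, not part of the forum thread or the RootRepeal tool.
The sample log below is constructed to mirror the thread's output.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample, modelled on the RootRepeal records in the thread.
SAMPLE_LOG = r"""
Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEE716000 Size: 98304 File Visible: No Signed: -
Status: -
Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF7354000 Size: 574976 File Visible: - Signed: -
Status: -
Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xF78E3000 Size: 20480 File Visible: No Signed: -
Status: -
Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xEE88F000 Size: 61440 File Visible: No Signed: -
Status: -
"""

# Assumed allow-list: drivers that legitimately exist only in memory
# (crash-dump copies of the boot-disk stack and the scanner's own driver).
KNOWN_INVISIBLE = {"dump_atapi.sys", "dump_wmilib.sys", "rootrepeal.sys"}

_ADDR_RE = re.compile(
    r"Address:\s+(0x[0-9A-Fa-f]+)\s+Size:\s+(\d+)\s+File Visible:\s+(\S+)"
)


@dataclass
class DriverRecord:
    name: str
    image_path: str = ""
    address: int = 0
    size: int = 0
    file_visible: str = "-"


def parse_drivers(text: str) -> List[DriverRecord]:
    """Collect each Name / Image Path / Address / Status record."""
    records: List[DriverRecord] = []
    current = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Name: "):
            current = {"name": line[len("Name: "):]}
        elif line.startswith("Image Path: "):
            current["image_path"] = line[len("Image Path: "):]
        elif line.startswith("Address: "):
            m = _ADDR_RE.match(line)
            if m:
                current["address"] = int(m.group(1), 16)
                current["size"] = int(m.group(2))
                current["file_visible"] = m.group(3)
        elif line.startswith("Status:") and "name" in current:
            # "Status:" closes the record; emit it and start fresh.
            records.append(DriverRecord(**current))
            current = {}
    return records


def is_ads_path(path: str) -> bool:
    """True when the file-name component contains ':' (an NTFS alternate
    data stream such as win32k.sys:1). The drive letter is excluded
    because only the part after the last backslash is examined."""
    basename = path.rsplit("\\", 1)[-1]
    return ":" in basename


def triage(records: List[DriverRecord]) -> List[Tuple[str, List[str]]]:
    """Return (driver name, reasons) for every record worth a closer look."""
    findings = []
    for r in records:
        reasons = []
        if is_ads_path(r.image_path):
            reasons.append("image path is an NTFS alternate data stream")
        if r.file_visible.lower() == "no" and r.name.lower() not in KNOWN_INVISIBLE:
            reasons.append("driver loaded but its file is not visible on disk")
        if reasons:
            findings.append((r.name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in triage(parse_drivers(SAMPLE_LOG)):
        print(f"{name}: {'; '.join(reasons)}")
```

Run against the thread's own logs, the dump_ drivers and rootrepeal.sys drop out on the allow-list, while win32k.sys:1 and win32k.sys:2 are flagged on both counts; the Avenger log's `\systemroot\win32k.sys:1` path is caught by the same basename check. Flagging the stream syntax independently of visibility matters because an ADS-backed driver that RootRepeal happens to see on disk would still be worth investigating.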


4 weeks later...
Root Admin

Since you appear to no longer be monitoring this post, we will assume that you've already addressed the issue and no longer require assistance, and we will close the post now.

If however you do still require assistance please send a private message to open the post again.

