sllydell Posted January 23, 2010 ID:187824 Share Posted January 23, 2010 I can't seem to get rootkit off my machine. Here are the logs from anti-malware and GMERGMER 1.0.15.15281 - http://www.gmer.netRootkit scan 2010-01-22 20:48:30Windows 5.1.2600 Service Pack 2Running: wv447288.exe; Driver: C:\DOCUME~1\bbuckey\LOCALS~1\Temp\pwlyiaog.sys---- System - GMER 1.0.15 ----INT 0x01 \SystemRoot\system32\DRIVERS\ati2mtag.sys (ATI Radeon WindowsNT Miniport Driver/ATI Technologies Inc.) F6FEE59AINT 0x03 \SystemRoot\system32\DRIVERS\ati2mtag.sys (ATI Radeon WindowsNT Miniport Driver/ATI Technologies Inc.) F6FEE655Code 8465D920 ZwEnumerateKeyCode 84644E68 ZwFlushInstructionCacheCode 8461DADE IofCallDriverCode 846719EE IofCompleteRequest---- Devices - GMER 1.0.15 ----AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)---- Modules - GMER 1.0.15 ----Module \systemroot\system32\drivers\H8SRTmhgtelcfig.sys (*** hidden *** ) ED666000-ED683000 (118784 bytes) ---- Services - GMER 1.0.15 ----Service C:\WINDOWS\system32\drivers\H8SRTmhgtelcfig.sys (*** hidden *** ) [sYSTEM] H8SRTd.sys <-- ROOTKIT !!!---- Registry - GMER 1.0.15 ----Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@start 1Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@type 1Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTmhgtelcfig.sysReg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@group file systemReg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTmhgtelcfig.sysReg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTexclnrrvbj.dllReg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTkbyktmyoly.datReg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTinyrsdqtyv.dllReg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtmsg \\?\globalroot\systemroot\system32\H8SRTeacmiocqrl.dllReg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRTdbswaajuse.dllReg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@start 1Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@type 1Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTmhgtelcfig.sysReg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@group file systemReg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTmhgtelcfig.sysReg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTexclnrrvbj.dllReg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTkbyktmyoly.datReg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTinyrsdqtyv.dllReg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@h8srtmsg \\?\globalroot\systemroot\system32\H8SRTeacmiocqrl.dllReg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRTdbswaajuse.dll---- Files - GMER 1.0.15 ----File C:\Documents and Settings\All Users\Application Data\h8srtkrl32mainweq.dll 646 bytesFile C:\Documents and Settings\bbuckey\Local Settings\Temp\h8srtmainqt.dll 0 bytesFile C:\Documents and Settings\bbuckey\Local Settings\Temp\MPSampleSubmit\h8srteacmiocqrl.dll.xor 16896 bytesFile C:\Documents and Settings\bbuckey\Local Settings\Temp\MPSampleSubmit\h8srteacmiocqrl_1.dll.xor 16896 bytesFile C:\Documents and Settings\bbuckey\Local Settings\Temp\H8SRTcfc0.tmp 343040 bytes executableFile C:\WINDOWS\system32\drivers\H8SRTmhgtelcfig.sys 40960 bytes executable <-- ROOTKIT !!!File C:\WINDOWS\system32\H8SRTdbswaajuse.dll 40960 bytes executableFile C:\WINDOWS\system32\H8SRTeacmiocqrl.dll 16896 bytes executableFile C:\WINDOWS\system32\H8SRTexclnrrvbj.dll 23552 bytes executableFile C:\WINDOWS\system32\H8SRTinyrsdqtyv.dll 27136 bytes executableFile C:\WINDOWS\system32\H8SRTkbyktmyoly.dat 251 bytesFile C:\WINDOWS\system32\h8srtkrl32mainweq.dll 765 bytesFile C:\WINDOWS\system32\h8srtshsyst.dll 1048 bytes---- EOF - GMER 1.0.15 ----Memory Processes Infected: 0Memory Modules Infected: 1Registry Keys Infected: 1Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 1Memory Processes Infected:(No malicious items detected)Memory Modules Infected:\\?\globalroot\systemroot\system32\H8SRTeacmiocqrl.dll (Rootkit.TDSS.Gen) -> Delete on reboot.Registry Keys Infected:HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:\\?\globalroot\systemroot\system32\H8SRTeacmiocqrl.dll (Rootkit.TDSS.Gen) -> Quarantined and deleted successfully. Link to post Share on other sites More sharing options...
Staff screen317 Posted January 23, 2010 Staff ID:187984 Share Posted January 23, 2010 Hi and welcome to Malwarebytes.Please update MBAM, run a Quick Scan, then post its log.Next, download DDS by sUBs and save it to your Desktop.Double-click on the DDS icon and let the scan run. When it has run two logs will be produced, please post the one that is not minimized. Link to post Share on other sites More sharing options...
sllydell Posted January 23, 2010 Author ID:188100 Share Posted January 23, 2010 When i try to run DDS it just opens and closes and doesn't produce any output. I made sure it was unblocked by right clicking on it and selecting unblock but that didn't see to do the trick. any suggestions? Link to post Share on other sites More sharing options...
Staff screen317 Posted January 23, 2010 Staff ID:188200 Share Posted January 23, 2010 Skip that for now. Post the log from MBAM.Next, download RSIT by random/random and save it to your Desktop.Double click RSIT.exe to start the tool and click Continue at the disclaimer.When the scan completes it will open a log named log.txt maximized, and a log named info.txt minimized.Please post the contents of both logs here in your next reply. Link to post Share on other sites More sharing options...
Staff screen317 Posted February 3, 2010 Staff ID:193764 Share Posted February 3, 2010 Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts