
Rootkit Found - Posting 'Log'



FireSign
2009-04-19, 00:28
Hey, I re-installed Windows around 3 weeks ago, and for the past 2 weeks I've been experiencing some strange behaviour. So I started getting all my AV software again (I don't use much tbh, no firewalls, just Spybot S&D, CCleaner.. And when I have a virus or something, I just use Google and fix it, and if I come across any new tools while trying to fix it, I'll keep them ^^) It's fairly easy not to get viruses though, I've learnt to avoid them, but I guess I picked up a rootkit from a umm.. reverse game engineering site xD

Anyway, I didn't know I had a rootkit (now I do), so I installed Spybot, but it wouldn't run, and after a few reinstalls I uninstalled and sent you a reason why (when the uninstaller prompted me to).. This is the first time I've gotten a reply from one of those xD Thanks a lot for your efforts.. So after I uninstalled Spybot, I did everything I could in CCleaner, and a few other tools, nothing stopped the strange behaviour.. It's nothing too big though (at least I hope not), it just disconnects me from certain games, and gives me errors when trying to debug some of my game projects...

So anyway after googling, I found a tool called GMER (Rootkit Scanner).. And it picked up something straight away, but I insisted on finishing the scan.. the scan ran uninterrupted for 2 days but was stopped due to the power cutting out rofl (really bad luck I guess xD).. Anyway I've run some scans, I ran a full scan using NOD32, it picked something up, but didn't do anything about it lol..

Then I check my emails and find one from you guys ^^, I was about to just leave it on my PC cause I tried everything apart from a reformat xD..

----
Ok, so RootAlyzer picked up exactly the same thing as GMER (not in the Deep Scan though). I really don't want to do the Deep Scan, I mean a few hours would be fine, but if it takes around the same time as GMER then no thanks... Besides, GMER found this rootkit in the first 2 mins of the scan, then absolutely nothing in the rest of the time. But if you really want me to do a deep scan, I guess I will..

So I've deleted the rootkit I think, the quick scan came up with it, so I right-clicked the kit at the bottom, and clicked Show Details, then deleted the file, if I was wrong to do so.. I guess I'll try getting the rootkit again xD But anyway I tried to run Spybot again, but it still wouldn't, I'm guessing I have to restart my system.. so I'll do that after this post and see if it helps (would be kind of pointless, I know, but if the rootkit is still there or there's more rootkits (don't think there is but iunno) then this post wouldn't have been a waste of time ^^ and so I'll just edit it and say at the top if it's solved..

The rootkit being picked up is:

Service C:\WINDOWS\system32\drivers\gaopdxbobvphwcmevdlvbbaewkpbitttyqjvby.sys (*** hidden *** ) [SYSTEM] gaopdxserv.sys <-- ROOTKIT !!!

(That's what GMER detected, I've apparently deleted it in RootAlyzer, and it's not picking it up again in RootAlyzer's Quick Scan. RootAlyzer also picked up:

C:\WINDOWS\system32\drivers\gaopdxcounter (something like that, it's from memory since I closed RootAlyzer, but I deleted this file as well)

I run GMER, and it does a quick scan on startup also, but it's picking up the rootkit still (after I deleted it with RootAlyzer.)

So I'll restart my PC now, and hopefully the rootkit won't be able to start, and so GMER won't pick it up, but if you think I should remove the rest of it (if there's more files), or I should do a deep scan anyway, plz say.

FireSign
2009-04-19, 00:38
Ok, so it's not gone -.- lol..

And the QuickScan in RootAlyzer is picking it up again: (LOG from Quickscan)

// info: Rootkit removal help file
// copyright: (c) 2008 Safer Networking Ltd. All rights reserved.

:: RootAlyzer Results
File:"Hidden file","C:\WINDOWS\system32\gaopdxcounter"
File:"Hidden file","C:\WINDOWS\system32\gaopdxpdmixmtxowflngqajxdqhnsaokavoedw.dll"

So I think I'm gonna start a deep scan, unless that's all you need? Well I'll start a deep scan anyway, and keep checking here, if the provided info is all you need then tell me and I'll just stop the scan (if it's not completed).

Starting scan now. (BTW sorry for the lengthy posts XD, don't want to miss anything though, might help)
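As an added illustration (not part of the thread, and not Safer Networking's, GMER's or RootAlyzer's own code): a small Python script that parses the GMER service line and the RootAlyzer Quick Scan log quoted in the two posts above into one list of findings, then makes the checks a responder would otherwise do by eye: is each object hidden, did the scanner label it a rootkit, does the file name look machine-generated, and do all the names share a common prefix (which suggests one infection to be cleaned up as a whole). The line patterns are inferred from the two quoted fragments only, so they are an assumption about the tools' output format; the sample text is constructed from those fragments and embedded so the script runs offline.

```python
import ntpath
import os
import re
from dataclasses import dataclass

# Constructed samples: the GMER line and the RootAlyzer Quick Scan log
# quoted in the posts above, embedded here so the script runs offline.
GMER_SAMPLE = (
    r"Service C:\WINDOWS\system32\drivers\gaopdxbobvphwcmevdlvbbaewkpbitttyqjvby.sys"
    r" (*** hidden *** ) [SYSTEM] gaopdxserv.sys <-- ROOTKIT !!!"
)
ROOTALYZER_SAMPLE = r"""// info: Rootkit removal help file
// copyright: (c) 2008 Safer Networking Ltd. All rights reserved.

:: RootAlyzer Results
File:"Hidden file","C:\WINDOWS\system32\gaopdxcounter"
File:"Hidden file","C:\WINDOWS\system32\gaopdxpdmixmtxowflngqajxdqhnsaokavoedw.dll"
"""

# Line patterns inferred from the quoted output only (assumption: the real
# tools may emit other line shapes that these patterns do not cover).
GMER_SERVICE_RE = re.compile(
    r"^Service\s+(?P<path>\S+)\s+\((?P<flags>[^)]*)\)\s+"
    r"\[(?P<group>\w+)\]\s+(?P<service>\S+)(?P<tail>.*)$"
)
ROOTALYZER_RE = re.compile(r'^(?P<kind>\w+):"(?P<desc>[^"]*)","(?P<path>[^"]*)"$')


@dataclass
class Finding:
    source: str        # scanner that reported the object
    kind: str          # "Service" (GMER) or "File" (RootAlyzer)
    path: str          # full path as reported
    hidden: bool       # scanner says the object is hidden from normal APIs
    rootkit: bool      # scanner explicitly labelled it a rootkit
    service: str = ""  # service name, GMER only

    @property
    def basename(self) -> str:
        # ntpath splits on backslashes even when this runs on Linux/macOS.
        return ntpath.basename(self.path)

    @property
    def random_name(self) -> bool:
        # Heuristic: a long stem made only of lowercase letters, with no
        # digits, separators or recognisable words, looks machine-generated.
        stem = self.basename.rsplit(".", 1)[0]
        return len(stem) >= 20 and stem.isalpha() and stem.islower()


def parse_gmer(text: str) -> list:
    findings = []
    for line in text.splitlines():
        m = GMER_SERVICE_RE.match(line.strip())
        if m:
            findings.append(Finding(
                source="gmer", kind="Service", path=m["path"],
                hidden="hidden" in m["flags"],
                rootkit="ROOTKIT" in m["tail"],
                service=m["service"],
            ))
    return findings


def parse_rootalyzer(text: str) -> list:
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("//") or line.startswith("::"):
            continue  # comment header or ":: RootAlyzer Results" marker
        m = ROOTALYZER_RE.match(line)
        if m:
            findings.append(Finding(
                source="rootalyzer", kind=m["kind"], path=m["path"],
                hidden=m["desc"].lower().startswith("hidden"),
                rootkit=False,
            ))
    return findings


def parse_all(gmer_text: str, rootalyzer_text: str) -> list:
    return parse_gmer(gmer_text) + parse_rootalyzer(rootalyzer_text)


def shared_prefix(findings: list) -> str:
    # Longest common prefix of every reported file and service name; a
    # non-trivial prefix hints that the objects belong to one infection.
    names = [f.basename for f in findings] + [f.service for f in findings if f.service]
    return os.path.commonprefix(names) if names else ""


def summarize(findings: list) -> dict:
    return {
        "total": len(findings),
        "hidden": sum(f.hidden for f in findings),
        "flagged_rootkit": sum(f.rootkit for f in findings),
        "random_named": sum(f.random_name for f in findings),
        "shared_prefix": shared_prefix(findings),
    }


if __name__ == "__main__":
    found = parse_all(GMER_SAMPLE, ROOTALYZER_SAMPLE)
    for f in found:
        flags = ["hidden" if f.hidden else "visible"]
        if f.rootkit:
            flags.append("ROOTKIT")
        if f.random_name:
            flags.append("random-looking name")
        print(f"[{f.source}] {f.kind:<7} {f.path}  ({', '.join(flags)})")
    print(summarize(found))
```

On the quoted logs this yields three hidden objects, one explicitly flagged as a rootkit by GMER, two with random-looking 38-letter names, and a shared prefix of "gaopdx" across every file and service name, which is why deleting one file at a time (as the thread shows) leaves the driver free to recreate the rest after a reboot.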

Matt
2009-04-19, 00:50
Hi FireSign,

:welcome: to Safer Networking Forums. :)

Well, I'm not sure that your attitude to security tools is good... :rolleyes: Some advice: install a software firewall and an AntiVirus tool with real-time protection. I can give you some recommendations if you need them.

If you can't get rid of malware, there's always the possibility to do that (http://forums.spybot.info/showpost.php?p=304562&postcount=2).

FireSign
2009-04-19, 01:13
Well I've got NOD32 now, and ParetoLogic AntiSpyware, but don't use their real-time protection xD. I should get ZoneAlarm again, that was gd, made my startups pretty laggy.

Thanks for the info, I'll get a RootAlyzer log file ready, and a HijackThis log also, then I'll make another post in the malware removal section ^^

Thanks for the help.

Matt
2009-04-19, 01:44
Hi FireSign,

Thank you for this update.

You're welcome. ;)

tashi
2009-04-19, 09:43
FireSign's malware forum topic: http://forums.spybot.info/showthread.php?p=305952