
View Full Version : Rootkit issue (HJT won't start)



recaro
2009-09-18, 03:43
Background: Downloaded an .exe which then appeared as a virus on Avira (I still know where the link is if necessary). Immediately realized I didn't have Spybot on this new computer yet. Downloaded and installed. Acquired updates and immunized. When running a scan, the program shuts down/disappears.

When trying to uninstall/reinstall Spybot it allows it, but I cannot delete the original folder as the rootkit has taken some of my admin privileges away.

Programs tried (in this order):
Spybot
HJT
housecall

Followed these instructions:
http://www.safer-networking.org/en/faq/67.html

- ran the RootAlyzer, sent .cab file,

- ran ComboFix (which I now think was wrong?)

When rebooted, Explorer would not run and the only objects I could see were my now inactive and blank desktop with my Network Magic interface on top (only open program). I did a Windows restore to earlier that day, before I ran ComboFix.

Is this fixable, or would reformatting be a better option? Being that it is a new computer, I only have a small amount of files to transfer (but would they still be infected?).

I realize that I should have come here immediately, but HJT didn't seem to work anyway.

Help please.

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/09/17 19:43
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP2
==================================================

Drivers
-------------------
Name: dump_iaStorV.sys
Image Path: C:\Windows\System32\Drivers\dump_iaStorV.sys
Address: 0x82F0C000 Size: 659456 File Visible: No Signed: -
Status: -

Name: RKREVEAL150.SYS
Image Path: C:\Windows\system32\Drivers\RKREVEAL150.SYS
Address: 0xA6818000 Size: 4128 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0xA681A000 Size: 49152 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\Windows\win32k.sys:1
Address: 0x8CBD8000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\Windows\win32k.sys:2
Address: 0x8CBDD000 Size: 61440 File Visible: No Signed: -
Status: -

Processes
-------------------
Path: System
PID: 4 Status: Locked to the Windows API!

Path: C:\Windows\System32\audiodg.exe
PID: 1260 Status: Locked to the Windows API!

SSDT
-------------------
#: 078 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x88e769ec

#: 194 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x88e769d8

#: 201 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x88e769dd

#: 334 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x88e769e7

==EOF==

ttt~~~~
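Two things in the RootRepeal report above are worth pulling out automatically when triaging a log like this: driver entries whose image path is an NTFS alternate data stream (win32k.sys:1, win32k.sys:2) and SSDT entries hooked by a module RootRepeal reports as "<unknown>". The following parser is an added example, not part of the original post or of RootRepeal; it works on a constructed, cut-down copy of the report in the same format.

```python
import re

# Constructed sample: a cut-down copy of the RootRepeal report posted above (same format).
SAMPLE_REPORT = r"""Drivers
-------------------
Name: dump_iaStorV.sys
Image Path: C:\Windows\System32\Drivers\dump_iaStorV.sys
Address: 0x82F0C000 Size: 659456 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\Windows\win32k.sys:1
Address: 0x8CBD8000 Size: 20480 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 078 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x88e769ec

#: 334 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x88e769e7

==EOF==
"""

DRIVER_RE = re.compile(r"Name: (?P<name>\S+)\nImage Path: (?P<path>.+)\n.*File Visible: (?P<visible>\w+)")
HOOK_RE = re.compile(r'#: (?P<index>\d+) Function Name: (?P<func>\w+)\nStatus: Hooked by "(?P<module>[^"]*)" at address (?P<addr>0x[0-9a-fA-F]+)')

def parse_drivers(report):
    """Return one dict (name, path, visible) per entry in the Drivers section."""
    return [m.groupdict() for m in DRIVER_RE.finditer(report)]

def parse_ssdt_hooks(report):
    """Return one dict (index, func, module, addr) per hooked SSDT entry."""
    return [m.groupdict() for m in HOOK_RE.finditer(report)]

def find_indicators(report):
    """Flag the two items worth a second look in a RootRepeal report:
    drivers whose image path is an NTFS alternate data stream (file.sys:N),
    and SSDT hooks that RootRepeal could not attribute to any loaded module."""
    ads_drivers = [d["path"] for d in parse_drivers(report) if re.search(r"\.sys:\d+$", d["path"])]
    unknown_hooks = [h["func"] for h in parse_ssdt_hooks(report) if h["module"] == "<unknown>"]
    return {"ads_drivers": ads_drivers, "unknown_hooks": unknown_hooks}

if __name__ == "__main__":
    print(find_indicators(SAMPLE_REPORT))
```

Run against the full report, the hook list is the set of process and thread calls a helper tool such as HJT or Spybot needs, which is consistent with the scanners closing as soon as they start.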

recaro
2009-09-21, 04:24
Just delete this/archive this. Did a reformat and reinstall and everything is peachy.