
Thread: Rootkit Found - Posting 'Log'

  1. #1
    Junior Member
    Join Date
    Apr 2009
    Posts
    5

    Default Rootkit Found - Posting 'Log'

    Hey, I re-installed Windows around 3 weeks ago, and for the past 2 weeks I've been experiencing some strange behaviour. So I started getting all my AV software again (I don't use much tbh, no firewalls, just Spybot S&D, CCleaner.. And when I have a virus or something, I just use Google and fix it, and if I come across any new tools while trying to fix it, I'll keep them ^^) It's fairly easy not to get viruses tho, I've learnt to avoid them, but I guess I picked up a rootkit from a umm.. reverse game engineering site xD

    Anyway, I didn't know I had a rootkit (now I do), so I installed Spybot, but it wouldn't run, and after a few reinstalls I uninstalled and sent you a reason why (when the uninstaller prompted me to).. This is the first time I've gotten a reply from one of those xD Thanks a lot for your efforts.. So after I uninstalled Spybot, I did everything I could in CCleaner, and a few other tools; nothing stopped the strange behaviour.. It's nothing too big though (at least I hope not), it just disconnects me from certain games, and gives me errors when trying to debug some of my game projects...

    So anyway after googling, I found a tool called GMER (RootKit Scanner).. And it picked up something straight away, but I insisted on finishing the scan.. the scan ran uninterrupted for 2 days but was stopped due to the power cutting out rofl (really bad luck I guess xD).. Anyway I've run some scans, I ran a full scan using NOD32, it picked something up, but didn't do anything about it lol..

    Then I check my emails and find one from you guys ^^, I was about to just leave it on my PC cause I tried everything apart from a reformat xD..

    ----
    Ok, so RootAlyzer picked up exactly the same thing as GMER (not in the Deep scan tho). I really don't want to do the Deep Scan, I mean a few hours would be fine, but if it takes around the same time as GMER then no thanks... Besides, GMER found this rootkit in the first 2 mins of the scan, then absolutely nothing in the rest of the time. But if you really want me to do a deep scan, I guess I will..

    So I've deleted the rootkit I think, the quick scan came up with it, so I right-clicked the kit at the bottom, and clicked Show Details, then deleted the file, if I was wrong to do so.. I guess I'll try getting the rootkit again xD But anyway I tried to run Spybot again, but it still wouldn't, I'm guessing I have to restart my system.. so I'll do that after this post and see if it helps (would be kind of pointless, I know, but if the rootkit is still there or there's more rootkits (don't think there is but iunno) then this post wouldn't have been a waste of time ^^ and so I'll just edit it and say at the top if it's solved..

    The rootkit being picked up is:

    Service C:\WINDOWS\system32\drivers\gaopdxbobvphwcmevdlvbbaewkpbitttyqjvby.sys (*** hidden *** ) [SYSTEM] gaopdxserv.sys <-- ROOTKIT !!!

    (That's what GMER detected, I've apparently deleted it in RootAlyzer, and it's not picking it up again in RootAlyzer's Quick Scan. RootAlyzer also picked up:

    C:\WINDOWS\system32\drivers\gaopdxcounter (something like that, it's from memory since I closed RootAlyzer, but I deleted this file as well)

    I run GMER, and it does a quick scan on startup also, but it's picking up the rootkit still (after I deleted it with RootAlyzer.)

    So I'll restart my PC now, and hopefully the rootkit won't be able to start, and so GMER won't pick it up, but if you think I should remove the rest of it (if there's more files, or I should do a deepscan anyway, plz say).

  2. #2
    Junior Member
    Join Date
    Apr 2009
    Posts
    5

    Default

    Ok, so it's not gone -.- lol..

    And the QuickScan in RootAlyzer is picking it up again: (LOG from Quickscan)

    // info: Rootkit removal help file
    // copyright: (c) 2008 Safer Networking Ltd. All rights reserved.

    :: RootAlyzer Results
    File:"Hidden file","C:\WINDOWS\system32\gaopdxcounter"
    File:"Hidden file","C:\WINDOWS\system32\gaopdxpdmixmtxowflngqajxdqhnsaokavoedw.dll"

    So I think I'm gonna start a deep scan, unless that's all you need? Well I'll start a deep scan anyway, and keep checking here, if the provided info is all you need then tell me and I'll just stop the scan (if it's not completed).

    Starting scan now. (BTW sorry for the lengthy posts XD, don't want to miss anything though, might help)
    Last edited by FireSign; 2009-04-19 at 00:39.
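The RootAlyzer quick-scan output quoted above has a simple line format (`File:"description","path"`). As an added example that is not part of the thread or of RootAlyzer itself, the script below parses that format into records and summarises the findings the way a responder would before deciding what to remove: which entries are hidden files, which file names look machine-generated (the `looks_random` heuristic is an assumption of this example, not a RootAlyzer feature), and what prefix the flagged names share. The sample log is the one from this post.

```python
"""Parse RootAlyzer quick-scan results into structured records and summarise them.

Added example (not from the thread or from Safer Networking). The sample log is
copied from post #2 above; the name heuristic is an assumption of this example.
"""
import os
import re
from dataclasses import dataclass

# Sample input: the RootAlyzer quick-scan result quoted in the thread.
SAMPLE_LOG = """\
// info: Rootkit removal help file
// copyright: (c) 2008 Safer Networking Ltd. All rights reserved.

:: RootAlyzer Results
File:"Hidden file","C:\\WINDOWS\\system32\\gaopdxcounter"
File:"Hidden file","C:\\WINDOWS\\system32\\gaopdxpdmixmtxowflngqajxdqhnsaokavoedw.dll"
"""

# A result line has the shape  Kind:"description","path"
ENTRY_RE = re.compile(r'^(?P<kind>\w+):"(?P<desc>[^"]*)","(?P<path>[^"]*)"\s*$')


@dataclass
class Entry:
    kind: str
    description: str
    path: str

    @property
    def basename(self) -> str:
        # Windows path: take the component after the last backslash
        return self.path.rsplit("\\", 1)[-1]


def parse_rootalyzer(text: str) -> list[Entry]:
    """Return one Entry per result line; comments (//) and section headers (::) are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("//") or line.startswith("::"):
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m["kind"], m["desc"], m["path"]))
    return entries


def looks_random(name: str, min_len: int = 20) -> bool:
    """Heuristic (assumption of this example): a long stem made only of lowercase
    letters, with no digits or separators, is unlikely to be a legitimate system file name."""
    stem = name.rsplit(".", 1)[0]
    return len(stem) >= min_len and stem.isalpha() and stem.islower()


def summarize(entries: list[Entry]) -> dict:
    """Group the findings: hidden file paths, random-looking names, and the prefix
    shared by all reported names (a hint that they belong to one component set)."""
    names = [e.basename for e in entries]
    return {
        "hidden_files": [e.path for e in entries if e.description.lower() == "hidden file"],
        "random_names": [n for n in names if looks_random(n)],
        "shared_prefix": os.path.commonprefix(names) if len(names) > 1 else "",
    }


if __name__ == "__main__":
    found = parse_rootalyzer(SAMPLE_LOG)
    for e in found:
        print(f"{e.kind:5} {e.description:12} {e.path}")
    print(summarize(found))
```

Run stand-alone it prints the two hidden-file entries and a summary whose shared prefix is `gaopdx`; the same parser works on a full deep-scan export, since only the result lines are matched and everything else is ignored.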

  3. #3
    Senior Member Matt's Avatar
    Join Date
    Aug 2006
    Location
    Bavaria
    Posts
    1,169

    Default

    Hi FireSign,

    Welcome to Safer Networking Forums.

    Well, I'm not sure that your attitude regarding security tools is good... Some advice: install a software firewall and an AntiVirus tool with real-time protection. I can give you some recommendations if you need them.

    If you can't get rid of Malware, there's always the possibility to do that.
    Best regards - Beste Grüße,

    Matt

  4. #4
    Junior Member
    Join Date
    Apr 2009
    Posts
    5

    Default

    Well I've got NOD32 now, and ParetoLogic AntiSpyware, but don't use their realtime protection xD. I should get ZoneAlarm again, that was good, made my startups pretty laggy.

    Thanks for the info, I'll get a RootAlyzer log file ready, and a HijackThis log also, then I'll make another post in the malware removal section ^^

    Thanks for the help.

  5. #5
    Senior Member Matt's Avatar
    Join Date
    Aug 2006
    Location
    Bavaria
    Posts
    1,169

    Default

    Hi FireSign,

    Thank you for this update.

    You're welcome.
    Best regards - Beste Grüße,

    Matt

  6. #6
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,955

    Default

    FireSign's malware forum topic: http://forums.spybot.info/showthread.php?p=305952
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
