
Thread: Infected with several rootkits

#11 Junior Member (Join Date: Nov 2012, Posts: 20)

Yes, a lot of lag when I type, Chrome crashing a lot, lag when editing my pictures, etc.

#12 Emeritus (Join Date: Nov 2005, Location: @localhost, Posts: 6,066)

That was fast. Looks like you have Defender, Ad-aware, Emisoft and Spybot. I am not sure if all these have real-time protection features. If they do, it means they are running in the background; most likely you would see their icon down by the clock. If that's the case, having 4 running is too much. They will chew up system resources. It's also not necessary, because they often overlap in what they provide.
You can check them for the option not to start with Windows. One along with your AV is plenty. You could use the others for on-demand scanning.
    How Can I Reduce My Risk?

#13 Junior Member (Join Date: Nov 2012, Posts: 20)

Hmm, Defender I am pretty sure I disabled, unless it was enabled somehow; Ad-aware I uninstalled a long time ago, perhaps there are remains of the application in the registry. Spybot I only installed because you asked me to, otherwise I would only be running Emisoft. But still I get the same symptoms without these applications. I am pretty sure I am infected with something, probably deep within.

#14 Emeritus (Join Date: Nov 2005, Location: @localhost, Posts: 6,066)

You're right, those are registry entries; I was working from memory. Those tools you have run are for detecting and removing rootkits, which are, as you say, "deep within" the OS. We can get one more to run:

Please download aswmbr.exe to your desktop.

Never mind, you've run that already. Log looks OK. Are you getting web page redirection?
    Last edited by shelf life; 2012-11-22 at 04:48.

#15 Junior Member (Join Date: Nov 2012, Posts: 20)

    aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
    Run date: 2012-11-12 04:50:29
    -----------------------------
    04:50:29.311 OS Version: Windows 6.0.6002 Service Pack 2
    04:50:29.311 Number of processors: 4 586 0xF0B
    04:50:29.312 ComputerName: ROMSTER2 UserName: R0M
    04:50:30.993 Initialize success
    04:50:55.166 AVAST engine defs: 12111101
    04:51:00.456 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
    04:51:00.457 Disk 0 Vendor: SAMSUNG_HD502IJ 1AA01113 Size: 476940MB BusType: 3
    04:51:00.460 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T0L0-2
    04:51:00.462 Disk 1 Vendor: ST31000340AS SD1A Size: 953869MB BusType: 3
    04:51:00.464 Disk 2 \Device\Harddisk2\DR2 -> \Device\0000007a
    04:51:00.467 Disk 2 Vendor: Size: 953869MB BusType: 0
    04:51:00.469 Disk 3 \Device\Harddisk3\DR3 -> \Device\0000007b
    04:51:00.472 Disk 3 Vendor: Size: 953869MB BusType: 0
    04:51:00.475 Disk 4 \Device\Harddisk4\DR4 -> \Device\0000007c
    04:51:00.478 Disk 4 Vendor: Size: 953869MB BusType: 0
    04:51:00.481 Disk 5 \Device\Harddisk5\DR5 -> \Device\0000007d
    04:51:00.484 Disk 5 Vendor: Size: 953869MB BusType: 0
    04:51:00.488 Disk 6 \Device\Harddisk6\DR6 -> \Device\00000085
    04:51:00.493 Disk 6 Vendor: Size: 953869MB BusType: 0
    04:51:00.514 Disk 0 MBR read successfully
    04:51:00.518 Disk 0 MBR scan
    04:51:00.524 Disk 0 Windows VISTA default MBR code
    04:51:00.529 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 62 MB offset 63
    04:51:00.538 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 15360 MB offset 129024
    04:51:00.553 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 461516 MB offset 31586304
    04:51:00.571 Disk 0 scanning sectors +976771072
    04:51:00.695 Disk 0 scanning C:\Windows\system32\drivers
    04:51:11.830 Service scanning
    04:51:33.878 Modules scanning
    04:51:42.230 Disk 0 trace - called modules:
    04:51:42.286 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS pciide.sys
    04:51:42.290 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x860a54c0]
    04:51:42.294 3 CLASSPNP.SYS[8ada48b3] -> nt!IofCallDriver -> [0x8522c538]
    04:51:42.299 5 acpi.sys[830956bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x84ff0b98]
    04:51:43.779 AVAST engine scan C:\Windows
    04:51:52.920 AVAST engine scan C:\Windows\system32
    04:54:22.138 AVAST engine scan C:\Windows\system32\drivers
    04:54:33.384 AVAST engine scan C:\Users\R0M
    06:19:08.902 AVAST engine scan C:\ProgramData
    06:21:16.968 Scan finished successfully
    12:35:53.441 Disk 0 MBR has been saved successfully to "C:\Users\R0M\Desktop\MBR.dat"
    12:35:53.508 The log file has been saved successfully to "C:\Users\R0M\Desktop\aswMBR.txt"


    aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
    Run date: 2012-11-21 21:24:43
    -----------------------------
    21:24:43.169 OS Version: Windows 6.0.6002 Service Pack 2
    21:24:43.169 Number of processors: 4 586 0xF0B
    21:24:43.171 ComputerName: ROMSTER2 UserName: R0M
    21:25:49.823 Initialize success
    22:06:20.818 AVAST engine defs: 12112101
    22:07:54.646 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
    22:07:54.648 Disk 0 Vendor: SAMSUNG_HD502IJ 1AA01113 Size: 476940MB BusType: 3
    22:07:54.651 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T0L0-2
    22:07:54.653 Disk 1 Vendor: ST31000340AS SD1A Size: 953869MB BusType: 3
    22:07:54.656 Disk 2 \Device\Harddisk2\DR2 -> \Device\0000007c
    22:07:54.658 Disk 2 Vendor: Size: 953869MB BusType: 0
    22:07:54.660 Disk 3 \Device\Harddisk3\DR3 -> \Device\0000007d
    22:07:54.663 Disk 3 Vendor: Size: 953869MB BusType: 0
    22:07:54.667 Disk 4 \Device\Harddisk4\DR4 -> \Device\0000007e
    22:07:54.670 Disk 4 Vendor: Size: 953869MB BusType: 0
    22:07:54.673 Disk 5 \Device\Harddisk5\DR5 -> \Device\0000007f
    22:07:54.676 Disk 5 Vendor: Size: 953869MB BusType: 0
    22:07:54.680 Disk 6 \Device\Harddisk6\DR6 -> \Device\00000085
    22:07:54.685 Disk 6 Vendor: Size: 953869MB BusType: 0
    22:07:54.697 Disk 0 MBR read successfully
    22:07:54.702 Disk 0 MBR scan
    22:07:54.779 Disk 0 Windows VISTA default MBR code
    22:07:54.784 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 62 MB offset 63
    22:07:54.804 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 15360 MB offset 129024
    22:07:54.818 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 461516 MB offset 31586304
    22:07:54.826 Disk 0 scanning sectors +976771072
    22:07:54.901 Disk 0 scanning C:\Windows\system32\drivers
    22:08:05.150 Service scanning
    22:08:28.750 Modules scanning
    22:08:33.491 Disk 0 trace - called modules:
    22:08:33.549 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS pciide.sys
    22:08:33.554 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x860a8770]
    22:08:33.558 3 CLASSPNP.SYS[8ada58b3] -> nt!IofCallDriver -> [0x85e67220]
    22:08:33.563 5 acpi.sys[8309e6bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x85dcd820]
    22:08:35.518 AVAST engine scan C:\Windows
    22:08:41.953 AVAST engine scan C:\Windows\system32
    22:11:58.077 AVAST engine scan C:\Windows\system32\drivers
    22:12:09.505 AVAST engine scan C:\Users\R0M
    23:52:50.137 AVAST engine scan C:\ProgramData
    23:55:38.871 Scan finished successfully
    03:54:34.129 Disk 0 MBR has been saved successfully to "C:\Users\R0M\Desktop\MBR.dat"
    03:54:34.894 The log file has been saved successfully to "C:\Users\R0M\Desktop\aswMBR.txt"
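
The two logs above are what shelf life judged to look OK in #14. As an added example (not aswMBR's own code or documentation, and not code from anyone in the thread), the following Python script parses the parts of an aswMBR log that matter for a rootkit check: the MBR code verdict, the partition table, the drivers aswMBR found in the disk I/O path, and the call chain. It then flags anything unexpected and diffs two runs while masking the kernel addresses in square brackets, which legitimately change between boots (compare the 2012-11-12 and 2012-11-21 traces above). The allowlist of stock drivers, the "tampered" second run and the driver name unknown_filter.sys are assumptions constructed for the example; the first sample is an abbreviated excerpt of the log posted above.

```python
# Added example for this thread (not aswMBR's or any poster's code): parse aswMBR logs,
# sanity-check a run, and diff two runs while ignoring per-boot kernel address churn.
import re
from collections import namedtuple
from dataclasses import dataclass, field

# Abbreviated excerpt of the first aswMBR log posted above, used as sample input.
SAMPLE_RUN = r"""Run date: 2012-11-12 04:50:29
04:51:00.524 Disk 0 Windows VISTA default MBR code
04:51:00.529 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 62 MB offset 63
04:51:00.538 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 15360 MB offset 129024
04:51:00.553 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 461516 MB offset 31586304
04:51:42.230 Disk 0 trace - called modules:
04:51:42.286 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS pciide.sys
04:51:42.290 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x860a54c0]
04:51:42.294 3 CLASSPNP.SYS[8ada48b3] -> nt!IofCallDriver -> [0x8522c538]
04:51:42.299 5 acpi.sys[830956bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x84ff0b98]
"""
# Constructed (hypothetical) later run, not from the thread: addresses moved as they do after
# a reboot, and a made-up driver name has appeared in the disk I/O path.
TAMPERED_RUN = (SAMPLE_RUN.replace("0x860a54c0", "0x860a8770").replace("8ada48b3", "8ada58b3")
                .replace("pciide.sys", "pciide.sys unknown_filter.sys"))

TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3} (.*)$")
PART_RE = re.compile(r"^Disk (\d+) Partition (\d+) ([0-9A-F]{2}) (?:\(A\) )?([0-9A-F]{2}) "
                     r"(.+?) (\d+) MB offset (\d+)$")
MBR_CODE_RE = re.compile(r"^Disk (\d+) (.*MBR code.*)$")
TRACE_RE = re.compile(r"^\d+ .+->")
ADDR_RE = re.compile(r"\[(?:0x)?[0-9a-fA-F]+\]")   # "[0x860a54c0]" / "[8ada48b3]"

# Assumption: allowlist of the stock disk I/O stack exactly as the posted logs show it;
# extend it for other hardware. Anything else in this chain deserves a closer look.
KNOWN_STORAGE_STACK = {"ntkrnlpa.exe", "classpnp.sys", "disk.sys", "acpi.sys",
                       "hal.dll", "ataport.sys", "pciide.sys"}

# boot_flag "80" = active, "00" = not; type_id is the MBR type byte ("07" NTFS, "DE" Dell Utility)
Partition = namedtuple("Partition", "disk index boot_flag type_id description size_mb offset")


@dataclass
class AswMbrRun:
    run_date: str = ""
    mbr_verdict: dict = field(default_factory=dict)   # disk number -> verdict text
    partitions: list = field(default_factory=list)
    stack_modules: list = field(default_factory=list)
    trace: list = field(default_factory=list)          # call chain with addresses masked


def parse_aswmbr(text: str) -> AswMbrRun:
    run, expect_modules = AswMbrRun(), False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Run date:"):
            run.run_date = line.split(":", 1)[1].strip()
            continue
        m = TS_RE.match(line)
        if not m:
            continue                      # banner and separator lines
        body = m.group(1)
        if expect_modules:                # the line after the trace header lists the stack
            run.stack_modules, expect_modules = body.split(), False
        elif body.endswith("trace - called modules:"):
            expect_modules = True
        elif (pm := PART_RE.match(body)):
            d, i, flag, tid, desc, size, off = pm.groups()
            run.partitions.append(Partition(int(d), int(i), flag, tid, desc, int(size), int(off)))
        elif (mm := MBR_CODE_RE.match(body)):
            run.mbr_verdict[int(mm.group(1))] = mm.group(2)
        elif TRACE_RE.match(body):
            run.trace.append(ADDR_RE.sub("[addr]", body))   # addresses change every boot
    return run


def review(run: AswMbrRun) -> list:
    """Findings for one run; an empty list means nothing stood out."""
    findings = []
    for disk, verdict in sorted(run.mbr_verdict.items()):
        if "default MBR code" not in verdict:
            findings.append(f"disk {disk}: MBR code not reported as default ({verdict})")
    if sum(p.boot_flag == "80" for p in run.partitions) != 1:
        findings.append("expected exactly one active partition")
    unknown = [x for x in run.stack_modules if x.lower() not in KNOWN_STORAGE_STACK]
    if unknown:
        findings.append("unrecognised module(s) in disk I/O path: " + ", ".join(unknown))
    return findings


def compare_runs(a: AswMbrRun, b: AswMbrRun) -> list:
    """Differences that matter between two runs; per-boot address churn is ignored."""
    checks = [("partition table changed", a.partitions != b.partitions),
              ("MBR verdict changed", a.mbr_verdict != b.mbr_verdict),
              ("disk I/O stack modules changed",
               [x.lower() for x in a.stack_modules] != [x.lower() for x in b.stack_modules]),
              ("call chain shape changed", a.trace != b.trace)]
    return [msg for msg, changed in checks if changed]


if __name__ == "__main__":
    posted, later = parse_aswmbr(SAMPLE_RUN), parse_aswmbr(TAMPERED_RUN)
    print("posted run:", review(posted) or "nothing stood out")
    print("constructed run:", review(later), compare_runs(posted, later))
```

Run as a script, the posted excerpt comes up clean and the constructed run is flagged for the extra driver only, since the address changes are masked. A verdict other than "default MBR code" only means the loader is not the stock one aswMBR recognises; on a machine with a third-party boot manager that is expected, so that finding is a prompt to look, not proof of infection.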

#16 Junior Member (Join Date: Nov 2012, Posts: 20)

Very rarely I get redirection, why?

#17 Junior Member (Join Date: Nov 2012, Posts: 20)

I am more concerned about the hidden directories found in my c:\windows\system32; how come we don't get rid of them?

#18 Emeritus (Join Date: Nov 2005, Location: @localhost, Posts: 6,066)

Hi oyehia,

Redirection could be a sign of a rootkit. Really it would be like your browser had a mind of its own, ending up at sites you had no intention of going to.

Those files found by rootalyzer, I can't say what the significance is or if they are actual files. I am not familiar with rootalyzer or its findings. If they had identifiable extensions like .dll or .sys, then they most likely would have shown up in the other tools you ran.

#19 Junior Member (Join Date: Nov 2012, Posts: 20)

So what is the next step, and who can help with the rootanalyzer program? It seems we are going in a circle here...

#20 Emeritus (Join Date: Nov 2005, Location: @localhost, Posts: 6,066)

    There is a forum here for rootalyzer help.