
GMER detects rootkit modifications

Q: GMER detects rootkit modifications

Hi all,
 
After running GMER, I am being notified that there are "rootkit modifications" detected. I'm very concerned, and I'd be grateful if someone could help me out in disinfecting my computer. I can attach or copy&paste logs if required.
 
TDSSKiller and MalwareBytes have not detected anything, but it seems that GMER and RogueKiller do.
 
I am very new to malware detection and removal, so I apologise for any incompetencies.
 
Thank you.
 
Edit: I think I posted this topic in the wrong forum, and that it should have been in the Virus and Malware Removal forum.
 
Moderator Edit: Moved from Windows 8 to a more appropriate forum.
Roger


A: GMER detects rootkit modifications

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
To help Bleeping Computer better assist you please perform the following steps:
***************************************************
In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.
CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/530827 <<< CLICK THIS LINK
If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.
***************************************************
If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:
If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post. Please do this even if you have previously posted logs for us. If you were unable to produce the logs originally please try once more. If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system. If you are unsure about any of these characteristics just post what you can and we will guide you.
Please tell us if you have your original Windows CD/DVD available.
Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.
Thank you for your patience, and again sorry for the delay.
***************************************************
We need to see some information about what is happening in your machine. Please perform the following scan again:
Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.
DDS.com Download Link
Double click on the DDS icon, allow it to run. A small box will open, with an explanation about the tool. No input is needed, the scan is running. Notepad will open with the results. Follow the instructions that pop up for posting the results. Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control can be found HERE.
As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!


[I cannot write or attach anything substantial - I keep getting 'the connection to the server was reset' after copying and pasting the HJT, dds, and GMER files.]

How do I post...?
 


Hi,

I ran GMER and I received a warning message that there were system modifications caused by possible rootkit activity. GMER also shows a hidden library, but does not report a rootkit and does not give me the option of deleting the library. Please help. Is my computer infected? My GMER and DDS log files are attached below. Thanks!

A: Possible rootkit - GMER detects hidden library

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
To help Bleeping Computer better assist you please perform the following steps:
***************************************************
In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.
CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/462375 <<< CLICK THIS LINK
If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.
***************************************************
If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lo... Read more

A:It says Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

Hello my name is Sempai and welcome to Bleeping Computer.
* We apologize for the delay. Forum have been busy.
* I want you to understand that I'm still a trainee here. I will be working with my Coach who will approve all my instructions before posting them to you, so there's a possibility to have some delays in my responses. But the good part is, there are two people reviewing your problem instead of one.
* It is important not to make any further changes or run any other tools unless instructed to. This may hinder the cleaning process of your machine.
* You must reply within 5 days otherwise this topic will be closed.
1. We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructions that pop up for posting the results.
Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE
2. We Need to check for Rootkits with RootRepeal
Download RootRepeal from the following ... Read more


Less than a month ago, I had these problems resolved: http://www.bleepingcomputer.com/forums/topic387528.html
Then about a week ago, I began to see message balloons popping up from the window bar about "Windows - Corrupt File. The file or directory \Program Files\MOZILL~1 is corrupt and unreadable, please run Chkdsk utility." Various file names appear, including Taskmgr and several others. Whenever I try to open a new browser window, Windows tries to begin an installation process using the standard windows installer message, which I abort. At least one time it tried to install Adobe Acrobat 7.1.0 Standard. After trying to install on its own, I received this message: "Adobe Acrobat 7.1.0 Standard: Error 1304. Error writing to program file C:\Program Files\Adobe\Acrobat 7.0\Distillr\ace.dll. Verify that you have access to that directory." I haven't closed out of that dialogue yet because it seems to be preventing other installation routines from starting.
This whole portion of the episode may have been the result of trying to output a PDF file from within Pagemaker 7 - which I haven't used in a year - and it failed to output. Also began to receive the Windows - Corrupt File messages as independent pop-up windows - mostly involving files in the Mozilla directory.
Here is the GMER log file:
Next, I received several InstallShield messages, including this one that I did not initiate:
Sonic Update Manager
Error writing to fi... Read more

A: GMER detects root kit - file or directory corrupt or unreadable messages were the tipoff

Hello and welcome to Bleeping Computer
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
Please take note:
If you have since resolved the original problem you were having, we would appreciate you letting us know.
If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
If you are unsure about any of these characteristics just post what you can and we will guide you.
Please tell us if you have your original Windows CD/DVD available.
If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply'... Read more


Hi.
So after running FRST two days ago, I found a lot of odd duplicates of legitimate files with this string added in front: {ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0.
 
Basically, it looks something like this: 
HKU\S-1-5-21-403728013-4087379911-1177270023-1008\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank (legitimate)
HKU\S-1-5-21-403728013-4087379911-1177270023-1008-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank (duplicate)
 
Some other duplicates involve Sandboxie, CCleaner and Chrome processes. Removing them with FRST only results in them coming back the next day. I've run just about everything: RKill, TDSSKiller, MBAM, Avira, AdwCleaner and JRT, which results in no infections. But these weren't here before the night of Friday in which I accidentally accessed a non-reputable site, so I'm inclined to think they're malicious.
 
I'm using Windows XP.

A: Possible rootkit/adware, but nothing detects it

Update: I recently discovered two dllhost.exe processes running, and while that doesn't necessarily mean anything, normally there is only one process running. I can't recall the last time I've seen two.


Good evening,

AVG 2011 detects a rootkit infection but cannot remove it; how can I remove the rootkit infection?

Thank you.

Lurdez

A: AVG detects Rootkit but cannot remove it

Please go here.... Preparation Guide, do steps 6 - 9. Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks. If Gmer won't run, skip it and move on. Let me know if that went well.


Hello BC, This is a Dell Inspiron E1505 with WinXP sp3. It was previously cleaned thanks to (BC's) Myrti's help, after infection when I clicked on an evil nacha.org email and phoney "failed ACH transfer" message about 6 months ago. That thread is here. The computer was apparently clean after combofix'd. However, since this infection earlier this year, I've not trusted this machine for contacting my financial institutions. But, it's getting increasingly inconvenient to instead use separate Win7 machine for that purpose and I'd love to go back to this WinXP machine as my main computer, including for talking to my trading accounts. I don't have any specific symptom that told me this WinXP computer was in trouble... but just to feel better, I just ran RKU (still on my desktop from downloading earlier with Myrti) according to the instructions from Myrti earlier. The report ends with several "unknown threads" and the warning "possible rootkit activity!" So, I hope I can get some handholding in sorting this out. Here's the RKU report...

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2154496 bytes (Microsoft Corporation, NT Kernel & System)
0x80... Read more

A: RKU detects possible rootkit activity

Hello and welcome to Bleeping Computer
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
Please take note:
If you have since resolved the original problem you were having, we would appreciate you letting us know.
If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
If you are unsure about any of these characteristics just post what you can and we will guide you.
Please tell us if you have your original Windows CD/DVD available.
If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the '... Read more


I'm so so so desperate. I can't get rid of the rootkit virus that has taken over my computer. I don't know what to do. I feel so helpless and I need to salvage this computer so badly. I can't even finish running combofix because everytime it asks me to restart, when it finally does it is as if nothing happens. My computer is so slow and all my searches on the internet gets so messed up. I really need someone's help on this. Please!!! Someone out there help me.

A: ComboFix detects Rootkit Zero Access

what is your operating system?


So in the past two days my computer has been slow and freezes occasionally. I decided to run AVG and it has found 9 threats labeled IRP hook that won't delete on their own and I'm too afraid to manually remove (did a virus scan last week and did not find anything). I also cannot use system restore or roll back or start safe mode for some odd reason. Additionally I ran Malwarebytes which found some PUPs which I deleted and seemingly sped up my computer, but AVG still detects the IRP HOOK. I believe I am infected. Please help.
 
Systems Specs
 
Windows 7
Intel processor i3 2.10 GHz CPU
64 Bit OS
4 Gb RAM

A: Am I infected? AVG detects IRP HOOK rootkit

With a rootkit it is best to repost your topic... Please follow this Preparation Guide and post in a new topic. Let me know if all went well.


The temp file is detected as being infected with Hacktool.Rootkit and deleted at reboot and each time I open Windows Explorer. The infected file is always located in the temp folder in the user profile and it's always named with some variation of "rld1.tmp". I've followed all the instructions on the "Preparation Guide For Use Before Posting A Hijackthis Log, Instructions for receiving help in cleaning your computer" page and it seems to have helped, but I still get the occasional detection as described above. Here's my HJT log. You guys are the best!!! You saved my butt a few years ago on another computer with a virus/malware issue that I couldn't resolve on my own. TYVM!!! - Kman

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:04:34 AM, on 10/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.ex... Read more

A: Norton detects Hacktool.Rootkit

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you with your log.
I apologize for the delay in response. We get overwhelmed with logs at times, but we are trying our best to keep up. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following so I can have a look at the current condition of your machine.
You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
Please take note of some guidelines for this fix:
Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part... Read more


Hi guys, I have a problem: ComboFix detects rootkit activity in my PC, after rebooting nothing, I have to reboot the PC, then it starts to do its job, then after a scan the rootkit activity is still there according to ComboFix, then repeating the process again and again. I scanned my PC with GMER, nothing suspicious, I scanned with Malwarebytes, also nothing suspicious, I checked my MBR with mbr.exe, nothing, everything OK, I don't know anymore, here is some info on what GMER is telling me.

GMER 1.0.15.15477 - http://www.gmer.net
Rootkit scan 2010-11-08 14:26:01
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Botak\LOCALS~1\Temp\pxtdrpow.sys
---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwConnectPort [0xB4A50534]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateFile [0xB4A4A782]
SSDT BA6B9166 ZwCreateKey
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreatePort [0xB4A50CC0]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProces... Read more

A: combofix detects rootkit activity, but?

Please note the message text in blue at the top of the Am I infected? What do I do? forum.
or
Please note the message text in blue at the top of this forum.
No one should be using ComboFix unless specifically instructed to do so by a Malware Removal Expert who can interpret the logs. It is a powerful tool intended by its creator to be "used under the guidance and supervision of an expert". Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. Please read the pinned topic ComboFix usage, Questions, Help? - Look here.
With that said, if you receive a message that "Combofix has detected the presence of rootkit activity and needs to reboot", you should have been instructed to write down the list of any files present in the message before continuing, and then to provide that information to the Helper who instructed you to run the tool.
If you ran ComboFix on your own due to malware infection, please be aware that using ComboFix is only one part of the disinfection process. Therefore we ask that you please read the pinned topic titled "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help". When you have done that, post your log in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts.
If you do not have a malware infection, then you should not be running tools like ComboFix or GMER ju... Read more
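The GMER excerpt quoted in the question above shows the two shapes an SSDT line takes in that tool's output: hooks GMER can attribute to a loaded driver (here ZoneAlarm's vsdatant.sys, a firewall driver expected to hook these calls, as the descriptive text in parentheses shows) and a hook it can only report as a raw address with no owning module (`SSDT BA6B9166 ZwCreateKey`), which is the line a helper needs more information about before deciding anything. The Python script below is an added example, not code from GMER or from anyone in the thread: it parses both shapes, groups attributed hooks per driver, lists unattributed hooks for follow-up, and applies one heuristic of my own (a hooking driver loaded from a temp or user-profile directory is worth a second look). The sample log is constructed from the excerpt above; the function names, the output wording and the path heuristic are assumptions of the example.

```python
"""Triage of GMER 'SSDT' hook lines (added example, not GMER's own code)."""
import re
from collections import defaultdict

# Constructed sample, modelled on the GMER excerpt quoted in the thread above
# (same line format and addresses; the truncated ZwCreateProcess line is left out).
SAMPLE_GMER_LOG = r"""GMER 1.0.15.15477 - http://www.gmer.net
Rootkit scan 2010-11-08 14:26:01
Windows 5.1.2600 Service Pack 3
---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwConnectPort [0xB4A50534]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateFile [0xB4A4A782]
SSDT BA6B9166 ZwCreateKey
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreatePort [0xB4A50CC0]
"""

# Hook whose handler GMER could map to a loaded module: path, (description), function, [address].
ATTRIBUTED = re.compile(
    r"^SSDT\s+(?P<module>\S+)\s+\((?P<desc>[^)]*)\)\s+(?P<func>\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]\s*$"
)
# Hook whose handler lies outside any module GMER knows: only a raw address and the function.
UNATTRIBUTED = re.compile(r"^SSDT\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<func>\w+)\s*$")

# Heuristic (an assumption of this example): kernel drivers normally live under the system
# directory, so a hooking driver loaded from a temp or user-profile path deserves a look.
UNUSUAL_PATH = re.compile(r"\\(temp|documents and settings|users|docume~1)\\", re.IGNORECASE)


def parse_ssdt_line(line):
    """Return a dict describing one SSDT hook line, or None for any other line."""
    m = ATTRIBUTED.match(line)
    if m:
        return {"func": m["func"], "addr": int(m["addr"], 16),
                "module": m["module"], "desc": m["desc"]}
    m = UNATTRIBUTED.match(line)
    if m:
        return {"func": m["func"], "addr": int(m["addr"], 16), "module": None, "desc": ""}
    return None


def triage(log_text):
    """Group the SSDT hooks of a GMER log so a helper sees what needs follow-up.

    attributed   : module path -> sorted list of hooked functions
    unattributed : hooks with no owning module (the lines to ask about first)
    unusual_path : attributed hooks whose driver sits in a temp/profile directory
    """
    result = {"attributed": defaultdict(list), "unattributed": [], "unusual_path": []}
    for line in log_text.splitlines():
        hook = parse_ssdt_line(line.strip())
        if hook is None:
            continue
        if hook["module"] is None:
            result["unattributed"].append(hook)
            continue
        result["attributed"][hook["module"]].append(hook["func"])
        if UNUSUAL_PATH.search(hook["module"]):
            result["unusual_path"].append(hook)
    result["attributed"] = {k: sorted(v) for k, v in result["attributed"].items()}
    return result


def report(log_text):
    """Human-readable summary of triage(); returns the lines instead of printing them."""
    t = triage(log_text)
    lines = []
    for module, funcs in sorted(t["attributed"].items()):
        lines.append(f"{module}: {len(funcs)} hook(s): {', '.join(funcs)}")
    for h in t["unattributed"]:
        lines.append(f"UNATTRIBUTED hook on {h['func']} at 0x{h['addr']:08X}: find the owning module")
    for h in t["unusual_path"]:
        lines.append(f"UNUSUAL LOCATION: {h['module']} hooks {h['func']}")
    if not lines:
        lines.append("no SSDT hooks found")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_GMER_LOG)))
```

Run against the constructed sample this prints one summary line for vsdatant.sys with its three hooks and one UNATTRIBUTED line for ZwCreateKey at 0xBA6B9166. An unattributed hook is not a verdict: it only says GMER could not tie the handler to a module it knows about, which is exactly why helpers ask for the full log rather than a screenshot.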


Good day Malware Fighting Dudes.
Picked up a nasty and ran Malwarebytes. 8 files detected but only 7 removed.
My first question: I'm going to be away from my desk for 2 weeks starting Sunday so was wondering if it was worth starting a support session with you kind folks today or better off waiting to when I return.
Cheers
Nigel
UPDATE: GMER runs for about 30 seconds, listing processes and so on, then my PC crashes to BSOD (ouch)
UPDATE: DDS and Attach attached

A: rootkit.bubnix - malwarebytes detects but does not remove

Good evening. Threads are normally locked after five days of inactivity, so I suggest waiting to deal with any nasties your PC has until you get back from your jollies.


Hello, on scanning my computer with AVG Anti-Rootkit latest version, it detects a hidden driver file with a seemingly random name in the C: system32 drivers folder. I force AVG to fix it and to finish the fix it needs to reboot, but the next time I boot and run AVG Anti-Rootkit it immediately detects another hidden driver in the same location with a different name, e.g. a4j01ztw.sys, a8bs781d.sys etc. I haven't noticed anything going wrong with my computer but I'm a bit worried in case I'm being keylogged or something. Also a couple of days ago the AVG virus scan told me my MBR had been modified, but this hasn't affected the operation of the computer so far. The latter change may have occurred when I allowed a registry change while installing a game. I had all my virus/spybot/firewall turned off at the time in case it interfered with the installation.

I would be grateful for any help or information.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:31:57, on 25/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\mgabg.exe
C:\WINDOWS\system32\wwSecure.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\... Read more


I'm new to RogueKiller but found something on it that makes me nervous, I hope I'm in the right place for this. Here's the report it found... I might be overreacting.

RogueKiller V10.0.2.0 (x64) [Oct 16 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Stephen [Administrator]
Mode : Scan -- Date : 10/17/2014  11:55:26
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 0 ¤¤¤
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ Hosts File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost
 
¤¤¤ Antirootkit : 33 (Driver: Loaded) ¤¤¤
[IAT:Addr] (explorer.exe @ POWRPROF.dll) SETUPAPI.dll - CM_Get_DevNode_Status : C:\Windows\system32\CFGMGR32.dll @ 0x7fefd5130c0
[IAT:Addr] (explorer.exe @ POWRPROF.dll) SETUPAPI.dll - CM_Get_Device_IDW : C:\Windows\system32\CFGMGR32.dll @ 0x7fefd514034
[IAT:Addr] (explorer.exe @ WININET.dll) api-ms-win-downlevel-version-l1-1-0.dll - VerQueryValueW : C:\Windows\system32\version.DLL @ 0x7fefcb115e0
[IAT:Addr] (explorer.exe @ WININET.dll) api-ms-win-... Read more

A: RogueKiller Detects PUP Rootkit Viruses. Need Confirmation.

I might better add some info in case it might help: I've run Malwarebytes Anti-Malware & Anti-Rootkit full scans, AdwCleaner, & Kaspersky TDSSKiller. All have reported no viruses. I've run them in safe mode too, because I've heard that some viruses can only be removed in safe mode. Though if you ask me for the log I may have to scan again just to get it.


Hello,

For the past two days, I have been getting notifications from Avira about TR/rootkit.gen and TR/Dldr.FaudLo.sxm.
Also, Task Manager shows that braviax.exe is running. So far, the obvious symptoms are a red X next to the clock and spontaneous shutting down of Windows.

please find here attached the DDSLog and DDS Attach,

also, I included the HJT log

Thanks for the help

DDS (Ver_09-07-30.01) - NTFSx86
Run by MASTER at 16:29:12,25 on 16/08/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Édition familiale 5.1.2600.3.1252.33.1036.18.1013.604 [GMT 2:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\System Control Manager\MSIService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
... Read more

A: Avira detects TR/rootkit.gen and TR/Dldr.FaudLo.sxm

Hello again,

I have been researching this issue for the past couple of days and have relied greatly on information from others' posts in the forum. I have run MBAM a couple of times, cleaned up some junk and tried to gain a general understanding of these malware issues.

I have noticed that I have no alerts from Avira when I am offline. I have not reconnected and will not do so until you say so... As it stands right now (offline) there seems to be no infection. However, I am positive that when I reconnect, the alerts will come back.

In the past couple of days (since my first post), I have run:

MBAM (see reports)
Autoruns (could not attach file)
F-Secure Blacklight (found nothing)
GMER (found nothing suspicious)
RootRepeal (see file)

I would like to include the following, to give you the latest and most accurate information:

1) updated DDSlog and DDSattach (dated in the filename for august 19)

2) MBAM logs, including today's that shows no infection

3) Rootrepealreport

4) Latest HJTlog, dated today 19/08

I will not make any changes until I hear from you.
Thanks!!
DDSlog:

DDS (Ver_09-07-30.01) - NTFSx86
Run by MASTER at 12:10:31,43 on 19/08/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Édition familiale 5.1.2600.3.1252.33.1036.18.1013.604 [GMT 2:00]

AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\sy... Read more


Hi,
Avast detects a rootkit and asks if it should delete it. I say yes, it asks for a reboot and a boot scan, which I agree to... but then at the boot scan it doesn't detect anything and doesn't remove anything either. Later I get the message again stating that Avast has detected a rootkit in the c:system32 files... and I think it states that it's in the drive:sfloppy.sys
I also did an Avast full scan which also shows that there is a threat, but when asked to delete it... it goes through the same process of restart > bootscan > nothing deleted and again the same pop-up message.
I think Avast is unable to remove that threat.
Please help.

A: Avast detects a rootkit but is unable to delete it.

Here's the DDS report:

.
DDS (Ver_11-05-19.01) - FAT32x86
Internet Explorer: 8.0.6001.18702
Run by Digital choice at 23:54:03 on 2011-12-06
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.247.30 [GMT 5.5:30]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Digital choice\My Documents\Downloads\dds.scr
C:\WINDOWS\system32\WSCRIPT.exe
C:\Program Files\AVAST Software\Avast\defs\11120602\Sf.bin
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a59... Read more


Not sure if this is a Malwarebytes issue or a Rollback rx issue
but after today's Malwarebytes update it flagged itself as malware lol
A scans done files checked on Virus total,

 

A:Malwarebytes Anti-Malware Detects itself as rootkit

Yea I have the same problem here :-D I see that they released some new update.
 


Hi

I keep getting messages from Avast that a malicious URL has been blocked in process C:\windows\system32\svchost.exe
It also discovered a rootkit when I ran a boot scan.

I've tried to get rid of this but it keeps returning:(
Any help would be greatly appreciated.

Thanks.

A:Avast detects threat in svchost.exe + rootkit

OK now. TDSSKiller did the trick.


http://sagearchetype.blogspot.in/2013/12/my-rootkit.html
 
Above are screen shots from gmer.
Do  I have a rootkit ?
 
Have Ran the following
Spybot,Malwarebytes,Microsoft Essentials,Avast Antivirus
haven't found any bugs. Have run ccleaner.
 
After running CHKDSK and again running gmer, the
alerts in the two screen shots then disappeared ??
My PC is awfully slow. Though I have only 1 GB RAM.
But the PC has become slower than before. 
 
Also ran other Anti Rootkit, Tdskiller and Rootkit Revealer,
and some others.
 
screen shots in above link.
 
 

A:Gmer log Do I have a rootkit ?

Can you post the logs for the tools you have ran?


I believe I may have a rootkit problem. My machine started freezing up when coming out of screensaver. I was able to check the services, and found 374039819:4103779561.exe running. On reboot, although it is just 4++ bytes, it hung up for awhile before allowing the rest of the services to load.

My antivirus progs were 'inaccessible,' and could not be deleted (for a clean install). I ended up with Opencloud Security, but was able to download and run malwarebytes, which removed it (I believe). mbam worked for awhile before suffering the same fate as the other progs, but not until I realized it was blocking 'something' from accessing websites. I am assuming this is how Opencloud reached my 'puter.

I cannot run any helper programs in a normal boot. I can, however, boot to safe mode and/or w/networking, although I was having problems for awhile (the boot hung at mup.sys - this seems corrected). I ran dds and gmer while on safe mode. dds logs are below, but there was no way to save the gmer log without copying it explicitly. I am rerunning the scan to get the full log. The problem was that there was no 'copy' or 'save' button on my screen. I would assume that this is because safe mode puts me at 600x800, and the gmer display is larger than that. If not, I have no idea.

In normal boot, there is a svchost error at the user screen.

I normally don't run more than one antivirus, but you may see more than that in the logs.

This i... Read more

A:rootkit (gmer) --

Hi, Please do the following: Download ComboFix from one of the following locations: Link 1 Link 2 VERY IMPORTANT !!! Save ComboFix.exe to your Desktop * IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here. Double click on ComboFix.exe & follow the prompts. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: Click on Yes, to continue scanning for malware. When finished, it shall produce a log for you. Please include the C:\C... Read more


Hello. My computer was acting weird and I did a reinstall of Windows because I thought I could have a rootkit. I deleted partitions and installed Windows 7 with the CD.
So, I directly installed Gmer to check if it's removed.
Here's the log. Please Help me guys.. I am so sad..
Are those false positives? Is my system clear or am I still infected after the reinstall of Windows?
GMER 2.1.19163 - hxxp://www.gmer.net
Rootkit scan 2013-10-29 19:46:31
Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST1000DM003-1CH162 rev.CC56 931,51GB
Running: gmer_2.1.19163.exe; Driver: C:\Users\IsaUhr\AppData\Local\Temp\ffdiqpog.sys
---- Threads - GMER 2.1 ----
Thread C:\Windows\system32\svchost.exe [964:2596] 000007fefad31ebc
Thread C:\Windows\system32\svchost.exe [964:776] 000007feeb7fb1b0
---- EOF - GMER 2.1 ----

A:GMER ROOTKIT

Hi and Welcome!!   
 
My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:
The fixes are specific to your problem and should only be used for the issues on this machine.
It's often worth reading through these instructions and printing them for ease of reference.
If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
Please reply to this thread. Do not start a new topic.
If you happen to have a flash drive/thumb drive please have that ready in the event that we need to use it.
Please be sure to subscribe to the topic if you have not already done so.
IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so. DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your operating system and losing all your programs and data.
 
Having said that....     Let's get going!!  
----------
 
Since you reinstalled your operating system you are more than likely ok.  When you do that, the entire hard drive is wiped and all new information is install... Read more


Hi,

Just before my recent move my PC began acting funny. I had just updated my program version of Zone Alarm Pro and their forum showed a lot of people having difficulties. As clearing this up involved a lot of time I left it until after my move. However the problems became worse. Using Norton System Works I discovered my CPU, RAM and Cache Memory were always at 100%. Even in Safe Mode, with only Microsoft's Malicious Software Removal Tool ( MMSRT) running, Task Manager still showed CPU at 100%. This got me thinking perhaps it's not ZAP - either I need more power or... I may have a rootkit.

I'll briefly describe a) the PC behavior, b) the steps I've taken and c) the results of the GMER scan below and hopefully someone will be able to help me.

PC Behaviour: Would freeze on Blue Screen after Boot Screen when I restarted but worked if I turned it off and then on/ Two system crashes, after which it rebooted and Microsoft Error Reporting reported one due two a device driver and the other as a corrupted error report. / A new printer icon under Printers in Control Panel ( which I deleted but don't think it uninstalled the driver) / IE, Windows Explorer, and other Win Apps "encountering problems and having to close down." / Blue Screen on some Startups and not others even if I turned it completely on and off. / Spyware Doctor not loading at Startup even though set to, plus it's sys tray icon sometimes not displaying even while Task Manager s... Read more

A:GMER says ROOTKIT - HELP PLEASE


Hi guys,Well I'm here today to ask for some help. My computer recently got the Win32/Rootkit.Agent.ODG trojan and ESET NOD32 can't get rid of it. I've also tried Malwarebytes and it doesn't even detect it. So I was wondering, is there a way to get rid of this virus. And also, what harm can it do to my computer. Thank you very much,Armando.Edit: Moved topic from XP to the more appropriate forum. ~ Animal

A:Win32/Rootkit.Agent.ODG trojan, ESET detects it, but can't get rid of it. Please help!

Please download RootRepeal Rootkit Detector and save it to your Desktop. * Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan. * Click this link to see a list of such programs and how to disable them. * Create a new folder on your hard drive called RootRepeal (C:\RootRepeal) and extract (unzip) RootRepeal.zip. (click here if you're not sure how to do this. Vista users refer to this link.) * Open the folder and double-click on RootRepeal.exe to launch it. If using Vista, right-click and Run as Administrator... * Click on the Files tab, then click the Scan button. * In the Select Drives, dialog Please select drives to scan: select all drives showing, then click OK. * When the scan has completed, a list of files will be generated in the RootRepeal window. * Click on the Save Report button and save it as rootrepeal.txt to your desktop or the same location where you ran the tool from. * Open rootrepeal.txt in Notepad and copy/paste its contents in your next reply. * Exit RootRepeal and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.Note: If RootRepeal cannot complete a scan and results in a crash report, try repeating the scan in "Safe Mode".


Below is a log from GMER.  I am looking for a rootkit on a user's system.  One may be there, one may not.  Please help!
GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-08-31 14:12:58
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 SAMSUNG_ rev.CXM0 238.47GB
Running: upuwyqeu.exe; Driver: C:\Users\JOEVAN~1\AppData\Local\Temp\kwpirpob.sys
---- Kernel code sections - GMER 2.1 ----
INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 544    fffff800031f2000 45 bytes [24, B8, 00, 00, 00, 48, 89, ...]
INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 590    &... Read more

A:Rootkit - GMER - Log reading

I do understand that:
 
.text     C:\Windows\SysWOW64\rpcnet.exe[2480] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322                                                         0000000073ce1a22 2 bytes [CE, 73]
.text     C:\Windows\SysWOW64\rpcnet.exe[2480] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496                                                         0000000073ce1ad0 2 bytes [CE, 73]
.text     C:\Windows\SysWOW64\rpcnet.exe[2480] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552                                                         0000000073ce1b08 2 bytes [CE, 73]
.text &#... Read more


The only thing I can post here is this initial log from when gmer opens. When I attempt to run a gmer or dds scan the computer hangs and I have to reset it.
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-07-30 15:45:56
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-3 ST3802110A rev.3.AAJ
Running: iexplorer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kxadqaod.sys
---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xEE786BF2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xEE786A5D]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xEE7DE398]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem ... Read more

A:Nasty Rootkit won't let me run dds, gmer

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together. Do not run any other tool until instructed to do so! Please Do not Attach logs or put in code boxes. Tell me about any problems that have occurred during the fix. Tell me of any other symptoms you may be having as these can help also. Do not run anything while running a fix. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here. Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster. The first thing I would like you to do is run this for me - http://download.bleepingcomputer.com/grinler/unhide.exe after it is complete restart the computer and continue with these steps. Download and run OTL: Download OTL by Old Timer and save it to your Desktop. Double click on OTL.exe to run it. Under Output, ensure that Minimal Output is selected. Under Extra Registry section, select Use SafeList. Click the Scan All Users checkbox. Under the Custom Scan box paste this in

%TEMP%\smtmp&... Read more


I posted here the other day to get help about "something" that is badly affecting my laptop. I suspect it is the Seneka rootkit thing.

Instructions were given to me in the other thread I made and I have tried to follow them to the letter but whenever I try and run GMER Rootkit Scanner the laptop bluescreens and crashes.

I was able to run dds and get those logs but have now tried to run GMER Rootkit Scanner 5 times with no success.

It has even been an effort to try and post here because my browser keeps wanting to redirect me to ad sites

What do I do next if I can't run GMER Rootkit Scanner?

Bump

I received some advice in a PM that indicated I should post my dds.txt file as a starting point. So here it is.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Matt at 18:07:25.05 on Wed 29/09/2010
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_18
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.61.1033.18.1015.332 [GMT 10:00]

AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Kaspersky Anti-Virus *disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k s... Read more

A:Can't run GMER Rootkit Scanner

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------Please download Rootkit Unhooker and save it to your desktop.
Right-click RKUnhookerLE.exe and choose 'Run as administrator'.
Click the Report tab, then click Scan
Check Drivers and Stealth Code, Files, and Code Hooks
Uncheck the rest, then click OK
When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
Wait till the scanner has finished then go File > Save Report
Save the report somewhere you can find it. Click Close then Yes
Copy the entire contents of the report and paste it in your next reply.
Note: If you get a message 'Rootkit Unhooker has detected parasite inside itself!
It is recommended to remove parasite, okay?', click Okay

------------------------------------------------------


closed

A:GMER found rootkit

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here. To help Bleeping Computer better assist you please perform the following steps:*************************************************** In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/438680 <<< CLICK THIS LINK If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.*************************************************** If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lo... Read more


Can you take a look at these logs please and let me know if I should just burn this computer? Thanks
 
GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-08-22 07:12:46
Windows 6.2.9200  x64 \Device\Harddisk0\DR0 -> \Device\0000002d ST1000LM024_HN-M101MBB rev.2BA30001 931.51GB
Running: gmer.exe; Driver: C:\Users\Freedom\AppData\Local\Temp\agndipod.sys
---- Threads - GMER 2.2 ----
Thread   C:\WINDOWS\system32\csrss.exe [7812:8120]                                                                                                    fffffc6505056c20
---- Services - GMER 2.2 ----
Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )                                                        ... Read more

A:GMER says rootkit all over its log file

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 21-08-2016 01
Ran by Freedom (administrator) on DESKTOP-3BKBK04 (22-08-2016 09:26:08)
Running from C:\Users\Freedom\Desktop
Loaded Profiles: Freedom (Available Profiles: Freedom)
Platform: Windows 10 Home Version 1607 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Security\Norton Security\Engine\22.7.1.32\ns.exe
() C:\Program Files\AVAST Software\SecureLine\VpnSvc.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Security\Norton Security\Engine\22.7.1.32\ns.exe
(Dashlane, Inc.) C:\Users\Freedom\AppData\Roaming\Dashlane\Dashlane.exe
() C:\Users\Freedom\AppData\Roaming\Dashlane\DashlanePlugin.exe
(AVAST Software) C:\Program Files\AVAST Software\SecureLine\SecureLine.... Read more


These are the results I obtained from a Gmer scan in safe mode. None of these were highlighted in red; btw, is the red highlighting an indicator of harmful infection?

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-25 18:16:38
Windows 6.0.6002 Service Pack 2
Running: 9xibzucq.exe
---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\002186d2c7c5 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\[email protected] 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\[email protected] 0x0C 0xF1 0xA6 0xAE ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002186d2c7c5
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\[email protected] 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\[email protected] 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\[email protected] 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\[email protected] 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\[email protected] 0x0C 0xF1 0xA6 0xAE ...
Reg HKLM\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\002186d2c7c5 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\S... Read more

A:Is Gmer detecting a rootkit?


Avg tells me that this is the rootkit culprit that is killing my processing
"C:\WINDOWS\System32\Drivers\akqmesdq.SYS";"Hidden driver";"Object is hidden"

And I can see the thing on Gmer! and the many many bits of it, but I have no idea how to get rid of it.

Any help would be great..I just reformatted this computer too
 


Hi, my computer shows me strange errors and blue screen errors and after scanning my pc with Gmer it tells me that my pc is infected by a rootkit. Sometimes, when I use some program or some antispyware like Superantispyware etc, Windows shows me a message in the task bar "...the file is corrupted. The file or directory is corrupted or unreadable. Please run the Chkdsk utility." For example I made a scan with gmer and it showed me the same message "Gmer.exe is corrupted. Please........" I made a scan with Combofix and the message told me "Prev.exe is corrupted. File or directory c:\$mft is corrupted or unreadable. Please run the Chkdsk utility." and so on....and sometimes some blue screen error appears. So now I made some scans and I attached the logs: 1) Scanning with Malwarebytes (it didn't find anything) 2) Scanning with random system information tool by random/random 3) Scanning with Gmer 4) Scanning with DDS 5) Scanning with Combofix. I will send you the log of Combofix and Gmer when you tell me because at the moment the forum doesn't allow me to upload any other file. I hope to hear from you soon.

A:Gmer tells me I'm infected by a rootkit

Hello and welcome to Bleeping Computer. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far. Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware. If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread. Thanks and again sorry for the delay. We need to see some information about what is happening in your machine. Please perform the following scan: Download DDS by sUBs from one of the following links. Save it to your desktop. DDS.scr DDS.pif Double click on the DDS icon, allow it to run. A small box will open, with an explanation about the tool. No input is needed, the scan is running. Notepad will open with the results. Foll... Read more


Hi bleepingcomputer,
I had suspicions that my pc could be infected for some time.
Possibly by someone I know/came in contact with.
After mindlessly wondering and searching for adware and spyware using progs like RogueKiller, TCPView, Process Explorer etc
and trying to monitor my outgoing/incoming traffic, I scanned my machine with GMER, and to my surprise it told me that there is a system modification caused by ROOTKIT.
Here are some pics.
1. http://imgur.com/JwrMlma
2. http://imgur.com/JEiisrn
Here are some images from TCPView, regarding [system processes] and Remote Addresses to constantly changing hosts/IPs.
http://imgur.com/a/HyyxQ
http://imgur.com/a/6Ta9h
http://imgur.com/a/0oauz
I will appreciate any advice and idea regarding what this means and what to do.
Have logs from GMER regarding that matter.
I'm on Win10.
Thank you in advance.
7
Edit. After running subsequent GMER checks, more infected files pop up, but shortly after the beginning of the scan I get a BSOD with KERNEL SECURITY CHECK FAILURE. http://imgur.com/K3nmnkf
Edit 2: Got past the BSOD to get this on the next scan http://imgur.com/5eU3k61

A:Rootkit detected through GMER.

Hi helloseven
 
My name is polskamachina and I would like to welcome you the Malware Removal Forum. I will be helping you with your malware issues.
What follows below are some ground rules for this forum.
 
I will reply as soon as possible (typically within 24-48 hours). In turn, I ask that you please respond within 72 hours. If you know you will be away longer than that, please let me know. I am in California at GMT-8 hours (Pacific Standard Time). If I do not respond to you within 48 hours, feel free to send me a private message.
Some points for you to keep in mind:
Do NOT run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine. Running any additional tools may detect false positives, interfere with our tools, cause unforeseen damage, or system instability.
Do not attach logs or use code boxes, just copy and paste the text.
I cannot see your computer. Periodically update me on the condition of your computer, and provide as much detail as you can in every post.
Once things seem to be working again, please do not abandon the thread. I will give an "all-clean" message at the very end.
NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a flash drive, anywhere except on the computer.
NOTE: It is good practice to c... Read more


Every time I try and run the GMER Rootkit Scanner, it freezes on \Device\RKSAMPLE0 and the computer freezes. After 15-20 minutes I unplugged the computer to start it up again and tried it again, but it's the same thing each time. Is there another program I can run to have you guys read the report to see why my computer is running sooo slow?

Paul Miller

A:Can't use GMER Rootkit Scanner

I hope someone can see something here that I can remove to get things working normal again, sometimes it takes 3-5 minutes for anything to open, my home page, outlook express, even just a folder.
Thank you for any help you can provide.

Paul


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-25 23:58:02
Windows 5.1.2600 Service Pack 3
Running: new program from techsupportforum.com; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\fwwcafow.sys


---- Kernel code sections - GMER 1.0.15 ----

? SYMEFA.SYS The system cannot find the file specified. !
init C:\WINDOWS\System32\Drivers\sunkfilt.sys entry point in "init" section [0xF8B2B300]

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\[email protected] Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\[email protected] C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\[email protected] 0x2E 0xE8 0xE1 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-... Read more


Hello

I did a check on my system with GMER and it says that I have rootkit-like behaviour on sector 63 and on some other sectors. Am I infected with something? I mention that I have TrueCrypt installed on this system, but this is still very strange. Here is the GMER log. Thanks !

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2011-02-10 08:40:58
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD5000BEVT-22ZAT0 rev.01.01A01
Running: gmer.exe; Driver: C:\DOCUME~1\DANUT0~1\LOCALS~1\Temp\aftiikow.sys
---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sectors 976772912 (+255): rootkit-like behavior;

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwEnumerateKey [0xA3B587BC]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwEnumerateValueKey [0xA3B58A12]

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B955AB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 [B955AB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP... Read more

A:GMER rootkit-like behavior ?

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together. Do not run any other tool until instructed to do so! Please Do not Attach logs or put in code boxes. Tell me about any problems that have occurred during the fix. Tell me of any other symptoms you may be having as these can help also. Do not run anything while running a fix. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here. Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster. In order for me to see the status of the infection I will need a new set of logs to start with. Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them. DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear Click the Disable button to disable your CD Emulation drivers Click Yes to continue A 'Finished!' message will ap... Read more

Read other 3 answers
RELEVANCY SCORE 52.4

I scanned with GMER Today and found this
 
GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-10-02 19:02:33
Windows 6.2.9200  x64 \Device\Harddisk0\DR0 -> \Device\00000038 ST1000DM003-1ER162 rev.CC46 931.51GB
Running: gmer.exe; Driver: C:\Users\AJ\AppData\Local\Temp\kwrcrpow.sys
 
 
---- Threads - GMER 2.2 ----
 
Thread   C:\WINDOWS\system32\csrss.exe [7664:8908]                                                                                      fffffb494b596c20
Thread    [6480:5972]                                                                                                                   0000000063d401c7
Thread    [6480:1540]                                                                                      ... Read more

A:GMER Detected A rootkit...

Hi HYTTIOAOA. My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name; it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens;
As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you;
The same principle applies to any modifications you make to your system. I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system;
If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here; better be safe than sorry!;
If yo... Read more

Read other 0 answers
RELEVANCY SCORE 52.4

Hi bleepingcomputer,
I had suspicions that my PC could be infected for some time.
Possibly by someone I know/came in contact with.
After mindlessly wondering and searching for adware and spyware using progs like RogueKiller, TCPView, Process Explorer etc.
and trying to monitor my outgoing/incoming traffic, I scanned my machine with GMER, and to my surprise it told me that there is a system modification caused by ROOTKIT.
Here are some pics.
1. http://imgur.com/JwrMlma
2. http://imgur.com/JEiisrn
I will appreciate any advice and idea regarding what this means and what to do.
Have logs from GMER regarding that matter.
I'm on Win10.
Thank you in advance.
Edit: After running subsequent GMER checks, more infected files pop up, but shortly after the beginning of the scan I get a BSOD with KERNEL SECURITY CHECK FAILURE. http://imgur.com/K3nmnkf
Edit 2: Got past the BSOD to get this on the next scan: http://imgur.com/5eU3k61
 

Read other answers
RELEVANCY SCORE 52.4

Hello
 
I suspect my entire home network is infected. Currently having problems with another computer as well. I ran a GMER scan and a Farbar scan on this PC and posted the logs below. GMER picked up rootkit activity. Posted two logs, the GMER log and the FRST log.
Grateful for your help.
 
 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 31-08-2016
Ran by Priit (administrator) on PRIIDU-SAMSA (07-09-2016 10:48:07)
Running from C:\Users\Priit\Documents\fox
Loaded Profiles: Priit (Available Profiles: Priit & Administrator)
Platform: Windows 10 Home Version 1607 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Edge)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\WTabletServicePro.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
(Foxit Software Inc.) C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe
(Microsoft Corporation) C:\P... Read more

A:GMER detected a rootkit

Welcome to Bleeping Computer's Malware Removal Logs area. My name is Sintharius. I will assist you with your problem.
Please allow me some time to review your logs with my instructor and I will be back with instructions.
Can you describe exactly what problems you are having with your computers? Additional details would be greatly appreciated.
Also please post the Addition.txt that comes with FRST.txt the first time FRST is run.

Read other 0 answers
RELEVANCY SCORE 52.4

Hello

I did a check on my system with GMER and it says that I have rootkit-like behaviour on sector 63 and on some other sectors. Am I infected with something? I mention that I have TrueCrypt installed on this system, but this is still very strange. Here is the GMER log. Thanks!

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2011-02-10 08:40:58
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD5000BEVT-22ZAT0 rev.01.01A01
Running: gmer.exe; Driver: C:\DOCUME~1\DANUT0~1\LOCALS~1\Temp\aftiikow.sys
---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sectors 976772912 (+255): rootkit-like behavior;

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwEnumerateKey [0xA3B587BC]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwEnumerateValueKey [0xA3B58A12]

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B955AB... Read more

A:GMER rootkit-like behavior ?

Hello dubteam2000,
I've read your post, and from the description you give, and the log you posted, I *think* you can relax. BUT......to be sure I'd like to ask if you've had any problems that lead you to believe you have malware anywhere on your computer? I'd like to see a DDS log as well. Directions for it are here: http://www.bleepingcomputer.com/forums/topic34773.html
Thanks,
tea

Read other 2 answers
RELEVANCY SCORE 52.4

Greetings!
 
Last night during a routine scan with GMER, in the first minute when GMER initializes, the very first line stated "possible rootkit".
 
Note that RogueKiller x64 has been flagging a few files/registry entries as orange in the past week or so too. Some disappeared during the last RogueKiller version update, so apparently they were false positives that have been whitelisted.
 
I have Avast Free installed, Malwarebytes full installed, and use various others to keep the system clean.
 
Seeking assistance to run other software to identify and fix the problem, or feel assured that it is nothing.
 
Thank you,
 
Bill
 
 

A:GMER Identified Possible Rootkit

Hi & welcome to Bleeping Computer Forums!
My name is Jürgen and I will be assisting you with your Malware related problems. Before we move on, please read the following points carefully:
My native language isn't English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
Please read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
If you have illegal/cracked software, cracks, keygens, etc. on the system, please remove or uninstall them now!
Do not run any other scans without instruction or Add/Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 5 days from this initial or any subsequent post, then this thread will be closed.
If I don't reply within 24 hours please PM me!
Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
Step 1
Please run a FRST scan. This will help us diagnose your problem.
Please download Farbar Recovery... Read more

Read other 16 answers
RELEVANCY SCORE 52.4

These definitely don't seem like normal output to me. Been having some connection problems recently as well. HJT log follows the GMER log -
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-09-27 11:15:29
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9250320AS rev.DE06
Running: oyo9f5n9.exe; Driver: C:\Users\Damon\AppData\Local\Temp\pxldapog.sys
---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 82A473C9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82A80D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[2660] ntdll.dll!LdrGetProcedureAddress + 26 77422239 7 Bytes JMP 69B10C00 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2660] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D ... Read more

A:I think I have a rootkit/trojan (GMER log)

Hi DamonToo, welcome to Bleeping Computer.
My name is Jason and I'll be helping you with your computer problems. You can call me by my screen name jntkwx or Jason is fine.
Some things to remember while we are working together.
Do not run any other tool until instructed to do so!
Please do not attach logs or put logs in code or quote boxes (unless explicitly asked to).
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can also help.
Do not run anything while running a fix.
If you don't understand a step, please ask for clarification before continuing with any future steps.
Click on the Watch Topic button and select Immediate Notification and click on proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.
Note to others: The instructions here are intended for the person who began this topic. If you need help, please create your own topic in the appropriate forum.
Please take note:
If you have since resolved the original problem you were having, I would appreciate you letting me know.
If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
If you are unsure about any of these characteristics just post what you can and I will guide you.
Please tell me if you have your original Window... Read more

Read other 7 answers
RELEVANCY SCORE 52.4

Here's what it found:

Object Name: C:\WINDOWS\System32\Drivers\alut8q84.SYS
Detection Name: Hidden Driver
Object Type: File
SDK Type: Rootkit
Operating System is Windows XP SP3

Any help would be much appreciated. Thanks

A:security software detects rootkit but doesn't remove effectively

Not a lot of info there, dqkdqk. What did you scan it with to find it? What other security software do you have on your computer ready to go to work?

Read other 19 answers
RELEVANCY SCORE 52.4

Hi
Firstly thank you for your time,

I have been infected with various popups from casinos, adverts etc. Spyware Doctor 5.0.5 258 detects this nasty and removes it, only for it to come back on reboot/re-scan? C:/windows/system32/drivers/core.cache.dsk I am running Win XP SP2
Comodo anti Virus (Done full scan latest updates)
Comodo firewall pro
Pest Control (Full scan Latest Updates)
Spyware Doctor (Full scan Latest updates)
Also I have run cwshredder, Trend Housecall online, ad-ware pro, Spybot + Windows Defender, Sdfix, and COMBOFIX (which one d/load had a virus!)
I am not 100% sure if I ran SDFIX & COMBOFIX correctly, but neither returns any virus etc.
I was thinking of running Spyware Doctor in SAFE mode, but a warning message says it's not advisable!
Any help would be gratefully received. I am going NUTS. Here's the log

Scan saved at 21:58:10, on 15/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\Firewall\cm... Read more

A:Spyware Doctor detects rootkit agent but doesn't delete? HELP ME PLZ :)

Ran SDFix
The file is attached as a txt notepad file. I couldn't post in forum, as it was too long!
Thanks.
 

Read other 1 answers
RELEVANCY SCORE 52

Computer locks up or Blue Screens with internet browsers, IE, Firefox, Chrome.
Sorry, computer locks up regularly...
Could not generate a GMER file, but the initial file screen at start-up said:
sector 00: Rootkit-like behavior
sector 10: Rootkit-like behavior
sector 11: Rootkit-like behavior
Sector 57: Rootkit-like behavior
Sector 63: Rootkit-like behavior

DDS (Ver_10-03-17.01) - NTFSx86
Run by Cathy at 20:54:50.64 on Sun 07/04/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.315 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\HP\h... Read more

A:GMER: Sector 00: Rootkit like behavior

Hello and welcome to Bleeping Computer
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.
If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.
Thanks and again sorry for the delay.
We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more

Read other 26 answers
RELEVANCY SCORE 52

Hello, 
 
I have had 6 rootkit activity logs in GMER (C:\WINDOWS\system32\svchost.exe (*** hidden *** )) so I've run popular Bleeping Computer scans because I am an active reader and big fan of Bleeping (Malwarebytes Anti-Rootkit and Anti-Malware, RogueKiller, ESET NOD online scanner, JRT, TFC, AdwCleaner, Sophos Antivirus and Sophos HitmanPro and Norton Power Eraser, which found a DNS problem and solved it). After the scans I repaired a lot of infections and junk programs, about 7 including some junk program. I've run Windows Repair All-in-One and repaired everything I could. I can already see an improvement since I am able to start and finish antivirus scans. OK, why I did the scans: the laptop behaved as if it was hijacked, with pop-up windows opening and closing randomly and sometimes very fast; also the touchpad has become unresponsive and the right button stopped working (might be a hardware problem, I thought, because with a mouse it behaves better). After all these scans and repairs I can still see the ''gmer has found rootkit activity'' but the number of rootkits is reduced to two:
 
C:\Windows\system32\ikeext.dll (*** hidden ****) [Manual] IKEEXT
C:\Windows\system32\Tabsvc.dll (*** hidden ****) [AUTO] TabletInputService 
 
all the above in red, 
 
now usually I am able to resolve the aforementioned problems alone with the above programs but not this time, these programs are unable to solve the gmer log p... Read more

Read other answers