Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Help removing Rookit? [CLOSED]

Started by pablo86 , May 01 2008 09:51 AM

  • This topic is locked This topic is locked

#1
pablo86
Posted 01 May 2008 - 09:51 AM

pablo86

    New Member

  • Member
  • Pip
  • 9 posts
File Name: MBR: \\PHYSICALDRIVE0
Type: Rookit" hidden file

Please Help



ComboFix 08-04-22.5 - tamara 2008-05-01 8:43:57.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.149 [GMT -7:00]
Running from: C:\Documents and Settings\tamara\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\RKLE.tmp.sys

.
((((((((((((((((((((((((( Files Created from 2008-04-01 to 2008-05-01 )))))))))))))))))))))))))))))))
.

2008-04-30 13:43 . 2008-04-30 13:43 485,888 --a------ C:\Documents and Settings\tamara\installer.exe
2008-04-28 09:20 . 2008-04-28 09:20 0 --ahs---- C:\Documents and Settings\tamara\Application Data\004815eb83f768afd8b499638152ef758d369fe5092690df6a.dat
2008-04-24 09:18 . 2008-04-24 09:18 <DIR> d-------- C:\Documents and Settings\tamara\Application Data\Malwarebytes
2008-04-24 09:17 . 2008-04-24 09:18 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-24 09:17 . 2008-04-24 09:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-22 14:14 . 2008-04-22 14:55 <DIR> d--h----- C:\$AVG8.VAULT$
2008-04-22 13:18 . 2008-04-22 13:21 <DIR> d-------- C:\Documents and Settings\tamara\Application Data\AVGTOOLBAR
2008-04-22 13:18 . 2008-04-22 15:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-04-22 11:20 . 2008-04-22 11:20 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-22 10:40 . 2008-04-22 12:32 <DIR> d-------- C:\Documents and Settings\tamara\.housecall6.6
2008-04-22 09:46 . 2008-04-22 15:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-04-09 15:44 . 2008-04-09 15:44 <DIR> d-------- C:\Program Files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-01 15:38 --------- d-----w C:\Documents and Settings\tamara\Application Data\DNA
2008-04-30 17:16 --------- d-----w C:\Documents and Settings\tamara\Application Data\LimeWire
2008-04-30 17:14 --------- d-----w C:\Program Files\LimeWire
2008-04-25 18:39 --------- d-----w C:\Program Files\Viewpoint
2008-04-25 18:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-04-22 18:59 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-10 22:06 --------- d-----w C:\Documents and Settings\tamara\Application Data\Apple Computer
2008-04-09 22:45 --------- d-----w C:\Program Files\iTunes
2008-04-09 22:41 --------- d-----w C:\Program Files\QuickTime
2008-04-09 20:03 --------- d-----w C:\Program Files\SopCast
2008-03-21 15:08 --------- d-----w C:\Program Files\Yahoo!
2008-03-21 15:08 --------- d-----w C:\Documents and Settings\tamara\Application Data\Yahoo!
2008-03-21 15:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys
2008-03-14 15:17 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-03 23:58 --------- d-----w C:\Documents and Settings\tamara\Application Data\gtk-2.0
2008-03-02 01:36 3,591,680 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2008-02-22 10:00 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\SYSTEM32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-02-15 05:44 161,792 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
.

((((((((((((((((((((((((((((( snapshot@2008-04-23_14.43.07.50 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-23 01:12:42 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-05-01 15:39:56 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-05-01 15:40:11 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_178.dat
+ 2008-05-01 15:40:02 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5b8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2005-11-15 20:44 1200128]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-04-11 08:08 288576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 00:04 114741]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 18:47 204800]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 02:01 110592]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"NoticeP.exe"="C:\Program Files\Impact Software LLC\iSync 2.1\NoticeP.exe" [2006-06-07 19:57 16384]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 11:37 79224]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-06 23:19 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-06 23:07 114688]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

C:\Documents and Settings\tamara\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2008-02-11 13:46:40 225280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.fraunhoferacm"= l3codecp.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"19625:TCP"= 19625:TCP:BitComet 19625 TCP
"19625:UDP"= 19625:UDP:BitComet 19625 UDP

R0 PzWDM;PzWDM;C:\WINDOWS\system32\Drivers\PzWDM.sys [2007-07-11 13:12]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 11:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 11:35]
S3 {DEF85C80-216A-43ab-AF70-1665EDBE2780};{DEF85C80-216A-43ab-AF70-1665EDBE2780};C:\WINDOWS\TEMP\1C9.tmp []
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe [2005-11-17 16:18]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-23 03:31:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-01 08:46:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{DEF85C80-216A-43ab-AF70-1665EDBE2780}]
"ImagePath"="\??\C:\WINDOWS\TEMP\1C9.tmp"
.
Completion time: 2008-05-01 8:49:21
ComboFix-quarantined-files.txt 2008-05-01 15:49:08
ComboFix2.txt 2008-04-25 15:25:49
ComboFix3.txt 2008-04-24 17:14:53
ComboFix4.txt 2008-04-23 21:45:22

Pre-Run: 58,311,618,560 bytes free
Post-Run: 58,586,271,744 bytes free

136 --- E O F --- 2008-04-08 23:08:52
  • 0

Advertisements

#2
Rorschach112
Posted 01 May 2008 - 12:08 PM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.

  • 0

#3
Rorschach112
Posted 06 May 2008 - 05:03 PM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP