rootkit and trojan problems


This topic is locked.

#1 hXc232 (Member, 10 posts)
It seems there has been some malware hiding pretty well on my computer, as my anti-virus didn't pick anything up at all; it was only when I went to install Avast that WinPatrol flagged that a rootkit had attempted to attach itself to it. However, after scanning and attempting to delete these files several times, including a boot-time scan, the problem is still persisting. The trojan is the Alureon virus; the only identification I can give for the rootkit is MBR:\\.\PHYSICALDRIVE0, and I can't seem to find any other information on it.

I also ran Trend Micro Rootkit Buster and it flagged 30 hidden files, but it too said it was unable to delete them. Here's the log that TMRB returned:

--== Dump Hidden MBR, Hidden Files and Alternate Data Streams on C:\ ==--
No hidden files found.

--== Dump Hidden Registry Value on HKLM ==--
[HIDDEN_REGISTRY][Hidden Reg Value]:
KeyPath : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Media Center\Service\Recording\Restricted
Root : 0
SubKey : Restricted
ValueName : ccc
Data : 48 E7 E 92 58 B3 13 E6 ...
ValueType : 3
AccessType: 0
FullLength: 0x66
DataSize : 0xc8
1 hidden registry entries found.


--== Dump Hidden Process ==--
No hidden processes found.

--== Dump Hidden Driver ==--
No hidden drivers found.

--== Service Win32 API Hook List ==--
[HOOKED_SERVICE_API]:
Service API : ZwAddBootEntry
Image Path : C:\Windows\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x828ceec6
CurrentHandler : 0x9e51b202
ServiceNumber : 0x9
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwCreateEvent
Image Path : C:\Windows\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x8282bd37
CurrentHandler : 0x9e51d7f0
ServiceNumber : 0x3a
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwCreateEventPair
Image Path : C:\Windows\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x828d4584
CurrentHandler : 0x9e51d848
ServiceNumber : 0x3b
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwCreateIoCompletion
Image Path : C:\Windows\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x827e5907
CurrentHandler : 0x9e51d95e
ServiceNumber : 0x3d
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwCreateMutant
Image Path : C:\Windows\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x828397bc
CurrentHandler : 0x9e51d746
ServiceNumber : 0x43
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwCreateSection
Image Path : C:\Windows\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x8284ad95
CurrentHandler : 0x9e51d898
ServiceNumber : 0x4b
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwCreateSemaphore
Image Path : C:\Windows\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x827f0cc3
CurrentHandler : 0x9e51d79a
ServiceNumber : 0x4c
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwCreateTimer
Image Path : C:\Windows\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x827d3a9f
CurrentHandler : 0x9e51d90c
ServiceNumber : 0x4f
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwDeleteBootEntry
Image Path : C:\Windows\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x828ceef7
CurrentHandler : 0x9e51b226
ServiceNumber : 0x78
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwLoadDriver
Image Path : C:\Windows\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x82784dee
CurrentHandler : 0x9e51aff0
ServiceNumber : 0xa5
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwModifyBootEntry
Image Path : C:\Windows\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x828cf0c7
CurrentHandler : 0x9e51b24a
ServiceNumber : 0xb2
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwNotifyChangeKey
Image Path : C:\Windows\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x827d85d9
CurrentHandler : 0x9e51dd56
ServiceNumber : 0xb5
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwNotifyChangeMultipleKeys
Image Path : C:\Windows\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x827d7a51
CurrentHandler : 0x9e51bcda
ServiceNumber : 0xb6
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwOpenEvent
Image Path : C:\Windows\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x82812d5f
CurrentHandler : 0x9e51d820
ServiceNumber : 0xb8
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwOpenEventPair
Image Path : C:\Windows\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x828d46b3
CurrentHandler : 0x9e51d870
ServiceNumber : 0xb9
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwOpenIoCompletion
Image Path : C:\Windows\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x828866cd
CurrentHandler : 0x9e51d988
ServiceNumber : 0xbb
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwOpenMutant
Image Path : C:\Windows\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x8282aaf1
CurrentHandler : 0x9e51d772
ServiceNumber : 0xbf
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwOpenSection
Image Path : C:\Windows\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x8282a5fd
CurrentHandler : 0x9e51d8d8
ServiceNumber : 0xc5
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwOpenSemaphore
Image Path : C:\Windows\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x827beebe
CurrentHandler : 0x9e51d7c8
ServiceNumber : 0xc6
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwOpenTimer
Image Path : C:\Windows\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x828d430f
CurrentHandler : 0x9e51d936
ServiceNumber : 0xcc
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwQueryObject
Image Path : C:\Windows\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x827ff343
CurrentHandler : 0x9e51bba0
ServiceNumber : 0xed
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwSetBootEntryOrder
Image Path : C:\Windows\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x828cf7f8
CurrentHandler : 0x9e51b26e
ServiceNumber : 0x11f
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwSetBootOptions
Image Path : C:\Windows\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x828cfcfa
CurrentHandler : 0x9e51b292
ServiceNumber : 0x120
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwSetSystemInformation
Image Path : C:\Windows\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x827ffe83
CurrentHandler : 0x9e51b04a
ServiceNumber : 0x13d
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwSetSystemPowerState
Image Path : C:\Windows\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x828f30a1
CurrentHandler : 0x9e51b186
ServiceNumber : 0x13e
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwShutdownSystem
Image Path : C:\Windows\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x828cc3a1
CurrentHandler : 0x9e51b162
ServiceNumber : 0x146
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwSystemDebugControl
Image Path : C:\Windows\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x82811e51
CurrentHandler : 0x9e51b1aa
ServiceNumber : 0x14c
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwVdmControl
Image Path : C:\Windows\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x828c0ee3
CurrentHandler : 0x9e51b2b6
ServiceNumber : 0x15d
ModuleName : aswSnx.SYS
SDTType : 0x0


--== Dump Hidden Port ==--
No hidden ports found.

--== Dump Kernel Code Patching ==--
[KERNEL_CODE][PATCHED]:
Service API : ZwCreateProcessEx
Address : 828AADAE
CurrentCode : E9B349AA1C
ExpectedCode : 6A0C681818
ServiceNumber : 0x49
SDTType : 0x0
1 Kernel code patching found.

--== Dump Hidden Services ==--
No hidden services found.

It has also been having occasional minor bluescreen errors (or that is what it was, according to the error report), where it goes to a black screen with a blue banner saying it is dumping the physical memory, then boots up again.

Any help at all would be greatly appreciated.

Cheers,
Ross
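The TMRB log above lists 28 SSDT hooks, every one of them owned by aswSnx.SYS (the Avast driver the poster had just installed), plus a single kernel code patch on ZwCreateProcessEx for which the log names no owning module at all. As an added example (editor's code, not TMRB's, Avast's or the poster's), the following Python parses that log layout, groups the hooks by driver, decodes the E9 (x86 JMP rel32) bytes reported in CurrentCode to the address they jump to, and prints what is still unexplained once the Avast driver is treated as legitimate. The excerpt is constructed from the posted records, and the driver allow-list is an assumption of the example, not something the log states.

```python
"""Triage a Trend Micro RootkitBuster (TMRB) log.

Added example for this thread, not TMRB's or Avast's code. It parses the
[HOOKED_SERVICE_API] and [KERNEL_CODE][PATCHED] records, groups SSDT hooks by
the driver that owns them, decodes an inline JMP patch to see where it lands,
and lists what the log leaves unexplained.
"""
import re
from collections import defaultdict

# Constructed excerpt in the layout of the posted log: two of its 28 aswSnx.SYS
# hooks plus the single kernel code patch. Not the full log.
SAMPLE_LOG = r"""
--== Service Win32 API Hook List ==--
[HOOKED_SERVICE_API]:
Service API : ZwLoadDriver
Image Path : C:\Windows\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x82784dee
CurrentHandler : 0x9e51aff0
ServiceNumber : 0xa5
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwSetSystemInformation
Image Path : C:\Windows\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x827ffe83
CurrentHandler : 0x9e51b04a
ServiceNumber : 0x13d
ModuleName : aswSnx.SYS
SDTType : 0x0

--== Dump Kernel Code Patching ==--
[KERNEL_CODE][PATCHED]:
Service API : ZwCreateProcessEx
Address : 828AADAE
CurrentCode : E9B349AA1C
ExpectedCode : 6A0C681818
ServiceNumber : 0x49
SDTType : 0x0
1 Kernel code patching found.
"""

# Assumption for this example: drivers whose SSDT hooks we accept as legitimate.
# aswSnx.SYS is the Avast driver the poster had just installed.
KNOWN_SECURITY_DRIVERS = {"aswsnx.sys"}

RECORD_START = re.compile(r"^\[(HOOKED_SERVICE_API|KERNEL_CODE)\]")


def parse_records(text):
    """One dict per TMRB record, keyed by the field names used in the log."""
    records, current = [], None
    for line in text.splitlines():
        if line.startswith("--=="):            # section banner closes any open record
            current = None
            continue
        m = RECORD_START.match(line)
        if m:
            current = {"kind": m.group(1)}
            records.append(current)
            continue
        if current is not None and ":" in line:
            key, _, value = line.partition(":")   # first colon only; values may hold paths
            current[key.strip()] = value.strip()
    return records


def jmp_rel32_target(address, code_hex):
    """Decode an x86 'E9 rel32' near jump placed at `address`; None if not a JMP."""
    code = bytes.fromhex(code_hex)
    if len(code) < 5 or code[0] != 0xE9:
        return None
    rel = int.from_bytes(code[1:5], "little", signed=True)
    return (address + 5 + rel) & 0xFFFFFFFF


def triage(text):
    hooks, patches = defaultdict(list), []
    for r in parse_records(text):
        if r["kind"] == "HOOKED_SERVICE_API":
            hooks[r.get("ModuleName", "<none>")].append(r["Service API"])
        else:
            addr = int(r["Address"], 16)
            patches.append({
                "api": r["Service API"],
                "address": addr,
                "jmp_target": jmp_rel32_target(addr, r["CurrentCode"]),
                # 6A xx / 68 xx xx xx xx is 'push imm8; push imm32', a normal
                # function prologue: the expected bytes are the untouched entry.
                "expected_is_prologue": r["ExpectedCode"].upper().startswith("6A"),
            })
    unexplained = [f"SSDT hook on {api} by {mod}"
                   for mod, apis in hooks.items()
                   if mod.lower() not in KNOWN_SECURITY_DRIVERS
                   for api in apis]
    for p in patches:      # TMRB names no owning module for inline patches
        target = f"{p['jmp_target']:#010x}" if p["jmp_target"] is not None else "non-JMP bytes"
        unexplained.append(f"inline patch on {p['api']} at {p['address']:#010x} -> {target}")
    return {"hooks": dict(hooks), "patches": patches, "unexplained": unexplained}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for mod, apis in result["hooks"].items():
        print(f"{mod}: {len(apis)} SSDT hooks")
    for item in result["unexplained"]:
        print("CHECK:", item)
```

On the posted values the patch decodes to a jump from 0x828AADAE to 0x9F34F766. The log gives no loaded-driver address ranges, so the next step for a practitioner is to compare that target against the kernel module list (for example from a kernel debugger or a driver listing) to see whether it falls inside a signed driver or in unowned memory; the SSDT hooks, by contrast, are fully attributed to one driver and are the kind of thing a self-defence component of an anti-virus product installs.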

#2 Render (Trusted Helper, Malware Removal, 4,195 posts)
Hi, hXc232! Welcome to GeeksToGo! My nickname is Render and I will be assisting you with your malware/security problems. Please make sure you read all of the instructions and fixes thoroughly before continuing with them. If you have any queries or you are unsure about anything, just say and I'll help you out :)

It may well be worth you printing/saving the instructions throughout the fix, so you have them to hand just in case you are unable to access this site.

Please note:
  • Remember to post your logs, not attach them. So, any logs from any programs we run, should be just 'copied & pasted' into your reply.
  • Please only run the tools that I request. I know malware can be frustrating but running other tools in the meantime and between posts, only makes it harder for us to analyse and fix your PC in the long run.

Sorry for the delay.

Please follow the steps below:

Step 1

  • Please download aswMBR.exe to your desktop.
  • Double click the aswMBR.exe to run it.
  • Click the Scan button to start scan.
  • On completion of the scan click Save log, save it to your desktop and post in your next reply.

Step 2

OTL Custom Scan

  • Download OTL to your desktop.
  • Double click on the OTL icon to run it.
  • Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top, make sure Standard output is selected.
  • Select Scan all users
  • Under the Extra Registry section, check Use SafeList
  • Check the boxes beside LOP Check and Purity Check.
  • Copy (select all lines inside the quote box and press CTRL+C) and Paste (press CTRL+V) the following code into the custom scan textbox.

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    /md5stop
    %systemroot%\*. /mp /s
    hklm\software\clients\startmenuinternet|command /rs
    hklm\software\clients\startmenuinternet|command /64 /rs
    CREATERESTOREPOINT
    
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them in your topic.

When completed the above, please post back the following in the order asked for:
  • aswMBR log
  • OTL log
  • Extras log

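Step 1 above asks for an aswMBR scan, and the original post identifies the rootkit only as MBR:\\.\PHYSICALDRIVE0. As an added example (editor's code, not aswMBR's, OTL's or the poster's), the following Python does the first part of what an MBR rootkit scanner does on a 512-byte sector: validates the 0x55AA boot signature, parses the four partition-table entries, hashes the 440 bytes of bootstrap code so they can be compared with a hash taken from a known-clean machine, and reports the unpartitioned space after the last partition, which is where bootkits of the TDL4/Alureon family are known to keep their hidden filesystem. The sample sector is constructed; `read_physical_drive0` is the only part that touches a real disk and is assumed to need administrator rights on Windows; no known-good hash is supplied, the reader has to obtain one from a clean installation.

```python
"""Parse and fingerprint a 512-byte MBR sector.

Added example for this thread, not aswMBR's, OTL's or TMRB's code. Everything
except read_physical_drive0() runs offline on the constructed sample below.
"""
import hashlib
import struct

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xAA"
BOOTCODE_LEN = 440            # bootstrap code; disk signature, reserved and table follow
ENTRY_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr():
    """Constructed sample: one active NTFS (0x07) partition at LBA 2048, 204800 sectors."""
    # xor ax,ax / mov ss,ax / mov sp,7C00h: the usual first instructions of a stock MBR
    bootcode = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]).ljust(BOOTCODE_LEN, b"\x00")
    disk_signature = struct.pack("<I", 0xDEADBEEF)   # made-up NT disk signature
    reserved = b"\x00\x00"
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800)
    return bootcode + disk_signature + reserved + entry + bytes(16) * 3 + BOOT_SIGNATURE


def parse_mbr(sector):
    """Validate the sector and return disk signature, bootcode hash and partitions."""
    if len(sector) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(sector)}")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("boot signature 0x55AA missing: not a valid MBR")
    partitions = []
    for i in range(4):
        off = 446 + 16 * i
        status, _chs0, ptype, _chs1, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype == 0:                       # empty table slot
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {
        "disk_signature": struct.unpack("<I", sector[440:444])[0],
        "bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def bootcode_matches(sector, known_good_sha256):
    """True if the bootstrap code hashes to the value taken from a clean machine."""
    return parse_mbr(sector)["bootcode_sha256"] == known_good_sha256


def unpartitioned_tail(info, total_sectors):
    """Sectors after the last partition; TDL4-class bootkits hide their filesystem here."""
    end = max((p["lba_start"] + p["sectors"] for p in info["partitions"]), default=0)
    return total_sectors - end


def read_physical_drive0():
    """Read the live MBR. Assumed to require administrator rights; Windows only."""
    with open(r"\\.\PHYSICALDRIVE0", "rb") as disk:
        return disk.read(SECTOR)


if __name__ == "__main__":
    clean = build_sample_mbr()
    reference = parse_mbr(clean)["bootcode_sha256"]   # stands in for a hash from a clean machine
    infected = bytearray(clean)
    infected[0:5] = b"\xE9\x00\x00\x00\x00"          # constructed: entry overwritten with a JMP
    print(parse_mbr(clean))
    print("bootcode intact after tampering:", bootcode_matches(bytes(infected), reference))
    print("unpartitioned tail sectors:", unpartitioned_tail(parse_mbr(clean), 1_000_000))
```

A hash mismatch on the bootstrap code is only a lead, not proof: OEM and dual-boot loaders also ship their own MBR code, so the comparison hash has to come from the same Windows version on a machine known to be clean. A large unpartitioned tail is likewise normal on many disks; what matters is whether it contains non-zero data that nothing in the partition table accounts for.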

#3 Render (Trusted Helper, Malware Removal, 4,195 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.