
Persistant Rootkit [Solved]


  • This topic is locked

#31
Teima (Geek in Training, GeekU Senior, 669 posts)
Hello GUBID,

Why would AVG "find" an infection then not find it and then later find it again?

It's more or less an issue with AVG, as their detections are based on heuristics and signatures. There must have been a conflict somewhere in the process which resulted in this false positive and triggered these alerts. ;)

On the video front it's pretty much any Youtube video I decide to fast forward!

Ok! Thanks for the additional information. When loading the video, have you noticed slow buffering speeds by any chance, and hence the issue is faced whilst trying to fast forward?

Step One

1. Go to Start -> (Settings) -> Control Panel.
2. Open (Programs) -> Programs and Features, or Add or Remove Programs.
3. Select AVG 2013 in the list of programs.
4. Click the Uninstall or Change/Remove button.
5. Follow the instructions on your screen to complete the uninstall.

Step Two

It is important that you install an anti-virus. With that in mind, please note that you should only ever have one of these installed on the machine, as multiple antivirus programs will lead to conflicts and will also cause other issues at a later date.

Either of the below will suffice:-

Should you require any assistance with the install, please let me know and I'll offer some further instructions. :)
  • 0

#32
GUBID (Member, 29 posts)
Thanks for those links Teima.
I think I will persevere with AVG for the time being.
  • 0

#33
Teima (Geek in Training, GeekU Senior, 669 posts)
Hello GUBID,

No worries. Now let us turn back to the other issue which is faced. When loading the video, have you noticed slow buffering speeds by any chance, and hence the issue is faced whilst trying to fast forward?
  • 0

#34
GUBID (Member, 29 posts)
Buffering? Is that how long it takes the video to load? Yeah, it can seem slow. That's probably down to the age of my laptop more than anything else!
I thought the disconnection was related to the "rootkit", but if the root kit doesn't exist then it can't be.
AVG is no longer finding the infection by the way!!
  • 0

#35
Teima (Geek in Training, GeekU Senior, 669 posts)
Hello GUBID,

Buffering? Is that how long it takes the video to load? Yeah, it can seem slow. That's probably down to the age of my laptop more than anything else!

Yes. That's correct. Typically these sorts of issues reside with the Internet and not usually the computer itself. Allow me to delve into this issue further. :)

Step One

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, copy and paste in the following.
:Files
ipconfig /release /c
ipconfig /renew /c
ipconfig /flushdns /c
netsh winsock reset all /c
netsh int ip reset all /c

:Commands
[EmptyTemp]
  • Click run fix.
  • OTL may ask to reboot the machine. Please click the OK button if prompted.
Step Two

Please download MiniToolBox from here and save it to your desktop.

Run it and place a checkmark within the following checkboxes:

  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List IP Configuration
  • List Winsock Entries
  • List Last 10 Event Viewer Errors
  • List Devices - Only Problems
Click Go and paste the content into your next response.
  • 0

#36
GUBID (Member, 29 posts)
Hello Teima, thanks for getting back to me. I'm in the middle of a long stretch at work, 13 hour days, so will get back to you over the weekend.
  • 0

#37
GUBID (Member, 29 posts)
There was no output from the OTL.
The output from Mini Toolbox was:

MiniToolBox by Farbar Version: 13-07-2013
Ran by GUB (ATTENTION: The logged in user is not administrator) on 07-09-2013 at 08:15:15
Running from "C:\Users\GUB\Downloads"
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
Boot Mode: Normal
***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

========================= IP Configuration: ================================

Intel® WiFi Link 5100 AGN = Wireless Network Connection (Connected)
Marvell Yukon 88E8055 PCI-E Gigabit Ethernet Controller = Local Area Connection (Media disconnected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : Shaun-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : home

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . : home
Description . . . . . . . . . . . : Intel® WiFi Link 5100 AGN
Physical Address. . . . . . . . . : 00-21-5D-A7-9B-7E
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::8da8:2b4:27b1:e9f4%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.64(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : 07 September 2013 08:10:48
Lease Expires . . . . . . . . . . : 08 September 2013 08:10:48
Default Gateway . . . . . . . . . : 192.168.1.254
DHCP Server . . . . . . . . . . . : 192.168.1.254
DHCPv6 IAID . . . . . . . . . . . : 318772970
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-10-E0-6E-52-00-1D-BA-85-20-3B
DNS Servers . . . . . . . . . . . : 192.168.1.254
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Marvell Yukon 88E8055 PCI-E Gigabit Ethernet Controller
Physical Address. . . . . . . . . : 00-1D-BA-85-20-3B
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 6:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : home
Description . . . . . . . . . . . : isatap.home
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 11:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{90B9F76B-DCD6-4562-B255-78470354B63C}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 14:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 02-00-54-55-4E-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Server: BThomehub.home
Address: 192.168.1.254

Name: google.com
Addresses: 2a00:1450:4009:805::1008
173.194.34.161
173.194.34.169
173.194.34.163
173.194.34.167
173.194.34.160
173.194.34.168
173.194.34.174
173.194.34.164
173.194.34.165
173.194.34.162
173.194.34.166



Pinging google.com [173.194.34.163] with 32 bytes of data:

Reply from 173.194.34.163: bytes=32 time=29ms TTL=52

Reply from 173.194.34.163: bytes=32 time=30ms TTL=52



Ping statistics for 173.194.34.163:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 29ms, Maximum = 30ms, Average = 29ms

Server: BThomehub.home
Address: 192.168.1.254

Name: yahoo.com
Addresses: 98.138.253.109
206.190.36.45
98.139.183.24



Pinging yahoo.com [206.190.36.45] with 32 bytes of data:

Reply from 206.190.36.45: bytes=32 time=186ms TTL=47

Reply from 206.190.36.45: bytes=32 time=189ms TTL=47



Ping statistics for 206.190.36.45:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 186ms, Maximum = 189ms, Average = 187ms



Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
11 ...00 21 5d a7 9b 7e ...... Intel® WiFi Link 5100 AGN
10 ...00 1d ba 85 20 3b ...... Marvell Yukon 88E8055 PCI-E Gigabit Ethernet Controller
1 ........................... Software Loopback Interface 1
17 ...00 00 00 00 00 00 00 e0 isatap.home
16 ...00 00 00 00 00 00 00 e0 isatap.{90B9F76B-DCD6-4562-B255-78470354B63C}
15 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.64 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.64 281
192.168.1.64 255.255.255.255 On-link 192.168.1.64 281
192.168.1.255 255.255.255.255 On-link 192.168.1.64 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.64 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.64 281
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
11 281 fe80::/64 On-link
11 281 fe80::8da8:2b4:27b1:e9f4/128
On-link
1 306 ff00::/8 On-link
11 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\system32\NLAapi.dll [48128] (Microsoft Corporation)
Catalog5 02 C:\Windows\system32\napinsp.dll [50176] (Microsoft Corporation)
Catalog5 03 C:\Windows\system32\pnrpnsp.dll [62464] (Microsoft Corporation)
Catalog5 04 C:\Windows\system32\pnrpnsp.dll [62464] (Microsoft Corporation)
Catalog5 05 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog5 06 C:\Windows\system32\winrnr.dll [19968] (Microsoft Corporation)
Catalog5 07 C:\Windows\system32\wshbth.dll [34304] (Microsoft Corporation)
Catalog5 08 C:\Program Files\Bonjour\mdnsNSP.dll [152864] (Apple Inc.)
Catalog9 01 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 16 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 17 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 18 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 19 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 20 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 21 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 22 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 23 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 24 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 25 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 26 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 27 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 28 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 29 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 30 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 31 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 32 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 33 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (09/07/2013 08:08:21 AM) (Source: VzCdbSvc) (User: )
Description: Failed to load the plug-in module. (GUID = {56F9312C-C989-4E04-8C23-299DEE3A36F5})(Error code = 0x80042019)

Error: (09/07/2013 08:08:21 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/07/2013 08:04:44 AM) (Source: Windows Search Service) (User: )
Description: The entry <C:\USERS\GUB\DESKTOP\CMD.BAT> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog


Details:
A device attached to the system is not functioning. (0x8007001f)

Error: (09/07/2013 07:57:34 AM) (Source: VzCdbSvc) (User: )
Description: Failed to load the plug-in module. (GUID = {56F9312C-C989-4E04-8C23-299DEE3A36F5})(Error code = 0x80042019)

Error: (09/07/2013 07:57:34 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/05/2013 09:38:48 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/05/2013 09:38:47 PM) (Source: VzCdbSvc) (User: )
Description: Failed to load the plug-in module. (GUID = {56F9312C-C989-4E04-8C23-299DEE3A36F5})(Error code = 0x80042019)

Error: (09/03/2013 10:58:00 AM) (Source: VzCdbSvc) (User: )
Description: Failed to load the plug-in module. (GUID = {56F9312C-C989-4E04-8C23-299DEE3A36F5})(Error code = 0x80042019)

Error: (09/03/2013 10:57:59 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/02/2013 08:02:03 AM) (Source: VzCdbSvc) (User: )
Description: Failed to load the plug-in module. (GUID = {56F9312C-C989-4E04-8C23-299DEE3A36F5})(Error code = 0x80042019)


System errors:
=============
Error: (09/07/2013 08:08:22 AM) (Source: Service Control Manager) (User: )
Description: Parallel port driver%%1058

Error: (09/07/2013 08:04:30 AM) (Source: Service Control Manager) (User: )
Description: Ati External Event Utility1

Error: (09/07/2013 07:57:34 AM) (Source: Service Control Manager) (User: )
Description: Parallel port driver%%1058

Error: (09/06/2013 07:17:41 AM) (Source: Service Control Manager) (User: )
Description: ScRegSetValueExWFailureActions%%5

Error: (09/05/2013 09:38:48 PM) (Source: Service Control Manager) (User: )
Description: Parallel port driver%%1058

Error: (09/05/2013 09:38:23 PM) (Source: Microsoft-Windows-ResourcePublication) (User: NT AUTHORITY)
Description: Provider\Microsoft.Base.Publication/Publication/Computer

Error: (09/04/2013 02:37:47 AM) (Source: Service Control Manager) (User: )
Description: ScRegSetValueExWFailureActions%%5

Error: (09/03/2013 10:57:59 AM) (Source: Service Control Manager) (User: )
Description: Parallel port driver%%1058

Error: (09/02/2013 11:50:24 PM) (Source: Service Control Manager) (User: )
Description: ScRegSetValueExWFailureActions%%5

Error: (09/02/2013 08:02:03 AM) (Source: Service Control Manager) (User: )
Description: Parallel port driver%%1058


Microsoft Office Sessions:
=========================
Error: (06/02/2011 11:55:39 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 14 seconds with 0 seconds of active time. This session ended with a crash.

Error: (05/27/2011 11:11:20 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 12 seconds with 0 seconds of active time. This session ended with a crash.

Error: (05/04/2011 10:15:36 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 2 seconds with 0 seconds of active time. This session ended with a crash.

Error: (03/21/2011 09:54:53 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 3 seconds with 0 seconds of active time. This session ended with a crash.

Error: (03/21/2011 01:32:13 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 2 seconds with 0 seconds of active time. This session ended with a crash.

Error: (03/21/2011 01:02:14 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 3 seconds with 0 seconds of active time. This session ended with a crash.

Error: (03/21/2011 00:57:34 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 2 seconds with 0 seconds of active time. This session ended with a crash.

Error: (03/18/2011 11:51:45 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 2 seconds with 0 seconds of active time. This session ended with a crash.

Error: (03/16/2011 11:54:12 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 8 seconds with 0 seconds of active time. This session ended with a crash.

Error: (03/15/2011 11:27:46 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 2 seconds with 0 seconds of active time. This session ended with a crash.


CodeIntegrity Errors:
===================================
Date: 2013-08-19 13:23:21.927
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\avgidshx.sys because the set of per-page image hashes could not be found on the system.

Date: 2013-08-19 13:23:21.649
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\avgidshx.sys because the set of per-page image hashes could not be found on the system.

Date: 2013-08-19 13:23:21.370
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\avgidshx.sys because the set of per-page image hashes could not be found on the system.

Date: 2013-08-19 13:23:21.086
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\avgidshx.sys because the set of per-page image hashes could not be found on the system.

Date: 2013-08-19 13:23:20.807
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\avgidshx.sys because the set of per-page image hashes could not be found on the system.

Date: 2013-08-19 13:23:20.523
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\avgidshx.sys because the set of per-page image hashes could not be found on the system.

Date: 2013-08-19 13:23:20.195
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\avgidsdriverx.sys because the set of per-page image hashes could not be found on the system.

Date: 2013-08-19 13:23:19.917
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\avgidsdriverx.sys because the set of per-page image hashes could not be found on the system.

Date: 2013-08-19 13:23:19.634
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\avgidsdriverx.sys because the set of per-page image hashes could not be found on the system.

Date: 2013-08-19 13:23:19.356
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\avgidsdriverx.sys because the set of per-page image hashes could not be found on the system.


========================= Devices: ================================


**** End of log ****
  • 0
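Two parts of a MiniToolBox log like the one above are worth reading with a script rather than by eye: the Winsock catalog (a third-party namespace provider or LSP sits in the path of every DNS lookup and socket call, which is exactly why the helper had the catalog reset) and the Code Integrity section (which names each driver the kernel could not verify). The following is an added example, not MiniToolBox's code or anything posted in the thread; the sample log is constructed in MiniToolBox's layout, mirrors lines from the post, and adds one invented entry in a Temp folder so the review list has a second hit. The rule "not Microsoft, or not under System32" is an assumption about what deserves a second look, not a verdict.

```python
import re
from collections import Counter

# Constructed sample in MiniToolBox's layout. The Winsock and Code Integrity
# lines mirror ones posted in this thread; the entry in a user's Temp folder
# is invented so that the triage has a second thing to flag.
SAMPLE_LOG = r"""
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\system32\NLAapi.dll [48128] (Microsoft Corporation)
Catalog5 08 C:\Program Files\Bonjour\mdnsNSP.dll [152864] (Apple Inc.)
Catalog9 01 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 02 C:\Users\Example\AppData\Local\Temp\constructed_example.dll [12288] ()

========================= Event log errors: ===============================

CodeIntegrity Errors:
===================================
Date: 2013-08-19 13:23:21.927
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\avgidshx.sys because the set of per-page image hashes could not be found on the system.

Date: 2013-08-19 13:23:20.195
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\avgidsdriverx.sys because the set of per-page image hashes could not be found on the system.

========================= Devices: ================================
"""

# Catalog5 = namespace providers (name resolution), Catalog9 = the protocol/LSP chain.
WINSOCK_RE = re.compile(r"^(Catalog[59]) (\d+) (.+?) \[(\d+)\] \((.*)\)$")
CI_RE = re.compile(r"unable to verify the image integrity of the file (\S+)")
SYSTEM_DIR = "c:\\windows\\system32\\"   # assumed "expected" location for catalog DLLs


def parse_winsock(text):
    """Return one dict per Winsock catalog line in the MiniToolBox section."""
    entries = []
    for line in text.splitlines():
        m = WINSOCK_RE.match(line.strip())
        if m:
            catalog, index, path, size, publisher = m.groups()
            entries.append({"catalog": catalog, "index": int(index), "path": path,
                            "size": int(size), "publisher": publisher})
    return entries


def flag_winsock(entries):
    """Entries worth a second look: not published by Microsoft, or loaded from
    outside System32. Neither condition proves anything malicious (Bonjour's
    mdnsNSP.dll is a legitimate Apple namespace provider); this is a review
    list for whoever reads the log, not a detection."""
    flagged = []
    for e in entries:
        reasons = []
        if e["publisher"] != "Microsoft Corporation":
            reasons.append("publisher=%r" % e["publisher"])
        if not e["path"].lower().startswith(SYSTEM_DIR):
            reasons.append("outside System32")
        if reasons:
            flagged.append(dict(e, reasons=reasons))
    return flagged


def parse_code_integrity(text):
    """Count Code Integrity verification failures per driver file name."""
    counts = Counter()
    for m in CI_RE.finditer(text):
        counts[m.group(1).rsplit("\\", 1)[-1]] += 1
    return counts


if __name__ == "__main__":
    for e in flag_winsock(parse_winsock(SAMPLE_LOG)):
        print(e["catalog"], e["index"], e["path"], "->", "; ".join(e["reasons"]))
    for driver, n in parse_code_integrity(SAMPLE_LOG).items():
        print("Code Integrity could not verify %s (%d events)" % (driver, n))
```

On the log in the post this would flag only the Bonjour provider, and it would attribute all ten Code Integrity events to the two AVG drivers, which matches the thread's reading that nothing unexpected is loaded through Winsock.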

#38
Teima (Geek in Training, GeekU Senior, 669 posts)
Hello GUBID. Thanks for the response. Would you be able to see if the OTL logfile can be located at C: >> _OTL >> MovedFiles >> DD/DD/DD TT/TT.txt (the file name denotes the date/time the log was created)? :)
  • 0

#39
GUBID (Member, 29 posts)
I found it.

All processes killed
========== FILES ==========
< ipconfig /release /c >
Windows IP Configuration
No operation can be performed on Wireless Network Connection while it has its media disconnected.
No operation can be performed on Local Area Connection while it has its media disconnected.
C:\Users\GUB\Desktop\cmd.bat deleted successfully.
C:\Users\GUB\Desktop\cmd.txt deleted successfully.
< ipconfig /renew /c >
Windows IP Configuration
No operation can be performed on Wireless Network Connection while it has its media disconnected.
No operation can be performed on Local Area Connection while it has its media disconnected.
C:\Users\GUB\Desktop\cmd.bat deleted successfully.
C:\Users\GUB\Desktop\cmd.txt deleted successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\GUB\Desktop\cmd.bat deleted successfully.
C:\Users\GUB\Desktop\cmd.txt deleted successfully.
< netsh winsock reset all /c >
Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.
C:\Users\GUB\Desktop\cmd.bat deleted successfully.
C:\Users\GUB\Desktop\cmd.txt deleted successfully.
< netsh int ip reset all /c >
Reseting Echo Request, OK!
Reseting Global, OK!
Reseting Interface, OK!
A reboot is required to complete this action.
C:\Users\GUB\Desktop\cmd.bat deleted successfully.
C:\Users\GUB\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 16384 bytes
->Temporary Internet Files folder emptied: 6726467 bytes
->Flash cache emptied: 56625 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Grace
->Temp folder emptied: 132884 bytes
->Temporary Internet Files folder emptied: 2697247 bytes
->Java cache emptied: 71172 bytes
->FireFox cache emptied: 46524612 bytes
->Flash cache emptied: 1482 bytes

User: GUB
->Temp folder emptied: 696728 bytes
->Temporary Internet Files folder emptied: 3205197 bytes
->Java cache emptied: 255950 bytes
->FireFox cache emptied: 6448295 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 57998 bytes

User: Guest
->Temp folder emptied: 273536 bytes
->Temporary Internet Files folder emptied: 293035 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 211938202 bytes
->Flash cache emptied: 57309 bytes

User: Public

User: Shaun
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 131072 bytes
->Java cache emptied: 2027 bytes
->FireFox cache emptied: 34135521 bytes
->Flash cache emptied: 56979 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 6140005 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 12189992 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 317.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 09072013_080430
  • 0

#40
Teima (Geek in Training, GeekU Senior, 669 posts)
Perfect. Have you noticed a difference with watching videos on Youtube since running that fix within OTL mate?
  • 0

#41
GUBID (Member, 29 posts)
No change, Teima.
  • 0

#42
Teima (Geek in Training, GeekU Senior, 669 posts)
Hello GUBID,

I have spoken to my instructor and we think that the best course of action at the moment would be to call your Internet Service Provider and see if there's an issue or fault at their end which could be the result of this issue. We don't see any issues with your machine at the moment which is a positive. You should be able to situate their support number on their official website. Would you be willing to attempt this for me? :)
  • 0

#43
GUBID (Member, 29 posts)
I'll ring them.
It will be later this week though, okay.
  • 0

#44
GUBID (Member, 29 posts)
Hello Teima,
Just ran AVG and the original "infection" has returned yet again.
The scan also picked up some other stuff:
I've included the output from that scan:
Whole Computer Scan
Medium priority;"12";"0";"12"
Folders selected for scanning:;"Scan Whole Computer"
Started:;"16/09/2013, 18:23:11"
Finished:;"16/09/2013, 18:49:58"
Total object scanned:;"2503427"
User who launched the scan:;"GUB"

Status;"Priority";"Name";"Description";"Result"
Infected;"Medium";"IRP hook, \FileSystem\Ntfs IRP_MJ_QUERY_SECURITY -> splb.sys +0x1204C";"C:\Windows\System32\Drivers\splb.sys";"Infected"
Infected;"Medium";"IRP hook, \FileSystem\Ntfs IRP_MJ_SHUTDOWN -> splb.sys +0x1204C";"C:\Windows\System32\Drivers\splb.sys";"Infected"
Infected;"Medium";"IRP hook, \FileSystem\Ntfs IRP_MJ_CLEANUP -> splb.sys +0x1204C";"C:\Windows\System32\Drivers\splb.sys";"Infected"
Infected;"Medium";"IRP hook, \Driver\volmgr IRP_MJ_CREATE -> splb.sys +0x12CD8";"C:\Windows\System32\Drivers\splb.sys";"Infected"
Infected;"Medium";"IRP hook, \FileSystem\Ntfs IRP_MJ_CREATE -> splb.sys +0x1204C";"C:\Windows\System32\Drivers\splb.sys";"Infected"
Infected;"Medium";"IRP hook, \Driver\volmgr IRP_MJ_READ -> splb.sys +0x12CD8";"C:\Windows\System32\Drivers\splb.sys";"Infected"
Infected;"Medium";"i8042prt.sys, hooked import HAL.dll READ_PORT_UCHAR -> splb.sys +0x11E9C";"C:\Windows\System32\Drivers\splb.sys";"Infected"
Infected;"Medium";"IRP hook, \FileSystem\Ntfs IRP_MJ_SET_SECURITY -> splb.sys +0x1204C";"C:\Windows\System32\Drivers\splb.sys";"Infected"
Infected;"Medium";"IRP hook, \FileSystem\Ntfs IRP_MJ_SET_QUOTA -> splb.sys +0x1204C";"C:\Windows\System32\Drivers\splb.sys";"Infected"
Infected;"Medium";"IRP hook, \FileSystem\Ntfs IRP_MJ_QUERY_QUOTA -> splb.sys +0x1204C";"C:\Windows\System32\Drivers\splb.sys";"Infected"
Infected;"Medium";"IRP hook, \FileSystem\Ntfs IRP_MJ_PNP -> splb.sys +0x1204C";"C:\Windows\System32\Drivers\splb.sys";"Infected"
Infected;"Medium";"IRP hook, \FileSystem\Ntfs IRP_MJ_LOCK_CONTROL -> splb.sys +0x1204C";"C:\Windows\System32\Drivers\splb.sys";"Infected"

I also ran Malwarebytes, which came back as negative, and then ran Kaspersky's TDSSKiller, which came back with a single infection which we have already looked at and decided it was a false positive(?). As you can see the "i8042prt" is back too!
  • 0
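The AVG report above is a semicolon-separated table whose Name column encodes what was hooked (an NTFS or volmgr IRP major function, or an imported HAL routine in i8042prt.sys), which module owns the hook, and the offset of the handler inside it. Before submitting a driver for analysis it helps to collapse a dozen such rows into "which module, how many handlers, what each one intercepts". The following is an added example, not AVG's code or anything posted by either participant; the sample report is constructed in the same layout from a subset of the rows in the post, and the classification of the Name column into IRP hooks and import hooks is an assumption about AVG's wording based only on the rows shown.

```python
import csv
import re
from collections import defaultdict
from io import StringIO

# Constructed sample in the layout of AVG's exported scan report; the rows
# are a subset of those posted in this thread.
SAMPLE_REPORT = r'''Status;"Priority";"Name";"Description";"Result"
Infected;"Medium";"IRP hook, \FileSystem\Ntfs IRP_MJ_QUERY_SECURITY -> splb.sys +0x1204C";"C:\Windows\System32\Drivers\splb.sys";"Infected"
Infected;"Medium";"IRP hook, \FileSystem\Ntfs IRP_MJ_CREATE -> splb.sys +0x1204C";"C:\Windows\System32\Drivers\splb.sys";"Infected"
Infected;"Medium";"IRP hook, \Driver\volmgr IRP_MJ_CREATE -> splb.sys +0x12CD8";"C:\Windows\System32\Drivers\splb.sys";"Infected"
Infected;"Medium";"IRP hook, \Driver\volmgr IRP_MJ_READ -> splb.sys +0x12CD8";"C:\Windows\System32\Drivers\splb.sys";"Infected"
Infected;"Medium";"i8042prt.sys, hooked import HAL.dll READ_PORT_UCHAR -> splb.sys +0x11E9C";"C:\Windows\System32\Drivers\splb.sys";"Infected"
'''

# Two wordings seen in the report: "IRP hook, <device object> <major> -> <module> +<offset>"
# and "<driver>, hooked import <dll> <function> -> <module> +<offset>".
IRP_HOOK_RE = re.compile(r"^IRP hook, (\S+) (IRP_MJ_\w+) -> (\S+) \+0x([0-9A-Fa-f]+)$")
IMPORT_HOOK_RE = re.compile(r"^(\S+), hooked import (\S+) (\w+) -> (\S+) \+0x([0-9A-Fa-f]+)$")


def parse_report(text):
    """Return one dict per detection row, classified as an IRP hook, an import hook, or other."""
    rows = []
    reader = csv.DictReader(StringIO(text), delimiter=";", quotechar='"')
    for row in reader:
        name = row["Name"]
        m = IRP_HOOK_RE.match(name)
        if m:
            target, major, module, offset = m.groups()
            rows.append({"kind": "irp", "target": target, "function": major, "module": module,
                         "offset": int(offset, 16), "path": row["Description"]})
            continue
        m = IMPORT_HOOK_RE.match(name)
        if m:
            importer, dll, func, module, offset = m.groups()
            rows.append({"kind": "import", "target": "%s!%s" % (importer, dll), "function": func,
                         "module": module, "offset": int(offset, 16), "path": row["Description"]})
            continue
        rows.append({"kind": "other", "target": None, "function": name, "module": None,
                     "offset": None, "path": row["Description"]})
    return rows


def summarize(rows):
    """Group detections by hooking module, then by handler offset.
    Many hooked majors landing on the same offset means one dispatch routine
    intercepts them all. That shape is produced by rootkits and also by
    legitimate filter drivers (AV and disk-encryption drivers, for instance),
    so the summary narrows what to submit for analysis; it does not decide."""
    summary = defaultdict(lambda: {"path": None, "handlers": defaultdict(set)})
    for r in rows:
        if r["module"] is None:
            continue
        entry = summary[r["module"]]
        entry["path"] = r["path"]
        entry["handlers"][r["offset"]].add((r["kind"], r["target"], r["function"]))
    return summary


if __name__ == "__main__":
    for module, info in summarize(parse_report(SAMPLE_REPORT)).items():
        print("%s (%s)" % (module, info["path"]))
        for offset, hooks in sorted(info["handlers"].items()):
            print("  handler +0x%X intercepts %d call(s):" % (offset, len(hooks)))
            for kind, target, func in sorted(hooks):
                print("    [%s] %s %s" % (kind, target, func))
```

Run against the full report in the post, this collapses the twelve rows to a single module with three handlers: one offset for every NTFS IRP major, one for the volmgr majors, and one for the READ_PORT_UCHAR import in the keyboard driver. That is the information the submission in the next post needs, alongside the two files themselves.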

#45
Teima (Geek in Training, GeekU Senior, 669 posts)
Hello GUBID,

I have spoken with my instructor and we have come to the conclusion that we will look into these two files further. With that in mind I'll present my course of action below. :)

Step One

Ensuring that system files/folders are shown on the machine

1. Please click Start and open the Control Panel.

2. Within the Control Panel, click on view by "Small Icons" within the right hand panel. Once done click "Folder Options".

3. On the View tab, check "Show hidden files, folders, and drives".

4. Click "Apply".

5. Click OK and close My Computer.

Step Two

Uploading the files to the submission channel

1. Please navigate to these two files on the machine:

  • C:\Windows\System32\Drivers\splb.sys
  • C:\Windows\System32\drivers\i8042prt.sys
2. Once found, please click here to situate the submission link.

3. Within the "link to topic" field, copy and paste this link: http://www.geekstogo...istant-rootkit/

4. In the additional comments section, please include that this submission is for Dakeyras and Teima.

5. Navigate and upload both files listed above. Please let me know once that's complete so that the files can be looked into further mate.
  • 0
