Win32: Alureon-Da[Rtk] Rootkit!
Jobber:
(Continued RootRepeal Driver Scan):
Name: ntkrnlpa.exe
Image Path: C:\WINDOWS\system32\ntkrnlpa.exe
Address: 0x804D7000 Size: 2150400 File Visible: - Signed: -
Status: -
Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xB1EF0000 Size: 2944 File Visible: - Signed: -
Status: -
Name: nv4_disp.dll
Image Path: C:\WINDOWS\System32\nv4_disp.dll
Address: 0xBF9D5000 Size: 6057984 File Visible: - Signed: -
Status: -
Name: nv4_mini.sys
Image Path: C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
Address: 0xB8B09000 Size: 6132576 File Visible: - Signed: -
Status: -
Name: nvata.sys
Image Path: nvata.sys
Address: 0xBA718000 Size: 100736 File Visible: - Signed: -
Status: -
Name: nvatabus.sys
Image Path: nvatabus.sys
Address: 0xBA6E7000 Size: 100736 File Visible: - Signed: -
Status: -
Name: NVENETFD.sys
Image Path: C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
Address: 0xB25D1000 Size: 34176 File Visible: - Signed: -
Status: -
Name: nvnetbus.sys
Image Path: C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
Address: 0xB9EFB000 Size: 13056 File Visible: - Signed: -
Status: -
Name: NVNRM.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\NVNRM.SYS
Address: 0xB8258000 Size: 307200 File Visible: - Signed: -
Status: -
Name: NVSNPU.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\NVSNPU.SYS
Address: 0xB8221000 Size: 225280 File Visible: - Signed: -
Status: -
Name: ohci1394.sys
Image Path: ohci1394.sys
Address: 0xBA8B8000 Size: 61696 File Visible: - Signed: -
Status: -
Name: P17xfi.sys
Image Path: C:\WINDOWS\system32\drivers\P17xfi.sys
Address: 0xB881F000 Size: 1449984 File Visible: - Signed: -
Status: -
Name: p17xfilt.sys
Image Path: C:\WINDOWS\system32\drivers\p17xfilt.sys
Address: 0xB82CB000 Size: 1659008 File Visible: - Signed: -
Status: -
Name: parport.sys
Image Path: C:\WINDOWS\system32\DRIVERS\parport.sys
Address: 0xB8AE1000 Size: 80128 File Visible: - Signed: -
Status: -
Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xBAB30000 Size: 19712 File Visible: - Signed: -
Status: -
Name: ParVdm.SYS
Image Path: C:\WINDOWS\System32\Drivers\ParVdm.SYS
Address: 0xBADBC000 Size: 6784 File Visible: - Signed: -
Status: -
Name: pci.sys
Image Path: pci.sys
Address: 0xBA768000 Size: 68224 File Visible: - Signed: -
Status: -
Name: pciide.sys
Image Path: pciide.sys
Address: 0xBAE70000 Size: 3328 File Visible: - Signed: -
Status: -
Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Address: 0xBAB28000 Size: 28672 File Visible: - Signed: -
Status: -
Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2150400 File Visible: - Signed: -
Status: -
Name: portcls.sys
Image Path: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xB87FB000 Size: 147456 File Visible: - Signed: -
Status: -
Name: psched.sys
Image Path: C:\WINDOWS\system32\DRIVERS\psched.sys
Address: 0xB81F9000 Size: 69120 File Visible: - Signed: -
Status: -
Name: ptilink.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Address: 0xBAC68000 Size: 17792 File Visible: - Signed: -
Status: -
Name: PxHelp20.sys
Image Path: PxHelp20.sys
Address: 0xBA928000 Size: 36320 File Visible: - Signed: -
Status: -
Name: rasacd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Address: 0xB26F3000 Size: 8832 File Visible: - Signed: -
Status: -
Name: rasl2tp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Address: 0xB9173000 Size: 51328 File Visible: - Signed: -
Status: -
Name: raspppoe.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Address: 0xB9163000 Size: 41472 File Visible: - Signed: -
Status: -
Name: raspptp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Address: 0xB9153000 Size: 48384 File Visible: - Signed: -
Status: -
Name: raspti.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspti.sys
Address: 0xBAC70000 Size: 16512 File Visible: - Signed: -
Status: -
Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2150400 File Visible: - Signed: -
Status: -
Name: rdbss.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Address: 0xA8122000 Size: 175744 File Visible: - Signed: -
Status: -
Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xBAE52000 Size: 4224 File Visible: - Signed: -
Status: -
Name: redbook.sys
Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys
Address: 0xBA1D8000 Size: 57600 File Visible: - Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA6079000 Size: 49152 File Visible: No Signed: -
Status: -
Name: SASDIFSV.SYS
Image Path: C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
Address: 0xA928E000 Size: 24576 File Visible: - Signed: -
Status: -
Name: SASENUM.SYS
Image Path: C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
Address: 0xB7B65000 Size: 20480 File Visible: - Signed: -
Status: -
Name: SASKUTIL.sys
Image Path: C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
Address: 0xAD0CF000 Size: 151552 File Visible: - Signed: -
Status: -
Name: SCSIPORT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\SCSIPORT.SYS
Address: 0xBA700000 Size: 98304 File Visible: - Signed: -
Status: -
Name: secdrv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\secdrv.sys
Address: 0xA6BA4000 Size: 40960 File Visible: - Signed: -
Status: -
Name: serenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\serenum.sys
Address: 0xB9EEF000 Size: 15744 File Visible: - Signed: -
Status: -
Name: serial.sys
Image Path: C:\WINDOWS\system32\DRIVERS\serial.sys
Address: 0xBA218000 Size: 64512 File Visible: - Signed: -
Status: -
Name: sfdrv01.sys
Image Path: sfdrv01.sys
Address: 0xBA5D3000 Size: 69632 File Visible: - Signed: -
Status: -
Name: sfhlp02.sys
Image Path: sfhlp02.sys
Address: 0xBAB40000 Size: 32768 File Visible: - Signed: -
Status: -
Name: sfsync02.sys
Image Path: sfsync02.sys
Address: 0xBAB38000 Size: 20544 File Visible: - Signed: -
Status: -
Name: sr.sys
Image Path: sr.sys
Address: 0xBA6B5000 Size: 73472 File Visible: - Signed: -
Status: -
Name: srv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\srv.sys
Address: 0xA6C5C000 Size: 333952 File Visible: - Signed: -
Status: -
Name: swenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys
Address: 0xBADF6000 Size: 4352 File Visible: - Signed: -
Status: -
Name: sysaudio.sys
Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xBAA58000 Size: 60800 File Visible: - Signed: -
Status: -
Name: tcpip.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xAD13E000 Size: 361600 File Visible: - Signed: -
Status: -
Name: TDI.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Address: 0xBAC60000 Size: 20480 File Visible: - Signed: -
Status: -
Name: termdd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys
Address: 0xB9133000 Size: 40704 File Visible: - Signed: -
Status: -
Name: update.sys
Image Path: C:\WINDOWS\system32\DRIVERS\update.sys
Address: 0xB819B000 Size: 384768 File Visible: - Signed: -
Status: -
Name: USBD.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Address: 0xBADE6000 Size: 8192 File Visible: - Signed: -
Status: -
Name: usbehci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xBAB88000 Size: 30208 File Visible: - Signed: -
Status: -
Name: usbhub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Address: 0xB2591000 Size: 59520 File Visible: - Signed: -
Status: -
Name: usbohci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbohci.sys
Address: 0xBAB80000 Size: 17152 File Visible: - Signed: -
Status: -
Name: USBPORT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Address: 0xB8ABD000 Size: 147456 File Visible: - Signed: -
Status: -
Name: USBSTOR.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Address: 0xB1EBB000 Size: 26368 File Visible: - Signed: -
Status: -
Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xB26AF000 Size: 20992 File Visible: - Signed: -
Status: -
Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Address: 0xB8AF5000 Size: 81920 File Visible: - Signed: -
Status: -
Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xBA8E8000 Size: 52352 File Visible: - Signed: -
Status: -
Name: wanarp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Address: 0xA916D000 Size: 34560 File Visible: - Signed: -
Status: -
Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xA8DC8000 Size: 20480 File Visible: - Signed: -
Status: -
Name: wdmaud.sys
Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xA7337000 Size: 83072 File Visible: - Signed: -
Status: -
Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -
Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -
Name: WMILIB.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS
Address: 0xBADAA000 Size: 8192 File Visible: - Signed: -
Status: -
Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2150400 File Visible: - Signed: -
Status: -
Now what should I do??
Do I need to do a Files Scan also??
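The driver-scan records above all share one fixed shape (Name / Image Path / Address-Size-File Visible-Signed / Status), so a long log can be triaged mechanically instead of by eye. The parser below is an added example, not code from the thread or from RootRepeal: it splits the log into one record per driver and lists every driver whose file is not visible on disk, skipping RootRepeal's own rootrepeal.sys, which the log above shows as File Visible: No and which is expected to hide its driver file. The sample records are excerpted from the posted log; the function and parameter names are this example's own.

```python
import re
from typing import Dict, List, Set

# Two records excerpted from the RootRepeal driver scan posted above.
SAMPLE_LOG = r"""Name: redbook.sys
Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys
Address: 0xBA1D8000 Size: 57600 File Visible: - Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA6079000 Size: 49152 File Visible: No Signed: -
Status: -
"""

# The combined Address/Size/File Visible/Signed line of each record.
ADDR_RE = re.compile(
    r"Address:\s*(0x[0-9A-Fa-f]+)\s+Size:\s*(\d+)\s+"
    r"File Visible:\s*(\S+)\s+Signed:\s*(\S+)"
)

# Scanners that hide their own driver file; anything else hidden is suspect.
DEFAULT_EXPECTED_HIDDEN = {"rootrepeal.sys"}


def parse_driver_log(text: str) -> List[Dict[str, object]]:
    """Turn the RootRepeal driver-scan text into one dict per driver."""
    records: List[Dict[str, object]] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Name:"):
            current = {"name": line[len("Name:"):].strip()}
            records.append(current)
        elif current is None:
            continue  # text before the first record (headers, page break)
        elif line.startswith("Image Path:"):
            current["image_path"] = line[len("Image Path:"):].strip()
        elif line.startswith("Address:"):
            m = ADDR_RE.match(line)
            if m:
                current["address"] = int(m.group(1), 16)
                current["size"] = int(m.group(2))
                current["file_visible"] = m.group(3)
                current["signed"] = m.group(4)
        elif line.startswith("Status:"):
            current["status"] = line[len("Status:"):].strip()
    return records


def hidden_drivers(records: List[Dict[str, object]],
                   expected_hidden: Set[str] = DEFAULT_EXPECTED_HIDDEN) -> List[str]:
    """Names of loaded drivers whose file RootRepeal could not see on disk."""
    return [str(r["name"]) for r in records
            if r.get("file_visible") == "No"
            and str(r["name"]).lower() not in expected_hidden]
```

Run it over a full saved report rather than the excerpt; a hidden driver that is not a known scanner or security product is the entry worth investigating first.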
mathboyx215:
Oops. Somehow, I gave you the wrong instruction in the first post. :o Please do the following:
Open rootrepeal and go to the tab
Then click on the "scan" button.
In the select scan dialog, check the following:
Click on ok.
Check the box for the C drive and let rootrepeal scan. The scan may take some time.
After the scan is done, click on "save report" and post the log on the forum.
Jobber:
OK, I am having big trouble getting RootRepeal to run, and I am following the instructions in the above post.
I have RootRepeal in a folder in my Windows Documents section; that is where I run the program from.
I have RootRepeal version 1.3.5.0
Its icon is a blue colored magnifying glass.
There is a DAT File next to the magnifying glass.
OK, I click on the magnifying glass icon, and then a dialog box appears.
One says:
"Could not read the boot sector. Try adjusting the Disk Access Level in the Options dialog" with an option in same said dialog box that says "OK".
At the same time, there is another box which says "Initializing please wait."
Well, nothing really happens unless I try to close the dialog box with the message about the Disk Access Level.
This takes several attempts to close, and the dialog box does not close immediately if I either press "OK" or try to close the box with the computer Mouse.
However, if I try and close it several times with the Mouse, the dialog and initializing boxes soon disappear.
Then, the RootRepeal Screen appears.
I then go to Settings tab > Options; I have tried adjusting and running RootRepeal on the Low, Mid, and High Level Disk Access Levels.
Then I go to the Reports tab, and follow the instructions given in the above post.
Then, after following your instructions, the same thing happens each time.
A message in the RootRepeal box appears which says "Initializing, please wait . . . . " and I can see in the lower left hand corner the word "Scanning . . . ".
But nothing happens.
In fact, the computer screen freezes up; I noticed the time at the bottom of the computer screen (where the START button bar runs across the screen) froze to the time I started the RootRepeal Scan.
So, even though I waited 20 minutes and it was 3:20PM, the time on my computer still said 3:00PM.
What am I doing wrong??
How can I get RootRepeal to work???
mathboyx215:
Try deleting the version of rootrepeal that you have and download it again
http://rootrepeal.psikotick.com/RootRepeal.zip
Jobber:
I actually had downloaded RootRepeal twice in two separate folders.
I deleted one, and downloaded the new version at the link you provided, but forgot to reboot the system when I deleted the original. Realizing this, I think I then rebooted.
Then I deleted and rebooted for the other; then I deleted and rebooted the new version from the link; then I downloaded RootRepeal again.
Unfortunately, the same thing is happening and I am still getting the exact same message and RootRepeal doesn't seem to want to work and the exact same thing is happening:
--- Quote ---OK, I click on the magnifying glass icon, and then a dialog box appears.
One says:
"Could not read the boot sector. Try adjusting the Disk Access Level in the Options dialog" with an option in same said dialog box that says "OK".
At the same time, there is another box which says "Initializing please wait."
Well, nothing really happens unless I try to close the dialog box with the message about the Disk Access Level.
This takes several attempts to close, and the dialog box does not close immediately if I either press "OK" or try to close the box with the computer Mouse.
However, if I try and close it several times with the Mouse, the dialog and initializing boxes soon disappear.
Then, the RootRepeal Screen appears.
I then go to Settings tab > Options; I have tried adjusting and running RootRepeal on the Low, Mid, and High Level Disk Access Levels.
Then I go to the Reports tab, and follow the instructions given in the above post.
Then, after following your instructions, the same thing happens each time.
A message in the RootRepeal box appears which says "Initializing, please wait . . . . " and I can see in the lower left hand corner the word "Scanning . . . ".
But nothing happens.
In fact, the computer screen freezes up.
--- End quote ---
I don't know why RootRepeal doesn't work; I have also tried running RootRepeal in Safety Mode, and the exact same thing happens.
Is perhaps Avast! 4.8 not allowing it to run?? Does Avast! 4.8 run a firewall that blocks programs like RootRepeal from working???
The RootRepeal program seems like a very basic type of computer program.
Should I have RootRepeal's Disk Access Level set at a certain level??
I always get the "Could not read boot sector etc." dialog box whenever I double-click on the RootRepeal icon and try to get it started.
I have Windows Home Edition XP.
The only anti-virus programs I currently have are Avast! 4.8, SuperAnti-Spyware Free Edition, and Malwarebytes' Anti-Malware.
Besides RootRepeal, are there any other anti-rootkit programs I could try to running???
How bad is having this Rootkit on one's computer??
Should I no longer work on this computer?? I have been still using the computer but not a lot.
It seems to run fine, and there isn't a whole lot of spyware websites popping up.
But obviously I want to get rid of the rootkit.
Also, this is the message I now receive from Avast! 4.8 when I click on the Avast! blue ball icon on my computer's Start Screen.
It is slightly different from the message a few days ago in the OP:
Malware Was Found
File Name: c:\windows\temp\gaskyuwapntsetf.tmp
Malware Name: Win32: Alureon-DA[Rtk]
Malware Type: Rootkit
VPS Version: 091006-0, 10/06/2009
I cannot move the Rootkit to chest.
When I close Avast!, an Avast! box appears with this message:
"avast! has detected a virus in the operating memory. Since it is very dangerous to work with the computer while the virus is active", Avast! recommends a BootScan.
I have run the BootScan before, and that doesn't detect the Rootkit and takes a lot of time, so I didn't run the BootScan again.