Tech Support Forum
Not open for further replies.

#1 · Discussion Starter (Registered · 1 Posts)
Okay here goes.
I've been having a really annoying rootkit problem. My AVG 8.0 detected a rootkit, which it couldn't remove. I then did some searching on what a rootkit is and how to remove it. I came to the conclusion to reinstall my Windows Vista.

Then I ran a scan again with AVG and found a rootkit again. Then I formatted my external hard disk, because I read a rootkit could spread its infection. I do not know if that is true.

Now I reinstalled Windows Vista again. Now I don't have any anti-virus/trojan/spyware program, only Windows Defender. The only thing I have done is download and install Adobe Reader 9.2 and all the updates from Microsoft.

I am completely new on this forum and I have never tried anything like this. So please let me know if I missed anything. I have followed the guide "New Instructions" and believe I have followed every step.

I want to make sure the rootkit is completely gone and would like assistance and help to prevent it from happening again, like which anti-virus I should use and so on. I hope I haven't missed anything. And yeah, my English isn't the best.

Best regards
Anders
______
The DDS text:

DDS (Ver_09-12-01.01) - NTFSX64
Run by Anders at 13:13:04,59 on 11-12-2009
Internet Explorer: 8.0.6001.18865
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.45.1030.18.8190.6646 [GMT 1:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Marvell\61xx\svc\mvraidsvc.exe
C:\Program Files (x86)\Marvell\61xx\Apache2\bin\Apache.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Marvell\61xx\Apache2\bin\Apache.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RAVCpl64.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Marvell\61xx\tray\zRaidTray.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Anders\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q230NDPD\dds[1].scr

============== Pseudo HJT Report ===============

mLocal Page = c:\windows\syswow64\blank.htm
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [Adobe Reader Speed Launcher] "c:\program files (x86)\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files (x86)\common files\adobe\arm\1.0\AdobeARM.exe"
mRunOnce: [Uninstall Adobe Download Manager] "c:\windows\system32\rundll32.exe" "c:\program files (x86)\nos\bin\getPlus_Helper.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1noarp
StartupFolder: c:\users\anders\appdata\roaming\micros~1\windows\startm~1\programs\startup\marvel~1.lnk - c:\program files (x86)\marvell\61xx\tray\RaidTray.bat
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
mRun-x64: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun-x64: [RtHDVCpl] RAVCpl64.exe
mRun-x64: [Skytel] Skytel.exe

============= SERVICES / DRIVERS ===============

R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [2007-6-15 163736]
R2 Marvell RAID;Marvell RAID Event Agent;c:\program files (x86)\marvell\61xx\svc\mvraidsvc.exe [2007-6-12 61440]
R2 MRUWebService;MRU Web Service;c:\program files (x86)\marvell\61xx\apache2\bin\Apache.exe [2007-5-23 20539]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l160x64.sys [2009-12-10 56832]
R3 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe [2009-12-11 89920]
S3 PerfHost;Vært for DLL-ydelsestæller;c:\windows\syswow64\perfhost.exe [2008-1-21 19968]

============== File Associations ===============

JSEFile=c:\windows\syswow64\WScript.exe "%1" %*

=============== Created Last 30 ================

2009-12-11 12:02:18 0 d-----w- c:\programdata\Adobe
2009-12-11 12:00:35 0 d-----w- c:\programdata\NOS
2009-12-11 11:53:03 0 d-----w- c:\windows\syswow64\vi-VN
2009-12-11 11:53:03 0 d-----w- c:\windows\syswow64\eu-ES
2009-12-11 11:53:03 0 d-----w- c:\windows\syswow64\ca-ES
2009-12-11 11:53:03 0 d-----w- c:\windows\system32\vi-VN
2009-12-11 11:53:03 0 d-----w- c:\windows\system32\eu-ES
2009-12-11 11:53:03 0 d-----w- c:\windows\system32\ca-ES
2009-12-11 11:29:59 1480704 ----a-w- c:\windows\syswow64\mssrch.dll
2009-12-11 11:28:59 247808 ----a-w- c:\windows\syswow64\drvstore.dll
2009-12-11 11:28:48 936448 ----a-w- c:\windows\system32\SmiEngine.dll
2009-12-11 11:28:48 891392 ----a-w- c:\windows\system32\wbem\fastprox.dll
2009-12-11 11:28:48 43520 ----a-w- c:\windows\system32\wbem\wbemprox.dll
2009-12-11 11:28:48 1172992 ----a-w- c:\windows\system32\wbem\wbemcore.dll
2009-12-11 11:28:47 293888 ----a-w- c:\windows\system32\wdscore.dll
2009-12-11 11:28:47 138752 ----a-w- c:\windows\system32\PkgMgr.exe
2009-12-11 11:28:45 315904 ----a-w- c:\windows\system32\drvstore.dll
2009-12-10 23:56:57 226688 ------w- c:\windows\system32\MpSigStub.exe
2009-12-10 23:56:04 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-12-10 23:53:45 442368 ----a-w- c:\windows\system32\winhttp.dll
2009-12-10 23:53:45 377344 ----a-w- c:\windows\syswow64\winhttp.dll
2009-12-10 23:53:28 726528 ----a-w- c:\windows\syswow64\jscript.dll
2009-12-10 23:31:11 32768 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-10 23:31:11 24064 ----a-w- c:\windows\syswow64\nshhttp.dll
2009-12-10 23:31:10 620032 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-10 23:31:10 33792 ----a-w- c:\windows\system32\httpapi.dll
2009-12-10 23:31:10 30720 ----a-w- c:\windows\syswow64\httpapi.dll
2009-12-10 23:30:51 656896 ----a-w- c:\windows\system32\kerberos.dll
2009-12-10 23:30:51 499712 ----a-w- c:\windows\syswow64\kerberos.dll
2009-12-10 23:30:51 338432 ----a-w- c:\windows\system32\schannel.dll
2009-12-10 23:30:51 270848 ----a-w- c:\windows\syswow64\schannel.dll
2009-12-10 23:26:18 34990 ----a-w- c:\programdata\nvModes.dat
2009-12-10 23:13:52 2048 ----a-w- c:\windows\syswow64\tzres.dll
2009-12-10 23:13:52 2048 ----a-w- c:\windows\system32\tzres.dll
2009-12-10 23:07:40 18904 ----a-w- c:\windows\syswow64\StructuredQuerySchemaTrivial.bin
2009-12-10 23:07:40 18904 ----a-w- c:\windows\system32\StructuredQuerySchemaTrivial.bin
2009-12-10 23:07:39 11967524 ----a-w- c:\windows\syswow64\korwbrkr.lex
2009-12-10 23:07:39 11967524 ----a-w- c:\windows\system32\korwbrkr.lex
2009-12-10 22:47:52 0 d-sh--w- c:\windows\Installer
2009-12-10 22:41:26 41984 ----a-w- c:\windows\syswow64\netfxperf.dll
2009-12-10 22:41:26 13824 ----a-w- c:\windows\system32\netfxperf.dll
2009-12-10 22:35:47 88064 ----a-w- c:\windows\system32\admparse.dll
2009-12-10 22:25:24 32256 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-12-10 22:24:52 4698168 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-10 22:23:57 368128 ----a-w- c:\windows\system32\wmpdxm.dll
2009-12-10 22:23:57 313344 ----a-w- c:\windows\syswow64\wmpdxm.dll
2009-12-10 22:23:56 43520 ----a-w- c:\windows\syswow64\msdxm.tlb
2009-12-10 22:23:56 43520 ----a-w- c:\windows\system32\msdxm.tlb
2009-12-10 22:23:56 18432 ----a-w- c:\windows\syswow64\amcompat.tlb
2009-12-10 22:23:56 18432 ----a-w- c:\windows\system32\amcompat.tlb
2009-12-10 22:03:49 108 ----a-w- c:\windows\za_mv_raid.ev
2009-12-10 22:03:48 9 ----a-w- c:\windows\mvraidver.dat
2009-12-10 22:03:46 162 ----a-w- c:\windows\syswow64\61xx.xml
2009-12-10 21:55:58 0 d-----w- c:\program files (x86)\Marvell
2009-12-10 21:54:19 0 d-----w- c:\windows\syswow64\RTCOM
2009-12-10 21:53:44 0 d-----w- c:\program files (x86)\Realtek
2009-12-10 21:51:13 0 d-----w- c:\windows\ASUSInstAll
2009-12-10 21:45:19 0 d-----w- C:\Intel
2009-12-10 21:45:07 15231 ----a-w- c:\windows\Ascd_log.ini
2009-12-10 21:44:56 15680 ----a-w- c:\windows\system32\drivers\ASACPI.sys
2009-12-10 21:44:55 14915 ----a-w- c:\windows\Ascd_tmp.ini
2009-12-10 21:43:25 0 d-----w- c:\programdata\NVIDIA
2009-12-10 21:41:17 388640 ----a-w- c:\windows\system32\nvexpbar.dll
2009-12-10 21:41:17 1071136 ----a-w- c:\windows\system32\nvcpluir.dll
2009-12-10 21:39:56 541800 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-12-10 21:35:26 0 d-sh--we C:\Programmer
2009-12-10 21:35:26 0 d-sh--we c:\programdata\Skrivebord
2009-12-10 21:35:26 0 d-sh--we c:\programdata\Skabeloner
2009-12-10 21:35:26 0 d-sh--we c:\programdata\Menuen Start
2009-12-10 21:35:26 0 d-sh--we c:\programdata\Favoritter
2009-12-10 21:35:26 0 d-sh--we c:\programdata\Dokumenter
2009-12-10 21:35:26 0 d-sh--we c:\program files\Fælles filer
2009-12-10 21:27:56 0 d-----w- c:\windows\Panther
2009-12-10 21:27:44 8192 --s-a-r- C:\BOOTSECT.BAK
2009-12-10 21:27:43 333257 --sha-r- C:\bootmgr
2009-12-10 21:27:43 0 d-sh--w- C:\Boot

==================== Find3M ====================

2009-12-11 12:02:36 76996 ----a-w- c:\windows\system32\perfc006.dat
2009-12-11 12:02:36 463106 ----a-w- c:\windows\system32\perfh006.dat
2009-12-11 11:57:12 86016 ----a-w- c:\windows\inf\infstrng.dat
2009-12-11 11:57:12 86016 ----a-w- c:\windows\inf\infstor.dat
2009-12-11 11:57:12 51200 ----a-w- c:\windows\inf\infpub.dat
2009-12-11 11:53:01 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-12-11 11:34:11 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2009-12-10 21:54:00 525792 ----a-w- c:\windows\DIFxAPI.dll
2009-12-10 21:53:40 315392 ----a-w- c:\windows\HideWin.exe
2009-11-21 06:52:02 1147904 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:46:36 77312 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:46:36 132096 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 06:40:20 916480 ----a-w- c:\windows\syswow64\wininet.dll
2009-11-21 06:40:03 1208832 ----a-w- c:\windows\syswow64\urlmon.dll
2009-11-21 06:38:17 206848 ----a-w- c:\windows\syswow64\occache.dll
2009-11-21 06:35:43 5940736 ----a-w- c:\windows\syswow64\mshtml.dll
2009-11-21 06:35:38 594432 ----a-w- c:\windows\syswow64\msfeeds.dll
2009-11-21 06:35:38 55296 ----a-w- c:\windows\syswow64\msfeedsbs.dll
2009-11-21 06:34:58 25600 ----a-w- c:\windows\syswow64\jsproxy.dll
2009-11-21 06:34:39 71680 ----a-w- c:\windows\syswow64\iesetup.dll
2009-11-21 06:34:39 1985536 ----a-w- c:\windows\syswow64\iertutil.dll
2009-11-21 06:34:39 164352 ----a-w- c:\windows\syswow64\ieui.dll
2009-11-21 06:34:39 109056 ----a-w- c:\windows\syswow64\iesysprep.dll
2009-11-21 06:34:38 55808 ----a-w- c:\windows\syswow64\iernonce.dll
2009-11-21 06:34:38 184320 ----a-w- c:\windows\syswow64\iepeers.dll
2009-11-21 06:34:38 11069952 ----a-w- c:\windows\syswow64\ieframe.dll
2009-11-21 06:34:33 387584 ----a-w- c:\windows\syswow64\iedkcs32.dll
2009-11-21 05:07:24 162816 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-21 04:59:58 133632 ----a-w- c:\windows\syswow64\ieUnatt.exe
2009-11-21 04:59:52 173056 ----a-w- c:\windows\syswow64\ie4uinit.exe
2009-11-21 04:59:14 13312 ----a-w- c:\windows\syswow64\msfeedssync.exe
2009-10-07 12:20:17 280576 ----a-w- c:\windows\system32\rastls.dll
2009-10-07 11:36:36 243712 ----a-w- c:\windows\syswow64\rastls.dll
2009-09-27 17:24:22 3778664 ----a-w- c:\windows\system32\nvcplui.exe
2009-09-27 17:23:00 4546152 ----a-w- c:\windows\system32\nvvitvs.dll
2009-09-27 17:23:00 3746920 ----a-w- c:\windows\system32\nvwss.dll
2009-09-27 17:23:00 289896 ----a-w- c:\windows\system32\nvmccss.dll
2009-09-27 17:23:00 1647720 ----a-w- c:\windows\system32\nvmobls.dll
2009-09-27 17:23:00 1646696 ----a-w- c:\windows\system32\nvsvs.dll
2009-09-27 17:22:00 991848 ----a-w- c:\windows\system32\nvsvc64.dll
2009-09-27 17:22:00 82536 ----a-w- c:\windows\system32\nvmctray.dll
2009-09-27 17:22:00 5426792 ----a-w- c:\windows\system32\nvdisps.dll
2009-09-27 17:22:00 5208168 ----a-w- c:\windows\system32\nvgames.dll
2009-09-27 17:22:00 383592 ----a-w- c:\windows\system32\nvvsvc.exe
2009-09-27 17:22:00 244840 ----a-w- c:\windows\system32\nvshext.dll
2009-09-27 17:22:00 16666728 ----a-w- c:\windows\system32\nvcpl.dll
2008-01-21 10:21:16 36364 ----a-w- c:\windows\inf\perflib\0406\perfd.dat
2008-01-21 10:21:16 36364 ----a-w- c:\windows\inf\perflib\0406\perfc.dat
2008-01-21 10:21:15 300302 ----a-w- c:\windows\inf\perflib\0406\perfi.dat
2008-01-21 10:21:15 300302 ----a-w- c:\windows\inf\perflib\0406\perfh.dat
2008-01-21 03:21:59 174 --sha-w- c:\program files\desktop.ini
2008-01-21 03:21:59 174 --sha-w- c:\program files (x86)\desktop.ini
2006-11-02 10:52:12 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:52:12 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:52:10 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:52:10 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 13:13:11,94 ===============
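Threads like this one depend on a helper reading the DDS log by eye, so here is an added Python example (not part of the original post and not the DDS tool's own code) that parses the log's section layout and applies a few defender-side triage checks to a constructed sample in the same format. The section and entry regexes are derived from the layout shown above; the temp-directory markers, the executable-extension list and the Userinit check are my own assumptions about what is worth a second look.

```python
"""Parse a DDS log and apply simple triage checks (added example; heuristics are assumptions)."""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the DDS layout seen in the thread (a few lines, not the full log).
SAMPLE_LOG = r"""
============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Users\Anders\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q230NDPD\dds[1].scr

============== Pseudo HJT Report ===============

mWinlogon: Userinit=userinit.exe
mRun: [Adobe ARM] "c:\program files (x86)\common files\adobe\arm\1.0\AdobeARM.exe"

=============== Created Last 30 ================

2009-12-11 12:02:18 0 d-----w- c:\programdata\Adobe
2009-12-10 23:56:04 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-12-10 21:27:43 333257 --sha-r- C:\bootmgr

============= FINISH: 13:13:11,94 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# "<date> <time> <size> <8-char attrs> <path>", the shape of DDS file entries.
ENTRY_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+([a-z-]{8})\s+(.+)$")

# Directories an installed program rarely runs from (assumption, not a DDS rule).
TEMP_MARKERS = ("\\temporary internet files\\", "\\appdata\\local\\temp\\", "\\windows\\temp\\")
EXEC_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".com"}


@dataclass
class FileEntry:
    timestamp: str
    size: int
    attrs: str   # DDS attribute string such as "--sha-r-" (s=system, h=hidden, a=archive)
    path: str

    def is_hidden(self) -> bool:
        return "h" in self.attrs

    def is_executable(self) -> bool:
        return ntpath.splitext(self.path)[1].lower() in EXEC_EXTENSIONS


def parse_dds(text: str) -> Dict[str, List[str]]:
    """Group non-blank lines under the '=== Section ===' header they follow."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections[current] = []
        elif current is not None and line:
            sections[current].append(line)
    return sections


def parse_entries(lines: List[str]) -> List[FileEntry]:
    """Turn 'Created Last 30' / 'Find3M' lines into FileEntry records."""
    out = []
    for line in lines:
        m = ENTRY_RE.match(line)
        if m:
            out.append(FileEntry(m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return out


def flag_processes(proc_lines: List[str]) -> List[str]:
    """Processes whose image lives in a browser cache or temp directory."""
    return [p for p in proc_lines if any(m in p.lower() for m in TEMP_MARKERS)]


def flag_hidden_executables(entries: List[FileEntry]) -> List[str]:
    """Hidden-attribute files with an executable extension: worth a manual look."""
    return [e.path for e in entries if e.is_hidden() and e.is_executable()]


def check_userinit(hjt_lines: List[str]) -> Optional[str]:
    """Winlogon Userinit should name only userinit.exe; extra entries are a persistence point."""
    for line in hjt_lines:
        if line.startswith("mWinlogon: Userinit="):
            value = line.split("=", 1)[1]
            names = [ntpath.basename(p.strip()).lower() for p in value.split(",") if p.strip()]
            return None if names == ["userinit.exe"] else f"unexpected Userinit value: {value}"
    return "no Userinit line found"


def triage(text: str) -> Dict[str, List[str]]:
    """Run every check over one log and return the findings per category."""
    sections = parse_dds(text)
    entries = parse_entries(sections.get("Created Last 30", []) + sections.get("Find3M", []))
    findings = {
        "processes_from_temp": flag_processes(sections.get("Running Processes", [])),
        "hidden_executables": flag_hidden_executables(entries),
        "userinit": [],
    }
    problem = check_userinit(sections.get("Pseudo HJT Report", []))
    if problem:
        findings["userinit"].append(problem)
    return findings


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(f"{category}: {items if items else 'nothing flagged'}")
```

On the sample, the only hit is `dds[1].scr` running from the Internet Explorer cache, which in this thread is the DDS scanner itself, launched from where the browser saved it. That is the caveat a practitioner wants: these checks raise items for a human to review, they do not decide that anything is malicious.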

TSF-Emeritus (8,968 Posts)
Hi,

Please do the following:

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Check the box that says 64 bit
  • Under Additional Scans check the following:
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.