Not able to get rid of a Rootkit

Help…!!!
My PC’s infected by a rootkit… :frowning: Avast detects it during the memory scan but is unable to delete it because it is being used by another process.
A safe mode scan does not help, and the scheduled boot-time scan isn’t able to delete it either (I even tried “allow moving of system files”).

c:\windows\temp\gasfkynorcrprxtd.tmp & c:\windows\system32\gasfkynorcrprxtd.dll
Malware name :Win32:Alureon-CY [Rtk]
Malware type : Rootkit

Strangely, I cannot find the mentioned files in either the Temp or the System32 folder ???
I use Win XP Pro SP2
Avast Home 4.8
VPS : 090916-0, 09/16/2009

Service Pack 3 is already available.

I suggest MBAM and RootRepeal. Post MBAM and RootRepeal logs in each post.

If you have XP, vista or Win2k (all 32bit), you could enable a boot time scan. Right click the avast icon, select Start avast! Antivirus, a memory scan will take place followed by the opening of the Simple User Interface, Menu, ‘Schedule boot-time scan…’ Or see http://www.digitalred.com/avast-boot-time.php.

  • Ensure that you have hidden files and folders enabled and disable hide system files in Windows Explorer, Tools, Folder Options, Hidden files and folders, uncheck Hide extensions for known file types, etc. See image.

They may well be hidden by rootkit, so the tools suggested by Jtaylor83 should help.

ROOTREPEAL (c) AD, 2007-2009

Scan Start Time: 2009/09/17 13:01
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2

Drivers

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF4CF0000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8AA0000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF1866000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files

Path: Volume C:
Status: MBR Rootkit Detected!

Path: Volume C:, Sector 1
Status: Sector mismatch

Path: Volume C:, Sector 4
Status: Sector mismatch

Path: Volume C:, Sector 5
Status: Sector mismatch

Path: Volume C:, Sector 6
Status: Sector mismatch

Path: Volume C:, Sector 7
Status: Sector mismatch

Path: Volume C:, Sector 9
Status: Sector mismatch

Path: Volume C:, Sector 10
Status: Sector mismatch

Path: Volume C:, Sector 11
Status: Sector mismatch

Path: Volume C:, Sector 12
Status: Sector mismatch

Path: Volume C:, Sector 14
Status: Sector mismatch

Path: Volume C:, Sector 15
Status: Sector mismatch

Path: Volume C:, Sector 18
Status: Sector mismatch

Path: Volume C:, Sector 19
Status: Sector mismatch

Path: Volume C:, Sector 20
Status: Sector mismatch

Path: Volume C:, Sector 21
Status: Sector mismatch

Path: Volume C:, Sector 24
Status: Sector mismatch

Path: Volume C:, Sector 25
Status: Sector mismatch

Path: Volume C:, Sector 26
Status: Sector mismatch

Path: Volume C:, Sector 29
Status: Sector mismatch

Path: Volume C:, Sector 30
Status: Sector mismatch

Path: Volume C:, Sector 31
Status: Sector mismatch

Path: Volume C:, Sector 34
Status: Sector mismatch

Path: Volume C:, Sector 36
Status: Sector mismatch

Path: Volume C:, Sector 37
Status: Sector mismatch

Path: Volume C:, Sector 38
Status: Sector mismatch

Path: Volume C:, Sector 39
Status: Sector mismatch

Path: Volume C:, Sector 41
Status: Sector mismatch

Path: Volume C:, Sector 42
Status: Sector mismatch

Path: Volume C:, Sector 43
Status: Sector mismatch

Path: Volume C:, Sector 44
Status: Sector mismatch

Path: Volume C:, Sector 47
Status: Sector mismatch

Path: Volume C:, Sector 48
Status: Sector mismatch

Path: Volume C:, Sector 49
Status: Sector mismatch

Path: Volume C:, Sector 51
Status: Sector mismatch

Path: Volume C:, Sector 53
Status: Sector mismatch

Path: Volume C:, Sector 54
Status: Sector mismatch

Path: Volume C:, Sector 55
Status: Sector mismatch

Path: Volume C:, Sector 56
Status: Sector mismatch

Path: Volume C:, Sector 57
Status: Sector mismatch

Path: Volume C:, Sector 59
Status: Sector mismatch

Path: Volume C:, Sector 62
Status: Sector mismatch

Path: Volume D:
Status: MBR Rootkit Detected!

Path: Volume D:, Sector 1
Status: Sector mismatch

Path: Volume D:, Sector 2
Status: Sector mismatch

Path: Volume D:, Sector 6
Status: Sector mismatch

Path: Volume D:, Sector 15
Status: Sector mismatch

Path: Volume D:, Sector 16
Status: Sector mismatch

Path: Volume D:, Sector 17
Status: Sector mismatch

Path: Volume D:, Sector 18
Status: Sector mismatch

Path: Volume D:, Sector 20
Status: Sector mismatch

Path: Volume D:, Sector 24
Status: Sector mismatch

Path: Volume D:, Sector 30
Status: Sector mismatch

Path: Volume D:, Sector 33
Status: Sector mismatch

Path: Volume D:, Sector 34
Status: Sector mismatch

Path: Volume D:, Sector 35
Status: Sector mismatch

Path: Volume D:, Sector 36
Status: Sector mismatch

Path: Volume D:, Sector 37
Status: Sector mismatch

Path: Volume D:, Sector 38
Status: Sector mismatch

Path: Volume D:, Sector 39
Status: Sector mismatch

Path: Volume D:, Sector 40
Status: Sector mismatch

Path: Volume D:, Sector 41
Status: Sector mismatch

Path: Volume D:, Sector 42
Status: Sector mismatch

Path: Volume D:, Sector 46
Status: Sector mismatch

Path: Volume D:, Sector 48
Status: Sector mismatch

Path: Volume D:, Sector 49
Status: Sector mismatch

Path: Volume D:, Sector 53
Status: Sector mismatch

Path: Volume D:, Sector 54
Status: Sector mismatch

Path: Volume D:, Sector 55
Status: Sector mismatch

Path: Volume D:, Sector 56
Status: Sector mismatch

Path: Volume D:, Sector 57
Status: Sector mismatch

Path: Volume D:, Sector 58
Status: Sector mismatch

Path: Volume D:, Sector 60
Status: Sector mismatch

Path: Volume D:, Sector 61
Status: Sector mismatch

Path: Volume E:
Status: MBR Rootkit Detected!

Path: Volume E:, Sector 1
Status: Sector mismatch

Path: Volume E:, Sector 4
Status: Sector mismatch

Path: Volume E:, Sector 8
Status: Sector mismatch

Path: Volume E:, Sector 9
Status: Sector mismatch

Path: Volume E:, Sector 10
Status: Sector mismatch

Path: Volume E:, Sector 14
Status: Sector mismatch

Path: Volume E:, Sector 15
Status: Sector mismatch

Path: Volume E:, Sector 16
Status: Sector mismatch

Path: Volume E:, Sector 17
Status: Sector mismatch

Path: Volume E:, Sector 19
Status: Sector mismatch

Path: Volume E:, Sector 22
Status: Sector mismatch

Path: Volume E:, Sector 23
Status: Sector mismatch

Path: Volume E:, Sector 24
Status: Sector mismatch

Path: Volume E:, Sector 25
Status: Sector mismatch

Path: Volume E:, Sector 26
Status: Sector mismatch

Path: Volume E:, Sector 27
Status: Sector mismatch

Path: Volume E:, Sector 28
Status: Sector mismatch

Path: Volume E:, Sector 32
Status: Sector mismatch

Path: Volume E:, Sector 33
Status: Sector mismatch

Path: Volume E:, Sector 34
Status: Sector mismatch

Path: Volume E:, Sector 35
Status: Sector mismatch

Path: Volume E:, Sector 37
Status: Sector mismatch

Path: Volume E:, Sector 38
Status: Sector mismatch

Path: Volume E:, Sector 40
Status: Sector mismatch

Path: Volume E:, Sector 41
Status: Sector mismatch

Path: Volume E:, Sector 42
Status: Sector mismatch

Path: Volume E:, Sector 43
Status: Sector mismatch

Path: Volume E:, Sector 44
Status: Sector mismatch

Path: Volume E:, Sector 45
Status: Sector mismatch

Path: Volume E:, Sector 46
Status: Sector mismatch

Path: Volume E:, Sector 47
Status: Sector mismatch

Path: Volume E:, Sector 48
Status: Sector mismatch

Path: Volume E:, Sector 49
Status: Sector mismatch

Path: Volume E:, Sector 50
Status: Sector mismatch

Path: Volume E:, Sector 54
Status: Sector mismatch

Path: Volume E:, Sector 56
Status: Sector mismatch

Path: Volume E:, Sector 57
Status: Sector mismatch

Path: Volume E:, Sector 61
Status: Sector mismatch

Path: Volume E:, Sector 62
Status: Sector mismatch

Path: Volume F:
Status: MBR Rootkit Detected!

Stealth Objects

Object: Hidden Module [Name: gasfkytexrepxm.dll]
Process: svchost.exe (PID: 932) Address: 0x10000000 Size: 53248

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82237680 Size: 2435

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x821693e0 Size: 10

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x822374b0 Size: 37

Object: Hidden Code [Driver: axwhisky, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8212fa70 Size: 1424

==EOF==

Well RootRepeal basically confirms avast’s detection, so I would run RootRepeal again and select the Files tab and Stealth Objects tab and click Scan. Once you have done that, find the entry for the gasfkytexrepxm.dll file and/or the Object: Hidden Module [Name: gasfkytexrepxm.dll], right click on the entry for it and select the Wipe File option.

I’m not too familiar with RootRepeal, so see http://www.malwarebytes.org/forums/index.php?showtopic=12709 for general information on running it. Also see http://forum.avast.com/index.php?topic=47511.msg401133#msg401133.

You should also update your OS, as SP3 has been out for over a year, so your system is more likely to be exploited.

I would also suggest a visit to this site, which scans your system for out of date programs that have patches to close vulnerabilities, http://secunia.com/software_inspector/.

I tried scanning via RootRepeal but it shows COULD NOT READ THE BOOT SECTOR. TRY ADJUSTING THE DISK ACCESS LEVEL IN THE OPTIONS DIALOG in the Files tab, even though I’ve set it to High Level,
and in Stealth Objects I can see the following entry:

Stealth Objects

Object: Hidden Module [Name: gasfkytexrepxm.dll]
Process: svchost.exe (PID: 956) Address: 0x10000000 Size: 53248

but I cannot WIPE or force delete it… as it gives an invalid path error.

Try SAS as I believe that also detects this file - SUPERantispyware On-Demand only in free version.

However one of the Alwil virus labs says this Win32:Alureon-CY [Rtk] can be very difficult to remove once established.

Rootrepeal is not showing the file that needs deleting. It shows there is a rootkit, which will be a sys file:

Hidden/Locked Files

Path: Volume C:
Status: MBR Rootkit Detected!

But it does not show the path. As well as trying SAS, try altering the settings in R.R.
According to their web page Q&A, they say if you suspect you have an MBR rootkit, set the level to the lowest level: http://rootrepeal.googlepages.com/

I believe these are the default settings anyway, so you could be out of luck.

The disk access level can be moved up as the default is Middle Level, and the Enable advanced options isn’t checked by default. So there may be some hope.

Did I mention that the following site is opened whenever I start Mozilla Firefox?
http://www( dot )thenewspedia( dot )com/index.php/components/

BTW, I think Malwarebytes has deleted the rootkit… avast isn’t detecting it anymore in the memory scan…

but the above mentioned site still opens >:(

see this first

if all the rootkit thing is gone… then,

reset mozilla to default settings, do this (see the Firefox Safe Mode subtopic)

then fix hosts file if it is infected. run this tool, it’ll fix it automatically, if the hosts file is infected.

update all the anti-malware, anti-virus apps you have (use mbam and avast!).

disconnect from the internet. do avast boot time, mbam full scan (post log if anything was found). you can skip this if you are sure your computer is free of malware.

read about opendns. if you want, you can use it.

get ccleaner from here, see this for setting the best config, run it.

get secunia from here run in simple mode and see what programs are vulnerable, fix them.

get spywareblaster from here update it and immunize your browsers.

turn off and on system restore :

Turn OFF System Restore.

* On the Desktop, right-click My Computer.
* Click Properties.
* Click the System Restore tab.
* Check Turn off System Restore.
* Click Apply, and then click OK.

Restart your computer.

Turn ON System Restore.

* On the Desktop, right-click My Computer.
* Click Properties.
* Click the System Restore tab.
* UN-Check Turn off System Restore.
* Click Apply, and then click OK.

System Restore will now be active again.

nmb

Well that link doesn’t look malicious, in fact it is incomplete as it gives a blank page as the link would normally be hXXp://wXw.thenewspedia.com/index.php/components/computers-and-the-internet. Does that ring any bells, have you ever visited that page or site ?

What is the firefox home page set to ?

If MBAM has removed what avast was finding, what is rootrepeal now showing ?

I have www(dot)orkut(dot)com as my home page.
The sites I mentioned are
http://www(dot)thenewspedia(dot)com/index.php/components/education
http://www(dot)thenewspedia(dot)com/index.php/components/jobs
http://www(dot)thenewspedia(dot)com/index.php/components/marketing
http://www(dot)thenewspedia(dot)com/index.php/components/family
http://www(dot)thenewspedia(dot)com/index.php/components/humor
http://www(dot)thenewspedia(dot)com/index.php/components/auto-and-trucks
http://www(dot)thenewspedia(dot)com/index.php/components/travel-and-leisure
etc
and there’s this site which opened just once
http://www(dot)mainstories(dot)com/index.php/travel-and-leisure

Rootrepeal does not show that rootkit now… but the following entries seem to be hooked…

ROOTREPEAL (c) AD, 2007-2009

Scan Start Time: 2009/09/20 10:14
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2

SSDT
#: 268 Function Name: NtVdmControl
Status: Hooked by “C:\WINDOWS\system32\ntoskrnl.exe” at address 0xedf846b8

#: 252 Function Name: NtStopProfile
Status: Hooked by “C:\WINDOWS\system32\ntoskrnl.exe” at address 0xedf84574

#: 227 Function Name: NtSetInformationObject
Status: Hooked by “C:\WINDOWS\system32\ntoskrnl.exe” at address 0xedf84a52

#: 224 Function Name: NtSetInformationFile
Status: Hooked by “C:\WINDOWS\system32\ntoskrnl.exe” at address 0xedf8414c

#: 171 Function Name: NtQuerySystemEnvironmentValue
Status: Hooked by “C:\WINDOWS\system32\ntoskrnl.exe” at address 0xedf8464e

#: 168 Function Name: NtQuerySecurityObject
Status: Hooked by “C:\WINDOWS\system32\ntoskrnl.exe” at address 0xedf8408c

#: 162 Function Name: NtQueryMutant
Status: Hooked by “C:\WINDOWS\system32\ntoskrnl.exe” at address 0xedf840f0

#: 110 Function Name: NtNotifyChangeDirectoryFile
Status: Hooked by “C:\WINDOWS\system32\ntoskrnl.exe” at address 0xedf8476e

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by “C:\WINDOWS\system32\ntoskrnl.exe” at address 0xedf8472e

#: 037 Function Name: NtCreateFile
Status: Hooked by “C:\WINDOWS\system32\ntoskrnl.exe” at address 0xedf848ae

Will it be safe to delete “C:\WINDOWS\system32\ntoskrnl.exe” … or is it a system file ??
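The two RootRepeal reports above (the first with its Hidden/Locked Files and Stealth Objects sections, the second with the SSDT hooks) are plain text that a helper has to read by eye. Here is an added example, not part of the thread and not RootRepeal’s own code, of a small Python triage parser for that layout; the function names are mine, the sample report is constructed from the sections quoted above, and the line shapes are assumed from those pastes.

```python
# Added example (not RootRepeal's own code): triage parser for RootRepeal
# text reports; the layout is inferred from the reports quoted in the thread.
import re
from collections import defaultdict

# Constructed sample in the thread's report layout (real reports list far more
# sectors).  Raw logs use straight quotes; the forum paste turned them curly.
SAMPLE_LOG = """\
Hidden/Locked Files
Path: Volume C:
Status: MBR Rootkit Detected!
Path: Volume C:, Sector 1
Status: Sector mismatch
Path: Volume C:, Sector 4
Status: Sector mismatch

Stealth Objects
Object: Hidden Module [Name: gasfkytexrepxm.dll]
Process: svchost.exe (PID: 932) Address: 0x10000000 Size: 53248

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82237680 Size: 2435

SSDT
#: 268 Function Name: NtVdmControl
Status: Hooked by "C:\\WINDOWS\\system32\\ntoskrnl.exe" at address 0xedf846b8
==EOF==
"""
SECTIONS = {"Drivers", "Hidden/Locked Files", "Stealth Objects", "SSDT"}


def parse_rootrepeal(text):
    """Each finding is one line plus the Status:/Process: line after it, so look one ahead."""
    out = {"mbr_volumes": [], "mismatches": defaultdict(int),
           "hidden_modules": [], "hidden_code": [], "ssdt_hooks": []}
    lines = [ln.strip() for ln in text.splitlines()]
    section = None
    for i, line in enumerate(lines):
        if line in SECTIONS:
            section = line
            continue
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if section == "Hidden/Locked Files":
            m = re.match(r"Path: Volume (\w:)(?:, Sector (\d+))?$", line)
            if m and m.group(2) is None and "MBR Rootkit Detected" in nxt:
                out["mbr_volumes"].append(m.group(1))       # whole-volume verdict
            elif m and "Sector mismatch" in nxt:
                out["mismatches"][m.group(1)] += 1           # per-sector evidence
        elif section == "Stealth Objects":
            m = re.match(r"Object: Hidden Module \[Name: (.+?)\]", line)
            p = re.match(r"Process: (\S+) \(PID: (\d+)\)", nxt)
            if m and p:   # DLL present in a process but hidden from its module list
                out["hidden_modules"].append((m.group(1), p.group(1), int(p.group(2))))
            c = re.match(r"Object: Hidden Code \[Driver: (\w+), (\w+)\]", line)
            if c:         # driver dispatch routine (IRP_MJ_*) patched with foreign code
                out["hidden_code"].append((c.group(1), c.group(2)))
        elif section == "SSDT":
            m = re.match(r"#: (\d+) Function Name: (\w+)", line)
            h = re.search(r'Hooked by ["\u201c](.+?)["\u201d] at address (0x[0-9a-fA-F]+)', nxt)
            if m and h:   # service table entry redirected; module named and target address
                out["ssdt_hooks"].append((m.group(2), h.group(1), int(h.group(2), 16)))
    out["mismatches"] = dict(out["mismatches"])
    return out
```

The result groups the evidence the thread’s helpers looked for by hand: which volumes carry the MBR verdict, how many sectors disagree with what the disk driver returns, which DLL is hidden inside which process, and which SSDT entries are hooked.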

It’s a system file.

As for your last post, I need you to download HiJackThis and post a log here.

Here you go…

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:59:36 AM, on 09/20/09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Avast Antivirus\aswUpdSv.exe
D:\Avast Antivirus\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
D:\Avast Antivirus\ashMaiSv.exe
D:\Avast Antivirus\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
D:\AVASTA~1\ashDisp.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\Resources\Themes\Vista_Anthracite\VistaStart\VistaStart1.3.exe
C:\Program Files\Sify Broadband\BBClient.exe
D:\Internet Download Manager\IDMan.exe
D:\Internet Download Manager\IEMonitor.exe
C:\Program Files\Sify Broadband\BBImpSec.exe
D:\Mozilla Firefox\firefox.exe
D:\Winamp\winamp.exe
D:\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sify.com
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - D:\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM..\Run: [avast!] D:\AVASTA~1\ashDisp.exe
O4 - HKLM..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM..\Run: [VistaStart1.3] C:\WINDOWS\Resources\Themes\Vista_Anthracite\VistaStart\VistaStart1.3.exe
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] “D:\Malwarebytes’ Anti-Malware\mbam.exe” /runcleanupscript
O4 - HKCU..\Run: [SifyBB] C:\Program Files\Sify Broadband\BBImpSec.exe
O4 - HKCU..\Run: [Broadband] C:\Program Files\Sify Broadband\BBClient.exe
O4 - HKCU..\Run: [IDMan] D:\Internet Download Manager\IDMan.exe /onboot
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Download all links with IDM - D:\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - D:\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - D:\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip..{B157D0D1-4CA7-4AA4-8DAF-6496243DE920}: NameServer = 202.144.115.4,202.144.66.6
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Avast Antivirus\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Avast Antivirus\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Avast Antivirus\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Avast Antivirus\ashWebSv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


End of file - 3850 bytes

Your system is well out of date as I said before and as such leaves you more vulnerable to attack, so you need to bring it up to date as a matter of urgency.

I don’t see anything obvious that would be causing the opening of the pages you listed.

Thanks to everyone who helped… :slight_smile:

I think that rootkit has been deleted at last…
but my system has become too slow over the last few days… especially the boot time…
I even uninstalled all the programs that were used to get rid of the rootkit… including MBAM, RootRepeal, HijackThis, CCleaner, Secunia, etc.

Is there anything that would suggest that my system is out of date, excluding SP2…
IE may be out of date but I don’t use it anyway.

THANKS AGAIN
:wink:

Oh, and BTW, the C:\WINDOWS\system32\ntoskrnl.exe still hooks many of the processes as mentioned earlier… how do I clean that??

Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Your system is well out of date, viper. You need to be up to date with Microsoft if you want to keep running Windows. To do otherwise you need to be an expert with Microsoft platforms.

Problem is you do run Windows. Once up to date, you can make steady progress to detect, identify, remove and protect against malware. But otherwise, it is all a bit of a lottery; you won’t know for sure how well you’re doing.