\Win 32: Alureon-Da[Rtk] Rootkit!

I started having trouble with the “Total Security” virus / Malware on 9/30/09.

I have a rootkit: \Win 32: Alureon-Da[Rtk] Rootkit.

On 9/30/09 I got the Total Security virus / Malware, with a Sea Blue Start Up Screen and message in Red.

I clicked on the Avast! 4.8 icon on my Start Up Screen; I got the siren, it says Malware found, but I cannot “move to chest”.

I then got this message:

Avast!

9/30/09

c:\windows\temp\dwolexvxmr.tmp

Parameter

X (i.e., box with check mark) Rename File(s) [adds the "vir" extension]

X Move files

(Empty box) Force moving locked or used file(s) on system startup

Folders to move the file to:

C:\Program Files\Alwil Software\Avast4\DATA\Moved

Message:

The process cannot access the file because it is being used by another process.

Cannot process “c:\windows\temp\gasfkydwolexvxmr.tmp” file.

So, instead, I closed the warning and proceeded to do a BootScan with Avast! 4.8; sorry, I don’t have the results of this.

I remember with the Avast! Bootscreen I moved something to chest with that, and that was the only result.

I went to my Start Screen, same damn Total Security Sea Blue Screen and Red message.

So, immediately after this on 9/30/09, I went into Windows Home Edition XP Safe Mode and used SuperAntiSpyware:

9/30/09

SuperAntiSpyware Scan

-9/30/09-16-23-olnotepad

File Threats detected: 6
Registry Items detected: 1

Total: 7

Adware.Tracking cookie [5 items]
Rogue.Agent/Gen [2 items]

Generated 09/30/09 at 4:23pm
Application version 4.29.1002

Core Rules Database Version:3937
Trace Rules Database version: 2055

Scantype: Complete Scan
Total Scan Time: 01:26:47

Memory Items scanned: 225
Memory Threats detected: 0

Registry Items scanned: 5496
Registry Items detected: 1

File Items scanned: 38625

File Threats detected: 6

Rogue.Agent/Gen HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN#11159214
C:\Documents and Settings\All Users\Application Data\11159214

Adware.Tracking Cookie

C:\Documents and Settings\OZ\Cookies\Oz@atdmt[1].txt
C:\Documents and Settings\OZ\Cookies\Oz@doubleclick[1].txt
C:\Documents and Settings\OZ\Cookies\Oz@msnportal.112.2O7[1].txt
C:\Documents and Settings\user@ad.yieldmanager[2].txt
C:\Documents and Settings\user@revsci[1].txt

All removed and deleted; this got rid of the “Total Security” Blue Screen and Red message; the computer basically works fine as far as surfing the internet is concerned.

The next day, on 10/1/09, I used Malwarebytes.

Malwarebytes’ Anti-Malware

10/1/09 2:16:45 PM
mbam-log-2009-10-01 (14-16-45).txt
2 hours 4 min 3 seconds
Full Scan: ACDEFGHI

Scan Type: Full Scan
Objects Scanned: 277807

Scan Results:

Vendor Category Items Other
Hijack.Shell Registry Data HKEY-Local-MACHINE\SOFTWARE\Micro Bad: Explorer.ex…

Action Taken
No action taken

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell)

(arrow) Bad: (Explorer.exe rund 1132.

Removed and deleted.

On 10/02/09, I tried using Avast! 4.8 Scanner Screen icon and got the siren and this message:

AVAST! 4.8

10/02/09

Memory is infected!

MALWARE WAS FOUND

File name: C:\Windows\System32\gasfkyalktqfuk.dll

Malware Name: \Win 32: Alureon-DA[Rtk]
MALWARE TYPE: Rootkit
VPS Version: 091001-0, 10/01/2009

Message: The process cannot access the file because it is being used by another process.

Cannot process “C:\Windows\System32\gasfkyalktqfuk.dll” file

On 10/02/09, I did an Avast! 4.8 bootscan

Full Scan ACDEFGHI

Bootscan Results:

Name of File Result Operat

Disk C: Boot Record Unable to scan: N… (blank space)

Disk D: Boot Record Unable to Scan: N… (blank space)

Disk 0 Master Boot Record Unable to Scan: T… (blank space)

On 10/02/2009, I also did another MalwareBytes Full Scan in Windows Safety Mode:

mbam-log-2009-10-02 (11-34-03)

Full Scan: ABCDEFGHI

Objects Scanned 278966

Time elapsed 2hrs 5 min 1 sec

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

I am still getting the Avast! Malware siren and message.

I have read some of the other threads; I tried downloading RootRepeal.

I ran it and a winrar type box appears; I extracted the program to a folder in My Documents; however, I have not been able to get RootRepeal to run and work.

What should I do now??

How do I get rid of the rootkit??

Thanks.
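Added here as an editor’s example, not code from the poster or from Avast!, SuperAntiSpyware or Malwarebytes: the two persistence findings in the logs above (the Winlogon Shell value that Malwarebytes flagged as Hijack.Shell, and the all-digit Run entry under All Users\Application Data that SuperAntiSpyware flagged) can be re-checked with a small script. The two checks are pure functions so they can be run on pasted values; the live-registry reader uses the standard-library winreg module and only works on Windows. Every sample value in the block is constructed, not taken from the thread, except the Run value name 11159214 which appears in the log above.

```python
"""Re-check the two persistence findings from the logs above.

Editor's example, not code from the thread or from Avast, SuperAntiSpyware
or Malwarebytes. Two checks a responder would run on a machine like this:

  1. Winlogon\\Shell must be Explorer.exe and nothing else; anything
     appended to it is started at every logon (the "Hijack.Shell" finding).
  2. HKLM\\...\\Run values whose name is all digits, or whose command
     lives under a data or temp directory (the "Rogue.Agent/Gen" finding).

Reading the live registry only works on Windows, so the checks are pure
functions that can also be run on pasted values.
"""
import re
import sys
from typing import Dict, List, Optional, Tuple

EXPECTED_SHELL = "explorer.exe"
DATA_DIR_RE = re.compile(r"\\(application data|appdata|temp)\\", re.IGNORECASE)

# Constructed sample values (placeholders, not values taken from the thread,
# apart from the Run value name 11159214 which the SAS log above reports).
SAMPLE_SHELL_CLEAN = "Explorer.exe"
SAMPLE_SHELL_BAD = "Explorer.exe C:\\sample\\payload.exe"
SAMPLE_RUN: Dict[str, str] = {
    "avast!": "\"C:\\Program Files\\Alwil Software\\Avast4\\ashDisp.exe\"",
    "11159214": "C:\\Documents and Settings\\All Users\\Application Data\\11159214\\sample.exe",
}


def shell_extras(value: str) -> List[str]:
    """Return every token in a Winlogon Shell value other than Explorer.exe.

    An empty list means the value is clean. Winlogon accepts a list of
    programs separated by commas or whitespace, so both are split on.
    """
    tokens = [t.strip('"') for t in re.split(r"[\s,]+", value.strip()) if t]
    if not tokens:
        return ["<empty>"]
    first = tokens[0].lower()
    if first != EXPECTED_SHELL and not first.endswith("\\" + EXPECTED_SHELL):
        return tokens  # Explorer is not even first: the whole value is suspect
    return tokens[1:]  # anything after Explorer is an extra program


def suspicious_run_entries(entries: Dict[str, str]) -> List[str]:
    """Names of Run-key values matching the pattern seen in the SAS log."""
    return [name for name, cmd in entries.items()
            if name.isdigit() or DATA_DIR_RE.search(cmd)]


def read_live_values() -> Optional[Tuple[str, Dict[str, str]]]:
    """Read Winlogon\\Shell and the HKLM Run values; Windows only."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library, available on Windows only
    hklm = winreg.HKEY_LOCAL_MACHINE
    with winreg.OpenKey(hklm, r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon") as key:
        shell, _ = winreg.QueryValueEx(key, "Shell")
    run: Dict[str, str] = {}
    with winreg.OpenKey(hklm, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run") as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # EnumValue raises OSError once the values are exhausted
                break
            run[name] = str(data)
            index += 1
    return str(shell), run


def triage(shell: str, run: Dict[str, str]) -> Dict[str, List[str]]:
    """Combine both checks into one report; empty lists mean nothing found."""
    return {"shell_extras": shell_extras(shell),
            "suspicious_run": suspicious_run_entries(run)}


if __name__ == "__main__":
    live = read_live_values()
    shell, run = live if live else (SAMPLE_SHELL_BAD, SAMPLE_RUN)
    for check, hits in triage(shell, run).items():
        print(check, hits or "clean")
```

Run on a Windows box it reads the live values; anywhere else it falls back to the constructed samples so the logic can still be exercised. A clean machine gives empty lists for both checks.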

Hi there, try RootRepeal.

OK, I am using the RootRepeal.

I went RootRepeal>Settings> Options, and set Disk Access Level to High.

I then pressed Scan in lower left hand corner.

Now I have a list of about 60 or so items.

What should I do now???

Should I Wipe, Copy, Delete?? Delete Registry Key?? or, Kernel-mode Callbacks??

For each item, RootRepeal gives me Name, Image Path, Address, and Size.

I don’t really see one called \Win 32: Alureon-Da[Rtk]

Should RootRepeal be run in Windows Safe Mode?? I did not run it in Windows Safe Mode.

I only did a Driver Scan.

Run the driver scan again and when the scan is finished, click on “save report”. Save it somewhere where you can find it easily. Then attach the log to the forum.

OK, I ran this RootRepeal Driver Scan on the Special Level, Disk Access Level because they said you should use the default level which is Low Level, but I could not run Low Level.

This is the Scan Result:

ROOTREPEAL (c) AD, 2007-2009

Scan Start Time: 2009/10/03 15:53
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3

Drivers

Name: 1394BUS.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\1394BUS.SYS
Address: 0xBA8C8000 Size: 57344 File Visible: - Signed: -
Status: -

Name: Aavmker4.SYS
Image Path: C:\WINDOWS\System32\Drivers\Aavmker4.SYS
Address: 0xA8DD8000 Size: 19072 File Visible: - Signed: -
Status: -

Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xBA779000 Size: 187776 File Visible: - Signed: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2150400 File Visible: - Signed: -
Status: -

Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xAD0F4000 Size: 138496 File Visible: - Signed: -
Status: -

Name: AGRSM.sys
Image Path: C:\WINDOWS\system32\DRIVERS\AGRSM.sys
Address: 0xB8981000 Size: 1149888 File Visible: - Signed: -
Status: -

Name: arp1394.sys
Image Path: C:\WINDOWS\system32\DRIVERS\arp1394.sys
Address: 0xA915D000 Size: 60800 File Visible: - Signed: -
Status: -

Name: ASACPI.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ASACPI.sys
Address: 0xBADF4000 Size: 5152 File Visible: - Signed: -
Status: -

Name: aswFsBlk.sys
Image Path: C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys
Address: 0xA8DA0000 Size: 32768 File Visible: - Signed: -
Status: -

Name: aswMon2.SYS
Image Path: C:\WINDOWS\System32\Drivers\aswMon2.SYS
Address: 0xA74DC000 Size: 87424 File Visible: - Signed: -
Status: -

Name: aswRdr.SYS
Image Path: C:\WINDOWS\System32\Drivers\aswRdr.SYS
Address: 0xA673E000 Size: 15136 File Visible: - Signed: -
Status: -

Name: aswSP.SYS
Image Path: C:\WINDOWS\System32\Drivers\aswSP.SYS
Address: 0xA805F000 Size: 135168 File Visible: - Signed: -
Status: -

Name: aswTdi.SYS
Image Path: C:\WINDOWS\System32\Drivers\aswTdi.SYS
Address: 0xB2261000 Size: 41664 File Visible: - Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xBA731000 Size: 96512 File Visible: - Signed: -
Status: -

Name: ATMFD.DLL
Image Path: C:\WINDOWS\System32\ATMFD.DLL
Address: 0xBFFA0000 Size: 286720 File Visible: - Signed: -
Status: -

Name: audstub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\audstub.sys
Address: 0xBAFAF000 Size: 3072 File Visible: - Signed: -
Status: -

Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xBAE4E000 Size: 4224 File Visible: - Signed: -
Status: -

Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xBACB8000 Size: 12288 File Visible: - Signed: -
Status: -

Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xA89DE000 Size: 63744 File Visible: - Signed: -
Status: -

Name: cdrom.sys
Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Address: 0xBA1E8000 Size: 62976 File Visible: - Signed: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Address: 0xBA918000 Size: 53248 File Visible: - Signed: -
Status: -

Name: ctoss2k.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ctoss2k.sys
Address: 0xB87C9000 Size: 204800 File Visible: - Signed: -
Status: -

Name: ctsfm2k.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ctsfm2k.sys
Address: 0xB87A2000 Size: 159744 File Visible: - Signed: -
Status: -

Name: ctusfsyn.sys
Image Path: C:\WINDOWS\system32\drivers\ctusfsyn.sys
Address: 0xA72C1000 Size: 162176 File Visible: - Signed: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xBA908000 Size: 36352 File Visible: - Signed: -
Status: -

Name: drmk.sys
Image Path: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xBA1C8000 Size: 61440 File Visible: - Signed: -
Status: -

Name: dump_nvata.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_nvata.sys
Address: 0xA8046000 Size: 102400 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBADB0000 Size: 8192 File Visible: No Signed: -
Status: -

Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xA9507000 Size: 12288 File Visible: - Signed: -
Status: -

Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF9C3000 Size: 73728 File Visible: - Signed: -
Status: -

Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xA8957000 Size: 4096 File Visible: - Signed: -
Status: -

Name: fdc.sys
Image Path: C:\WINDOWS\system32\DRIVERS\fdc.sys
Address: 0xBACB0000 Size: 27392 File Visible: - Signed: -
Status: -

Name: Fips.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xA914D000 Size: 44544 File Visible: - Signed: -
Status: -

Name: flpydisk.sys
Image Path: C:\WINDOWS\system32\DRIVERS\flpydisk.sys
Address: 0xB26BF000 Size: 20480 File Visible: - Signed: -
Status: -

Name: fltmgr.sys
Image Path: fltmgr.sys
Address: 0xBA6C7000 Size: 129792 File Visible: - Signed: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xBAE4C000 Size: 7936 File Visible: - Signed: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xBA749000 Size: 125056 File Visible: - Signed: -
Status: -

Name: GEARAspiWDM.sys
Image Path: C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys
Address: 0xBAB90000 Size: 21120 File Visible: - Signed: -
Status: -

Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806E4000 Size: 134400 File Visible: - Signed: -
Status: -

(Continued) Driver Scan report from RootRepeal:

Name: HDAudBus.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
Address: 0xB82A3000 Size: 163840 File Visible: - Signed: -
Status: -

Name: HTTP.sys
Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0xA63D6000 Size: 264832 File Visible: - Signed: -
Status: -

Name: i8042prt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Address: 0xBA208000 Size: 52480 File Visible: - Signed: -
Status: -

Name: imapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\imapi.sys
Address: 0xBA1F8000 Size: 42112 File Visible: - Signed: -
Status: -

(Continued) Driver Scan report from RootRepeal:

Name: intelppm.sys
Image Path: C:\WINDOWS\system32\DRIVERS\intelppm.sys
Address: 0xBA228000 Size: 36352 File Visible: - Signed: -
Status: -

Name: ipnat.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Address: 0xA814D000 Size: 152832 File Visible: - Signed: -
Status: -

Name: ipsec.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Address: 0xAD197000 Size: 75264 File Visible: - Signed: -
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xBA8A8000 Size: 37248 File Visible: - Signed: -
Status: -

(Continued) Driver Scan report from RootRepeal:

Name: JGOGO.sys
Image Path: JGOGO.sys
Address: 0xBADAC000 Size: 6912 File Visible: - Signed: -
Status: -

Name: jraid.sys
Image Path: jraid.sys
Address: 0xBA8F8000 Size: 43648 File Visible: - Signed: -
Status: -

Name: kbdclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Address: 0xBAB78000 Size: 24576 File Visible: - Signed: -
Status: -

(Continued) Driver Scan report from RootRepeal:

Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xBADA8000 Size: 8192 File Visible: - Signed: -
Status: -

Name: kmixer.sys
Image Path: C:\WINDOWS\system32\drivers\kmixer.sys
Address: 0xA5E6C000 Size: 172416 File Visible: - Signed: -
Status: -

Name: ks.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ks.sys
Address: 0xB8A9A000 Size: 143360 File Visible: - Signed: -
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xBA69E000 Size: 92288 File Visible: - Signed: -
Status: -

Name: LVPr2Mon.sys
Image Path: C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys
Address: 0xBACA0000 Size: 18944 File Visible: - Signed: -
Status: -

Name: mfehidk.sys
Image Path: C:\WINDOWS\system32\drivers\mfehidk.sys
Address: 0xA8080000 Size: 200928 File Visible: - Signed: -
Status: -

Name: mnmdd.SYS
Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xBAE50000 Size: 4224 File Visible: - Signed: -
Status: -

Name: Modem.SYS
Image Path: C:\WINDOWS\System32\Drivers\Modem.SYS
Address: 0xBAB98000 Size: 30080 File Visible: - Signed: -
Status: -

Name: mouclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Address: 0xBAB50000 Size: 23040 File Visible: - Signed: -
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xBA8D8000 Size: 42368 File Visible: - Signed: -
Status: -

Name: mrxdav.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Address: 0xA6EDE000 Size: 180608 File Visible: - Signed: -
Status: -

Name: mrxsmb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Address: 0xA80B2000 Size: 455296 File Visible: - Signed: -
Status: -

Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xB1EB3000 Size: 19072 File Visible: - Signed: -
Status: -

(Continued) Driver Scan report from RootRepeal:

Name: msgpc.sys
Image Path: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Address: 0xB9143000 Size: 35072 File Visible: - Signed: -
Status: -

Name: mssmbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Address: 0xBAD48000 Size: 15488 File Visible: - Signed: -
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xBA5B9000 Size: 105344 File Visible: - Signed: -
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xBA5E4000 Size: 182656 File Visible: - Signed: -
Status: -

Name: ndistapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Address: 0xB9EF7000 Size: 10112 File Visible: - Signed: -
Status: -

Name: ndisuio.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Address: 0xB9F07000 Size: 14592 File Visible: - Signed: -
Status: -

Name: ndiswan.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Address: 0xB820A000 Size: 91520 File Visible: - Signed: -
Status: -

Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xB25C1000 Size: 40576 File Visible: - Signed: -
Status: -

Name: netbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbios.sys
Address: 0xB2251000 Size: 34688 File Visible: - Signed: -
Status: -

Name: netbt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbt.sys
Address: 0xAD116000 Size: 162816 File Visible: - Signed: -
Status: -

Name: nic1394.sys
Image Path: C:\WINDOWS\system32\DRIVERS\nic1394.sys
Address: 0xBAAC8000 Size: 61824 File Visible: - Signed: -
Status: -

Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xB1EAB000 Size: 30848 File Visible: - Signed: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xBA611000 Size: 574976 File Visible: - Signed: -
Status: -

(Continued RootRepeal Driver Scan):

Name: ntkrnlpa.exe
Image Path: C:\WINDOWS\system32\ntkrnlpa.exe
Address: 0x804D7000 Size: 2150400 File Visible: - Signed: -
Status: -

Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xB1EF0000 Size: 2944 File Visible: - Signed: -
Status: -

Name: nv4_disp.dll
Image Path: C:\WINDOWS\System32\nv4_disp.dll
Address: 0xBF9D5000 Size: 6057984 File Visible: - Signed: -
Status: -

Name: nv4_mini.sys
Image Path: C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
Address: 0xB8B09000 Size: 6132576 File Visible: - Signed: -
Status: -

Name: nvata.sys
Image Path: nvata.sys
Address: 0xBA718000 Size: 100736 File Visible: - Signed: -
Status: -

Name: nvatabus.sys
Image Path: nvatabus.sys
Address: 0xBA6E7000 Size: 100736 File Visible: - Signed: -
Status: -

Name: NVENETFD.sys
Image Path: C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
Address: 0xB25D1000 Size: 34176 File Visible: - Signed: -
Status: -

Name: nvnetbus.sys
Image Path: C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
Address: 0xB9EFB000 Size: 13056 File Visible: - Signed: -
Status: -

Name: NVNRM.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\NVNRM.SYS
Address: 0xB8258000 Size: 307200 File Visible: - Signed: -
Status: -

Name: NVSNPU.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\NVSNPU.SYS
Address: 0xB8221000 Size: 225280 File Visible: - Signed: -
Status: -

Name: ohci1394.sys
Image Path: ohci1394.sys
Address: 0xBA8B8000 Size: 61696 File Visible: - Signed: -
Status: -

Name: P17xfi.sys
Image Path: C:\WINDOWS\system32\drivers\P17xfi.sys
Address: 0xB881F000 Size: 1449984 File Visible: - Signed: -
Status: -

Name: p17xfilt.sys
Image Path: C:\WINDOWS\system32\drivers\p17xfilt.sys
Address: 0xB82CB000 Size: 1659008 File Visible: - Signed: -
Status: -

Name: parport.sys
Image Path: C:\WINDOWS\system32\DRIVERS\parport.sys
Address: 0xB8AE1000 Size: 80128 File Visible: - Signed: -
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xBAB30000 Size: 19712 File Visible: - Signed: -
Status: -

Name: ParVdm.SYS
Image Path: C:\WINDOWS\System32\Drivers\ParVdm.SYS
Address: 0xBADBC000 Size: 6784 File Visible: - Signed: -
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xBA768000 Size: 68224 File Visible: - Signed: -
Status: -

Name: pciide.sys
Image Path: pciide.sys
Address: 0xBAE70000 Size: 3328 File Visible: - Signed: -
Status: -

Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Address: 0xBAB28000 Size: 28672 File Visible: - Signed: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2150400 File Visible: - Signed: -
Status: -

Name: portcls.sys
Image Path: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xB87FB000 Size: 147456 File Visible: - Signed: -
Status: -

Name: psched.sys
Image Path: C:\WINDOWS\system32\DRIVERS\psched.sys
Address: 0xB81F9000 Size: 69120 File Visible: - Signed: -
Status: -

Name: ptilink.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Address: 0xBAC68000 Size: 17792 File Visible: - Signed: -
Status: -

Name: PxHelp20.sys
Image Path: PxHelp20.sys
Address: 0xBA928000 Size: 36320 File Visible: - Signed: -
Status: -

Name: rasacd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Address: 0xB26F3000 Size: 8832 File Visible: - Signed: -
Status: -

Name: rasl2tp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Address: 0xB9173000 Size: 51328 File Visible: - Signed: -
Status: -

Name: raspppoe.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Address: 0xB9163000 Size: 41472 File Visible: - Signed: -
Status: -

Name: raspptp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Address: 0xB9153000 Size: 48384 File Visible: - Signed: -
Status: -

Name: raspti.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspti.sys
Address: 0xBAC70000 Size: 16512 File Visible: - Signed: -
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2150400 File Visible: - Signed: -
Status: -

Name: rdbss.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Address: 0xA8122000 Size: 175744 File Visible: - Signed: -
Status: -

Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xBAE52000 Size: 4224 File Visible: - Signed: -
Status: -

Name: redbook.sys
Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys
Address: 0xBA1D8000 Size: 57600 File Visible: - Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA6079000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SASDIFSV.SYS
Image Path: C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
Address: 0xA928E000 Size: 24576 File Visible: - Signed: -
Status: -

Name: SASENUM.SYS
Image Path: C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
Address: 0xB7B65000 Size: 20480 File Visible: - Signed: -
Status: -

Name: SASKUTIL.sys
Image Path: C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
Address: 0xAD0CF000 Size: 151552 File Visible: - Signed: -
Status: -

Name: SCSIPORT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\SCSIPORT.SYS
Address: 0xBA700000 Size: 98304 File Visible: - Signed: -
Status: -

Name: secdrv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\secdrv.sys
Address: 0xA6BA4000 Size: 40960 File Visible: - Signed: -
Status: -

Name: serenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\serenum.sys
Address: 0xB9EEF000 Size: 15744 File Visible: - Signed: -
Status: -

Name: serial.sys
Image Path: C:\WINDOWS\system32\DRIVERS\serial.sys
Address: 0xBA218000 Size: 64512 File Visible: - Signed: -
Status: -

Name: sfdrv01.sys
Image Path: sfdrv01.sys
Address: 0xBA5D3000 Size: 69632 File Visible: - Signed: -
Status: -

Name: sfhlp02.sys
Image Path: sfhlp02.sys
Address: 0xBAB40000 Size: 32768 File Visible: - Signed: -
Status: -

Name: sfsync02.sys
Image Path: sfsync02.sys
Address: 0xBAB38000 Size: 20544 File Visible: - Signed: -
Status: -

Name: sr.sys
Image Path: sr.sys
Address: 0xBA6B5000 Size: 73472 File Visible: - Signed: -
Status: -

Name: srv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\srv.sys
Address: 0xA6C5C000 Size: 333952 File Visible: - Signed: -
Status: -

Name: swenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys
Address: 0xBADF6000 Size: 4352 File Visible: - Signed: -
Status: -

Name: sysaudio.sys
Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xBAA58000 Size: 60800 File Visible: - Signed: -
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xAD13E000 Size: 361600 File Visible: - Signed: -
Status: -

Name: TDI.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Address: 0xBAC60000 Size: 20480 File Visible: - Signed: -
Status: -

Name: termdd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys
Address: 0xB9133000 Size: 40704 File Visible: - Signed: -
Status: -

Name: update.sys
Image Path: C:\WINDOWS\system32\DRIVERS\update.sys
Address: 0xB819B000 Size: 384768 File Visible: - Signed: -
Status: -

Name: USBD.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Address: 0xBADE6000 Size: 8192 File Visible: - Signed: -
Status: -

Name: usbehci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xBAB88000 Size: 30208 File Visible: - Signed: -
Status: -

Name: usbhub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Address: 0xB2591000 Size: 59520 File Visible: - Signed: -
Status: -

Name: usbohci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbohci.sys
Address: 0xBAB80000 Size: 17152 File Visible: - Signed: -
Status: -

Name: USBPORT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Address: 0xB8ABD000 Size: 147456 File Visible: - Signed: -
Status: -

Name: USBSTOR.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Address: 0xB1EBB000 Size: 26368 File Visible: - Signed: -
Status: -

Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xB26AF000 Size: 20992 File Visible: - Signed: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Address: 0xB8AF5000 Size: 81920 File Visible: - Signed: -
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xBA8E8000 Size: 52352 File Visible: - Signed: -
Status: -

Name: wanarp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Address: 0xA916D000 Size: 34560 File Visible: - Signed: -
Status: -

Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xA8DC8000 Size: 20480 File Visible: - Signed: -
Status: -

Name: wdmaud.sys
Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xA7337000 Size: 83072 File Visible: - Signed: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: WMILIB.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS
Address: 0xBADAA000 Size: 8192 File Visible: - Signed: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2150400 File Visible: - Signed: -
Status: -

Now what should I do??

Do I need to do a Files Scan also??
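Added here as an editor’s example, not part of the thread and not RootRepeal’s own code: the driver report above has a regular record format (Name / Image Path / Address, Size, File Visible, Signed / Status), so it can be parsed and triaged rather than read through by hand. The block below flags the records a responder would look at first: File Visible: No (this example assumes the dump_*.sys crash-dump copies and RootRepeal’s own rootrepeal.sys are expected to show that), a drive-letter image path outside C:\WINDOWS or C:\Program Files, and any Status other than “-”. SAMPLE_REPORT is constructed in that format; the driver names it flags (sampledrv.sys, otherdrv.sys) and the status text are placeholders, not findings from the thread.

```python
"""Triage a RootRepeal "Drivers" report like the one posted above.

Editor's example, not from the thread and not RootRepeal's own code. It parses
the record format shown in the post (Name / Image Path / Address, Size, File
Visible, Signed / Status) and flags what a responder would look at first:
File Visible: No (except dump_*.sys crash-dump copies and RootRepeal's own
driver, which this example assumes are expected to have no file of that name),
a drive-letter image path outside C:\\WINDOWS or C:\\Program Files, and any
Status other than "-". SAMPLE_REPORT is constructed in that format; its
flagged driver names and status text are placeholders, not thread findings.
"""
import re
from typing import Dict, List

RECORD_RE = re.compile(
    r"Name:[ \t]*(?P<name>\S.*?)[ \t]*\n"
    r"Image Path:[ \t]*(?P<path>.*?)[ \t]*\n"
    r"Address:\s*(?P<addr>0x[0-9A-Fa-f]+)\s+Size:\s*(?P<size>\d+)\s+"
    r"File Visible:\s*(?P<visible>\S+)\s+Signed:\s*(?P<signed>\S+)[ \t]*\n"
    r"Status:[ \t]*(?P<status>.*?)[ \t]*(?:\n|$)"
)
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\")
DRIVE_PATH_RE = re.compile(r"^[a-z]:\\")

# Constructed sample in the posted format; the last two drivers are placeholders.
SAMPLE_REPORT = """ROOTREPEAL (c) AD, 2007-2009
Scan Start Time: 2009/10/03 15:53
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3

Drivers

Name: atapi.sys
Image Path: atapi.sys
Address: 0xBA731000 Size: 96512 File Visible: - Signed: -
Status: -

Name: ACPI_HAL
Image Path: \\Driver\\ACPI_HAL
Address: 0x804D7000 Size: 2150400 File Visible: - Signed: -
Status: -

Name: dump_nvata.sys
Image Path: C:\\WINDOWS\\System32\\Drivers\\dump_nvata.sys
Address: 0xA8046000 Size: 102400 File Visible: No Signed: -
Status: -

Name: sampledrv.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\sampledrv.sys
Address: 0xA6000000 Size: 40960 File Visible: No Signed: -
Status: Hidden from Windows API!

Name: otherdrv.sys
Image Path: C:\\Documents and Settings\\All Users\\Application Data\\otherdrv.sys
Address: 0xA5000000 Size: 8192 File Visible: - Signed: -
Status: -
"""


def parse_report(text: str) -> List[Dict[str, object]]:
    """Parse every driver record in a RootRepeal report into a dict."""
    return [{
        "name": m.group("name"),
        "path": m.group("path"),
        "address": int(m.group("addr"), 16),
        "size": int(m.group("size")),
        "visible": m.group("visible"),  # "-" in the posted report; "No" for hidden
        "signed": m.group("signed"),
        "status": m.group("status"),
    } for m in RECORD_RE.finditer(text)]


def expected_hidden(name: str) -> bool:
    """Drivers this example assumes normally show File Visible: No."""
    lowered = name.lower()
    return lowered.startswith("dump_") or lowered == "rootrepeal.sys"


def flag_records(records: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Return {driver name: [reasons]} for records worth a closer look."""
    flagged: Dict[str, List[str]] = {}
    for rec in records:
        reasons = []
        path = str(rec["path"]).lower()
        if str(rec["visible"]).lower() == "no" and not expected_hidden(str(rec["name"])):
            reasons.append("no file visible on disk")
        # Kernel object paths such as \Driver\ACPI_HAL carry no drive letter; skip them.
        if DRIVE_PATH_RE.match(path) and not path.startswith(TRUSTED_DIRS):
            reasons.append("image outside Windows/Program Files")
        if rec["status"] != "-":
            reasons.append("status: " + str(rec["status"]))
        if reasons:
            flagged[str(rec["name"])] = reasons
    return flagged


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    print(f"{len(recs)} drivers parsed")
    for name, reasons in flag_records(recs).items():
        print(name, "->", "; ".join(reasons))
```

To use it on a saved RootRepeal log, pass the file’s contents to parse_report instead of SAMPLE_REPORT; a report in which nothing is flagged, as in the one posted above, gives an empty dict.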

Oops. Somehow, I gave you the wrong instruction in the first post. :o Please do the following:

Open rootrepeal and go to the
http://billy-oneal.com/forums/rootRepeal/reportTab.png
tab
Then click on the “scan” button.
In the select scan dialog, check the following:

http://i35.tinypic.com/2ps3wh4.png

Click on ok.
Check the box for the C drive and let rootrepeal scan. The scan may take some time.
After the scan is done, click on “save report” and post the log on the forum.

OK, I am having big trouble getting RootRepeal to run, and I am following the instructions in the above post.

I have RootRepeal in a folder in my Windows Documents section; that is where I run the program from.

I have RootRepeal version 1.3.5.0

Its icon is a blue colored magnifying glass.

There is a DAT File next to the magnifying glass.

OK, I click on the magnifying glass icon, and then a dialog box appears.

One says:

“Could not read the boot sector. Try adjusting the Disk Access Level in the Options dialog” with an option in same said dialog box that says “OK”.

At the same time, there is another box which says “Initializing please wait.”

Well, nothing really happens unless I try to close the dialog box with the message about the Disk Access Level.

This takes several attempts to close, and the dialog box does not close immediately if I either press “OK” or try to close the box with the computer Mouse.

However, if I try and close it several times with the Mouse, the dialog and initializing boxes soon disappear.

Then, the RootRepeal Screen appears.

I then go to Settings tab > Options; I have tried adjusting and running RootRepeal on the Low, Mid, and High Level Disk Access Levels.

Then I go to the Reports tab, and follow the instructions given in the above post.

Then, after following your instructions, the same thing happens each time.

A message in the RootRepeal box appears which says "Initializing, please wait . . . . " and I can see in the lower left hand corner the word "Scanning . . . ".

But nothing happens.

In fact, the computer screen freezes up; I noticed the time at the bottom of the computer screen (where the START button bar runs across the screen) froze at the time I started the RootRepeal Scan.

So, even though I waited 20 minutes and it was 3:20PM, the time on my computer still said 3:00PM.

What am I doing wrong??

How can I get RootRepeal to work???

Try deleting the version of rootrepeal that you have and download it again
http://rootrepeal.psikotick.com/RootRepeal.zip

I actually had downloaded RootRepeal twice in two separate folders.

I deleted one, and downloaded the new version at the link you provided, but forgot to reboot the system when I deleted the original. Realizing this, I think I then rebooted.

Then I deleted and rebooted for the other; then I deleted and rebooted the new version from the link; then I downloaded RootRepeal again.

Unfortunately, the same thing is happening and I am still getting the exact same message and RootRepeal doesn’t seem to want to work and the exact same thing is happening:

OK, I click on the magnifying glass icon, and then a dialog box appears.

One says:

“Could not read the boot sector. Try adjusting the Disk Access Level in the Options dialog” with an option in same said dialog box that says “OK”.

At the same time, there is another box which says “Initializing please wait.”

Well, nothing really happens unless I try to close the dialog box with the message about the Disk Access Level.

This takes several attempts to close, and the dialog box does not close immediately if I either press “OK” or try to close the box with the computer Mouse.

However, if I try and close it several times with the Mouse, the dialog and initializing boxes soon disappear.

Then, the RootRepeal Screen appears.

I then go to Settings tab > Options; I have tried adjusting and running RootRepeal on the Low, Mid, and High Level Disk Access Levels.

Then I go to the Reports tab, and follow the instructions given in the above post.

Then, after following your instructions, the same thing happens each time.

A message in the RootRepeal box appears which says "Initializing, please wait . . . . " and I can see in the lower left hand corner the word "Scanning . . . ".

But nothing happens.

In fact, the computer screen freezes up.

I don’t know why RootRepeal doesn’t work; I have also tried running RootRepeal in Safety Mode, and the exact same thing happens.

Is perhaps Avast! 4.8 not allowing it to run?? Does Avast! 4.8 run a firewall that blocks programs like RootRepeal from working???

The RootRepeal program seems like a very basic type of computer program.

Should I have RootRepeal’s Disk Access Level set at a certain level??

I always get the “Could not read boot sector etc.” dialog box whenever I double-click on the RootRepeal icon and try to get it started.

I have Windows Home Edition XP.

The only anti-virus programs I currently have are Avast! 4.8, SuperAnti-Spyware Free Edition, and Malwarebytes’ Anti-Malware.

Besides RootRepeal, are there any other anti-rootkit programs I could try running???

How bad is having this Rootkit on one’s computer??

Should I no longer work on this computer?? I have been still using the computer but not a lot.

It seems to run fine, and there isn’t a whole lot of spyware websites popping up.

But obviously I want to get rid of the rootkit.

Also, this is the message I now receive from Avast! 4.8 when I click on the Avast! blue ball icon on my computer’s Start Screen.

It is slightly different from the message a few days ago in the OP:

Malware Was Found

File Name: c:\windows\temp\gaskyuwapntsetf.tmp

Malware Name: Win32: Alureon-DA[Rtk]

Malware Type: Rootkit

VPS Version: 091006-0, 10/06/2009

I cannot move the Rootkit to chest.

When I close up Avast!, an Avast! box appears with this message:

“avast! has detected a virus in the operating memory. Since it is very dangerous to work with the computer while the virus is active”, Avast! recommends a BootScan.

I have run the BootScan before, and that doesn’t detect the Rootkit and takes a lot of time, so I didn’t run the BootScan again.

Sorry, can’t seem to delete this post.


Download combofix from Here or Here and save it to your DESKTOP

Disable any antivirus and anti-spyware applications before running combofix.
Double click on combofix.exe and if combofix asks you to install the Microsoft Windows Recovery Console, click on “yes”

http://img.photobucket.com/albums/v706/ried7/RC1.png

After the recovery console is installed,you should see the following message

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on yes to continue scanning for malware.

The scan will take at least 20 to 30 minutes to complete. Please don’t touch your keyboard or click on the combofix window while it is scanning. Doing so might cause it to stall.
After the scan is finished, please post the log file. It should be in C:\ComboFix.txt

How do I disable Avast! 4.8 scanner???

I thought Avast! 4.8 always runs and cannot be disabled.

Do I have to uninstall Avast! 4.8 in order to run ComboFix???

I looked at the Avast! Help section (FAQ, etc.); I found no answers.

Right click the ‘a’ blue icon and choose the last option to stop the resident protection.

No.