Finding Trace Elements of Rootkits - Help

June 27, 2011 at 19:34:31
Specs: Windows 7, Intel Core 2 Duo - 4GB RAM
Over the course of the last two weeks I have been sensing the telltale signs of rootkits. I have however been unsuccessful in pinpointing where it's at. I am no stranger to dealing with malware, but I'm lost on this. It is possible I am in fact wrong, and have no rootkit anymore, however after dealing extensively with them in the past I would rather nip it in the butt now if so. While I am no expert in malware, I am in the software industry and understand my way around the Windows environment.

I am using Windows 7 HP 64 bit
Intel Core 2 Duo 2.2Ghz
I have never posted on here; I'm not sure what info you need.

I have found some folders which are locked (which I can't reset in security options, something which has never happened to me on Win 7) along with changes in the general behavior of Windows (vague, I know). I have ripped through using just about every rootkit scanner I can find.

RegRun - suspicious HP drivers

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer,
Windows 6.1.7601

device: opened successfully
user: error reading MBR
error: Read The handle is invalid.
kernel: error reading MBR

TDSS Killer - locked/suspicious sptd.sys (located in the system32)

CatchME found
detected NTDLL code modification:
ZwEnumerateKey 0 != 47,
ZwQueryKey 0 != 19,
ZwOpenKey 0 != 15,
ZwClose 0 != 12,
ZwEnumerateValueKey 0 != 16,
ZwQueryValueKey 0 != 20,
ZwOpenFile 0 != 48,
ZwQueryDirectoryFile 0 != 50,
ZwQuerySystemInformation 0 != 51
Initialization error

Sophos found hidden files in

C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Log\ERRORLOG.6
C:\Program Files (x86)\uTorrent\uTorrent.exe
C:\Program Files (x86)\Alcohol Soft\Alcohol 120\AxDTA.exe
C:\Program Files\MATLAB\R2010a\bin\win64\osg55-osgUtil.dll
T:\Dropbox\Public\Huberts Hosted Softwares\RegRun Reanimator\GWebUpdate.exe\

low orbit ion cannon - easy DDOS tool
hacker defender - easy rootkit
stoned bootkit

I will stop here until further action is requested.
I have my Hijack this log and anything else needed.

In advance thanks for everything.


June 27, 2011 at 19:55:27
Have you tried Prevx 3.0? This will scan for rootkits for free. Here's a link to download it:

If Prevx freezes at "Analyzing the Master boot record" then you have a TDSS rootkit and your MBR is corrupt. So you would need to run recovery console using your Windows CD and run the Fixmbr command.

If you have any questions, please let me know. Thanks.

Best Regards,
Embraced Support

June 27, 2011 at 20:07:00

Try the following:

Download aswMBR:
Save to your Desktop.

Double click the aswMBR.exe icon to run it
Click the Scan button to start the scan

Upon completion of the scan, click the Save Log button

>>Save the aswMBR log to your Desktop, and post it in your reply.<<

Next, download ComboFix:

Save to your Desktop
Double-click ComboFix.exe to run the program

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your Desktop, and if interrupted may leave your Desktop disabled. If this occurs, please reboot to restore the Desktop.

When the scan completes, and it may take a while, a text window with the CF log opens on your Desktop. The CF log is also found at C:\ComboFix.txt

>>Please post this log in your reply so I can analyze it and let you know what to do next.<<

However, because of the potential size of this report, please upload ComboFix.txt to the Uploading website:

In: Select files to upload, click 'Browse', and 'Look in' the Desktop.
Select the ComboFix.txt file, and click: 'Open'

You will see the following:
Your file has been uploaded successfully: (Name and size of the file)

Copy the 'Download link' provided, and post it in your reply.

Retired - Doin' Dis, Dat, and slapping malware.

June 27, 2011 at 21:18:51
THANKS much for the quick replies. I figured it was a TDSS, spent the last days researching them. I will try these options when I get home and post whether things work.


June 27, 2011 at 22:03:02
The aswMBR is a diagnostic tool.

ComboFix will do the fixing, but may require further action. For that reason, I will need to look at its log.

Will look for your reply...

Retired - Doin' Dis, Dat, and slapping malware.

June 28, 2011 at 13:20:07

Prevx did not stall on reading the MBR.
The aswMBR log is as follows:

aswMBR version Copyright(c) 2011 AVAST Software
Run date: 2011-06-27 23:28:32
23:28:32.760 OS Version: Windows x64 6.1.7601 Service Pack 1
23:28:32.760 Number of processors: 2 586 0x170A
23:28:32.761 ComputerName: HUBERT-HIMSELF UserName: Hubert
23:28:35.559 Initialize success
23:29:18.446 AVAST engine defs: 11062701
23:29:41.602 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
23:29:41.607 Disk 0 Vendor: SAMSUNG_ 2AC1 Size: 476940MB BusType: 3
23:29:41.613 Disk 1 \Device\Harddisk1\DR1 -> \Device\00000083
23:29:41.617 Disk 1 Vendor: RICOH 02 Size: 476940MB BusType: 0
23:29:41.623 Disk 2 \Device\Harddisk2\DR2 -> \Device\00000084
23:29:41.628 Disk 2 Vendor: RICOH 02 Size: 476940MB BusType: 0
23:29:41.634 Disk 0 MBR read error 0
23:29:41.638 Disk 0 MBR scan
23:29:41.642 Disk 0 unknown MBR code
23:29:41.645 MBR BIOS signature not found 0
23:29:41.649 Service scanning
23:29:42.947 Disk 0 trace - called modules:
23:29:42.967 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys iaStor.sys spsh.sys hal.dll
23:29:43.306 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004cf6320]
23:29:43.315 3 CLASSPNP.SYS[fffff88001f9543f] -> nt!IofCallDriver -> [0xfffffa8004b009f0]
23:29:43.324 5 ACPI.sys[fffff8800103b7a1] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8004b05050]
23:29:45.749 AVAST engine scan C:\Windows
00:35:43.002 AVAST engine scan C:\Users\Hubert
00:48:21.939 AVAST engine scan C:\ProgramData
01:07:30.966 Scan finished successfully
09:00:43.046 Disk 0 MBR has been saved successfully to "C:\Users\Hubert\Desktop\MBR.dat"
09:00:43.051 The log file has been saved successfully to "C:\Users\Hubert\Desktop\aswMBR.txt"

I have not yet run ComboFix, as I'm at work.
Thanks much for the help

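As an added example (not from the thread, and not aswMBR's own code), a small Python triage script that pulls the MBR-related indicators out of aswMBR log text like the one above and checks the MBR.dat image the tool saved for the 0x55AA boot signature and a sane partition table. The EXPECTED_MODULES set is an assumption about a clean Windows 7 x64 disk I/O chain, and the log lines and MBR bytes are constructed samples modelled on the log quoted in the thread.

```python
import re
import struct

# Constructed sample, modelled on the aswMBR lines quoted in the thread.
SAMPLE_LOG = """\
23:29:41.634 Disk 0 MBR read error 0
23:29:41.638 Disk 0 MBR scan
23:29:41.642 Disk 0 unknown MBR code
23:29:41.645 MBR BIOS signature not found 0
23:29:42.947 Disk 0 trace - called modules:
23:29:42.967 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys iaStor.sys spsh.sys hal.dll
"""

# Assumption: modules normally present in a clean Windows 7 x64 disk I/O chain on an
# Intel AHCI/RAID box. Anything else is flagged for review, not declared malicious.
EXPECTED_MODULES = {"ntoskrnl.exe", "hal.dll", "CLASSPNP.SYS", "disk.sys", "partmgr.sys",
                    "ACPI.sys", "iaStor.sys", "storport.sys", "pciide.sys", "PCIIDEX.SYS",
                    "atapi.sys", "ataport.SYS", "msahci.sys", "volmgr.sys"}
TIMESTAMP = re.compile(r"^\d\d:\d\d:\d\d\.\d+\s+")

def triage_log(text):
    """Extract the MBR-related indicators and unexpected I/O-chain modules from aswMBR log text."""
    findings = {"mbr_read_error": False, "unknown_mbr_code": False,
                "no_boot_signature": False, "unexpected_modules": []}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        body = TIMESTAMP.sub("", line)            # drop the leading timestamp
        if "MBR read error" in body:
            findings["mbr_read_error"] = True
        elif "unknown MBR code" in body:
            findings["unknown_mbr_code"] = True
        elif "MBR BIOS signature not found" in body:
            findings["no_boot_signature"] = True
        elif body.endswith("called modules:") and i + 1 < len(lines):
            modules = TIMESTAMP.sub("", lines[i + 1]).split()   # module list is on the next line
            findings["unexpected_modules"] = [m for m in modules if m not in EXPECTED_MODULES]
    return findings

def check_mbr_image(mbr):
    """Check a 512-byte MBR dump (e.g. aswMBR's saved MBR.dat): boot signature and partition entries."""
    if len(mbr) != 512:
        raise ValueError("MBR image must be exactly 512 bytes")
    partitions = []
    for n in range(4):                             # four 16-byte entries start at offset 446
        entry = mbr[446 + 16 * n: 446 + 16 * (n + 1)]
        boot, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:                             # type 0 means an empty slot
            partitions.append({"index": n, "bootable": boot == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"signature_ok": mbr[510:512] == b"\x55\xaa", "partitions": partitions}

# Constructed MBR: zeroed boot code, one bootable NTFS (0x07) partition, valid signature.
SAMPLE_MBR = bytearray(512)
SAMPLE_MBR[446:462] = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 976773120 - 2048)
SAMPLE_MBR[510:512] = b"\x55\xaa"
```

A disk whose partition table parses but whose boot signature is missing, or a module in the I/O chain you cannot tie to an installed product (here spsh.sys, with Alcohol 120% present), is what to hand over together with the ComboFix log rather than act on alone.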
June 28, 2011 at 19:59:16
To keep them from interfering with the repairs, be sure to temporarily disable all AntiVirus/AntiSpyware software while these steps are being completed.

This can usually be done through right-clicking the software's Taskbar icons, or accessing each software through Start - Programs.

Some disabling tips, if needed:

Retired - Doin' Dis, Dat, and slapping malware.

