Hello, I have essentially the same problem; in addition, I cannot get RootRepeal to work. Below is my GMER log:
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-29 20:54:54
Windows 6.0.6002 Service Pack 2
---- System - GMER 1.0.15 ----
SSDT 884DF048 ZwAlertResumeThread
SSDT 884CA048 ZwAlertThread
SSDT 88373D30 ZwAllocateVirtualMemory
SSDT 8793D8B8 ZwAlpcConnectPort
SSDT 883D2048 ZwAssignProcessToJobObject
SSDT 88413CC0 ZwCreateMutant
SSDT 884E0C78 ZwCreateSymbolicLinkObject
SSDT 884DBAD0 ZwCreateThread
SSDT 88374048 ZwDebugActiveProcess
SSDT 883720D0 ZwDuplicateObject
SSDT 88374F40 ZwFreeVirtualMemory
SSDT 88465048 ZwImpersonateAnonymousToken
SSDT 8842F390 ZwImpersonateThread
SSDT 87833578 ZwLoadDriver
SSDT 88374D60 ZwMapViewOfSection
SSDT 8846C048 ZwOpenEvent
SSDT 883723B0 ZwOpenProcess
SSDT 87946D98 ZwOpenProcessToken
SSDT 87950B60 ZwOpenSection
SSDT 883721E0 ZwOpenThread
SSDT 8843E008 ZwProtectVirtualMemory
SSDT 878E2138 ZwResumeThread
SSDT 87998118 ZwSetContextThread
SSDT 883749C8 ZwSetInformationProcess
SSDT 88365048 ZwSetSystemInformation
SSDT 88488460 ZwSuspendProcess
SSDT 884BC048 ZwSuspendThread
SSDT 87914AD8 ZwTerminateProcess
SSDT 8795B068 ZwTerminateThread
SSDT 878DD380 ZwUnmapViewOfSection
SSDT 88373660 ZwWriteVirtualMemory
SSDT 8843E930 ZwCreateThreadEx
Code 877C6440 ZwEnumerateKey
Code 877EC340 ZwFlushInstructionCache
Code 877BB2E5 IofCallDriver
Code 877B033E IofCompleteRequest
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!IofCallDriver 81C60912 5 Bytes JMP 877BB2EA
.text ntkrnlpa.exe!IofCompleteRequest 81C6097F 5 Bytes JMP 877B0343
.text ntkrnlpa.exe!KeSetEvent + 11D 81CC8860 8 Bytes [48, F0, 4D, 88, 48, A0, 4C, ...]
.text ntkrnlpa.exe!KeSetEvent + 131 81CC8874 4 Bytes [30, 3D, 37, 88]
.text ntkrnlpa.exe!KeSetEvent + 13D 81CC8880 4 Bytes [B8, D8, 93, 87]
.text ntkrnlpa.exe!KeSetEvent + 191 81CC88D4 4 Bytes JMP BEECD15A
.text ntkrnlpa.exe!KeSetEvent + 1F5 81CC8938 4 Bytes [C0, 3C, 41, 88] {SAR BYTE [ECX+EAX*2], 0x88}
.text ...
? C:\Windows\system32\drivers\rootrepeal.sys The system cannot find the file specified. !
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Mozilla Firefox\firefox.exe[3760] kernel32.dll!DuplicateConsoleHandle + 196 76DA9104 7 Bytes JMP 00AF0034
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS
AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS
AttachedDevice \Driver\tdx \Device\RawIp SYMTDI.SYS
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Services - GMER 1.0.15 ----
Service C:\Windows\system32\drivers\MSIVXifdxxbmundovyobvptwpemrierjqibmx.sys (*** hidden *** ) [SYSTEM] MSIVXserv.sys <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys@imagepath \systemroot\system32\drivers\MSIVXifdxxbmundovyobvptwpemrierjqibmx.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys\modules@MSIVXserv \\?\globalroot\systemroot\system32\drivers\MSIVXifdxxbmundovyobvptwpemrierjqibmx.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys\modules@MSIVXl \\?\globalroot\systemroot\system32\MSIVXfptkqskvyoypmbsrexmiigsjynywfpcg.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys\modules@MSIVXclk \\?\globalroot\systemroot\system32\MSIVXempmvocctvlhuifeimtfdtqcwnqrblrg.dll
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys@imagepath \systemroot\system32\drivers\MSIVXifdxxbmundovyobvptwpemrierjqibmx.sys
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys\modules
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys\modules@MSIVXserv \\?\globalroot\systemroot\system32\drivers\MSIVXifdxxbmundovyobvptwpemrierjqibmx.sys
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys\modules@MSIVXl \\?\globalroot\systemroot\system32\MSIVXfptkqskvyoypmbsrexmiigsjynywfpcg.dll
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys\modules@MSIVXclk \\?\globalroot\systemroot\system32\MSIVXempmvocctvlhuifeimtfdtqcwnqrblrg.dll
---- Files - GMER 1.0.15 ----
File C:\Windows\System32\drivers\MSIVXifdxxbmundovyobvptwpemrierjqibmx.sys 78336 bytes executable <-- ROOTKIT !!!
File C:\Windows\System32\MSIVXcount 4 bytes
File C:\Windows\System32\MSIVXempmvocctvlhuifeimtfdtqcwnqrblrg.dll 0 bytes
File C:\Windows\System32\MSIVXfptkqskvyoypmbsrexmiigsjynywfpcg.dll 25600 bytes executable
---- EOF - GMER 1.0.15 ----
I have downloaded Avenger and would just like to know what files to have it delete. Any help would be greatly appreciated. Thanks!
-J.
[edit: changed title to better reflect the issue.]