Rootkit removal please help I feel like tearing my hair out

[hre2stay]

Number 3

They might not all be in the exact order they were. If this is a problem I still have the original

[attachment deleted by admin]

[ale52]

In my experience it's best to save your data and reformat.  Rootkits are almost impossible to completely get rid of.  Good luck trying all the other things.

Alan <>< 

[evilfantasy]

Rootkits are almost impossible to completely get rid of.

Only to an untrained eye...

How is the computer running now?

[ale52]

"Only to an untrained eye..."  You are absolutely right   I'm glad there are folks that can take the time to diagnose and get it fixed.  Unfortunately for me I don't have that luxury as everyone wants it NOW. 

Thanks for taking the time.

Alan <>< 

[evilfantasy]

At premium rates it's too expensive for the customer. Here we have the luxury of time.

I haven't met a rootkit in a forum setting I couldn't find.... yet!

Besides, not to insult hre2stay, but usually when someone says they have a rootkit it usually isn't the case. They are way harder to detect/notice then they are to find/remove

[hre2stay]

I ran AVG8 rootkit scanner and that was what told me it was a rootkit. I am fairly experienced and can get rid of most viruses but this had me flummoxed. Anyhoo what would you like me to do next?

[evilfantasy]

Can you run a new scan get a log from AVG Antirootkit?

[hre2stay]

Ill try but it usually gives me a BSOD

[evilfantasy]

Are you sure that the file path was right from the first post?

C:\WINDOWS\System32\Drivers\a6dkvma6.SYS

[hre2stay]

Yeah that was the 1st 1. When deleted it duplicates itself

Its scanning now n came up with this one

C:\WINDOWS\System32\Drivers\aowla604.SYS

[evilfantasy]

I'm not sure these are rootkit files.

Run GMER again please. Read the instructions carefully please. I don't need the whole log from the default settings.

Download GMER and save it to your desktop

• Unzip (extract) it to your desktop.
• Disconnect from Internet and close all running programs.
• There is a small chance this application may crash your computer so save any work you have open.
• Double-click gmer.exe to run it.
  
• Let the gmer.sys driver to load if asked.
• If it gives you a warning at program start about rootkit activity and asks if you want to run a scan... click NO
  
• Click the Rootkit tab.
  
• Make sure all the boxes on the right of the screen are checked, EXCEPT for "Show All".
  
• Then click the Scan button. Wait for the scan to finish.
  
• Once done, click the Copy button.
  
• This will copy the results to the clipboard. Open Notepad and press CTRL + V to paste the log, and save it to your desktop.
  
• Add this log to your next reply.

NOTE: If you're having problems with running gmer.exe, try it in Safe Mode. This tool works in Safe Mode whereas many other rootkit revealers do not.

[hre2stay]

Having ran GMER again it came out with even more text files. I was pretty sure I hadnt clicked the show all box the 1st time and I hadn't. In fact it wouldnt even let me put a tick in the check box. To prove this I printed the screen. It came up with hundreds upon hundreds of text files again as the picture proves.

http://i22.photobucket.com/albums/b326/Hre2stay/GMERscreenshot.jpg

Attached are the REG items it came up with. I didnt bother adding the text files as there were hunderds again


[attachment deleted by admin]

[evilfantasy]

I don't know why it's coming out like that. It should be something  like this.

GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-08-24 12:10:19
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.10 ----

SSDT \??\C:\WINDOWS\system32\vsdatant.sys ZwConnectPort
SSDT \??\C:\WINDOWS\system32\vsdatant.sys ZwOpenProcess
SSDT \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys ZwUnloadKey

---- Devices - GMER 1.0.10 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSEIRP_MJ_READ [BA437E90] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [BA437E90] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSEIRP_MJ_READ [BA437E90] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [BA437E90] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSEIRP_MJ_READ [BA437E90] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [BA437E90] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSEIRP_MJ_READ [BA437E90] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [BA437E90] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSEIRP_MJ_READ [BA437E90] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [BA437E90] vsdatant.sys
Device \Driver\AFD \Device\Afd IRP_MJ_CREATE [BA431B50] vsdatant.sys
Device \Driver\AFD \Device\Afd IRP_MJ_CLOSEIRP_MJ_READ [BA431B50] vsdatant.sys
Device \Driver\AFD \Device\Afd IRP_MJ_INTERNAL_DEVICE_CONTROL [BA431B50] vsdatant.sys

---- EOF - GMER 1.0.10 ----


Download Panda Anti-Rootkit.zip

* Unzip it and run the PAVARK.exe file.
* Tick the box that says In depth scan and follow the on screen instructions.
* Let me know the results in your reply.

[hre2stay]

Will it run in safe mode because if not its likely to BSOD

[evilfantasy]

It should run in safe mode.