Advice on Rootkit Infection causing 0x0000024 Error
A scan of my drive indicated the presence of a rootkit virus - how do I remove this completely?

SCAN RESULTS

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-02-23 08:46:15
Windows 5.1.2600 Service Pack 2
Harddisk0\DR0 -> \Device\Ide\IdePort0 TOSHIBA_MK1234GSX rev.AH001D
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINS~1\LOCALS~1\Temp\fftoapoc.sys

---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\zmkkpebciviax9.sys ZwEnumerateKey [0xBA3BDAA6]
Code \SystemRoot\system32\drivers\zmkkpebciviax9.sys ObInsertObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!KeDeregisterBugCheckReasonCallback + 153 805327D2 5 Bytes JMP BA3CB0EA \SystemRoot\system32\drivers\zmkkpebciviax9.sys
PAGE ntoskrnl.exe!ObInsertObject 805641A3 5 Bytes JMP BA3BDBB0 \SystemRoot\system32\drivers\zmkkpebciviax9.sys
PAGE ntoskrnl.exe!ZwEnumerateKey 8056EE68 5 Bytes JMP BA3BDAAA \SystemRoot\system32\drivers\zmkkpebciviax9.sys
? C:\WINDOWS\system32\drivers\zmkkpebciviax9.sys The system cannot find the path specified.
? C:\DOCUME~1\ADMINS~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[620] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 0088000A
.text C:\WINDOWS\system32\svchost.exe[620] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 0089000A
.text C:\WINDOWS\system32\svchost.exe[620] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 0087000C
.text C:\WINDOWS\system32\svchost.exe[620] USER32.dll!GetForegroundWindow 77D4C4AE 5 Bytes JMP 00EC000A
.text C:\WINDOWS\system32\svchost.exe[620] USER32.dll!GetCursorPos 77D4C566 5 Bytes JMP 00EA000A
.text C:\WINDOWS\system32\svchost.exe[620] USER32.dll!WindowFromPoint 77D4C57E 5 Bytes JMP 00EB000A
.text C:\WINDOWS\system32\svchost.exe[620] ole32.dll!CoCreateInstance 77526009 5 Bytes JMP 00E3000A
.text C:\WINDOWS\Explorer.EXE[1040] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 00B4000A
.text C:\WINDOWS\Explorer.EXE[1040] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 00BD000A
.text C:\WINDOWS\Explorer.EXE[1040] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 00B3000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs zmkkpebciviax9.sys
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8B0E839B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8B0E839B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 8B0E839B
Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskTOSHIBA_MK1234GSX_______________________AH001D__#4&322daa1&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\zmkkpebciviax9.sys (*** hidden *** ) [SYSTEM] zmkkpebciviax9 <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\zmkkpebciviax9 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\zmkkpebciviax9@Type 1
Reg HKLM\SYSTEM\ControlSet001\Services\zmkkpebciviax9@Start 1
Reg HKLM\SYSTEM\ControlSet001\Services\zmkkpebciviax9@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet001\Services\zmkkpebciviax9@ImagePath system32\drivers\zmkkpebciviax9.sys
Reg HKLM\SYSTEM\ControlSet001\Services\zmkkpebciviax9@DisplayName zmkkpebciviax9.sys
Reg HKLM\SYSTEM\ControlSet001\Services\zmkkpebciviax9@Group Filter
Reg HKLM\SYSTEM\ControlSet001\Services\zmkkpebciviax9@hwbls 0xF5 0xA5 0x8F 0x43 ...
Reg HKLM\SYSTEM\ControlSet001\Services\zmkkpebciviax9@hwsht 0x00 0x00
Reg HKLM\SYSTEM\ControlSet001\Services\zmkkpebciviax9@hwbcr 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\zmkkpebciviax9\Security (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\zmkkpebciviax9\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\zmkkpebciviax9
Reg HKLM\SYSTEM\CurrentControlSet\Services\zmkkpebciviax9@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\zmkkpebciviax9@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\zmkkpebciviax9@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\zmkkpebciviax9@ImagePath system32\drivers\zmkkpebciviax9.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\zmkkpebciviax9@DisplayName zmkkpebciviax9.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\zmkkpebciviax9@Group Filter
Reg HKLM\SYSTEM\CurrentControlSet\Services\zmkkpebciviax9@hwbls 0xF5 0xA5 0x8F 0x43 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\zmkkpebciviax9@hwsht 0x00 0x00
Reg HKLM\SYSTEM\CurrentControlSet\Services\zmkkpebciviax9@hwbcr 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\zmkkpebciviax9\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\zmkkpebciviax9\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\ControlSet003\Services\zmkkpebciviax9 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\zmkkpebciviax9@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\zmkkpebciviax9@Start 1
Reg HKLM\SYSTEM\ControlSet003\Services\zmkkpebciviax9@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\zmkkpebciviax9@ImagePath system32\drivers\zmkkpebciviax9.sys
Reg HKLM\SYSTEM\ControlSet003\Services\zmkkpebciviax9@DisplayName zmkkpebciviax9.sys
Reg HKLM\SYSTEM\ControlSet003\Services\zmkkpebciviax9@Group Filter
Reg HKLM\SYSTEM\ControlSet003\Services\zmkkpebciviax9@hwbls 0xF5 0xA5 0x8F 0x43 ...
Reg HKLM\SYSTEM\ControlSet003\Services\zmkkpebciviax9@hwsht 0x00 0x00
Reg HKLM\SYSTEM\ControlSet003\Services\zmkkpebciviax9@hwbcr 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\zmkkpebciviax9\Security (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\zmkkpebciviax9\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\ControlSet004\Services\zmkkpebciviax9 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\zmkkpebciviax9@Type 1
Reg HKLM\SYSTEM\ControlSet004\Services\zmkkpebciviax9@Start 1
Reg HKLM\SYSTEM\ControlSet004\Services\zmkkpebciviax9@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet004\Services\zmkkpebciviax9@ImagePath system32\drivers\zmkkpebciviax9.sys
Reg HKLM\SYSTEM\ControlSet004\Services\zmkkpebciviax9@DisplayName zmkkpebciviax9.sys
Reg HKLM\SYSTEM\ControlSet004\Services\zmkkpebciviax9@Group Filter
Reg HKLM\SYSTEM\ControlSet004\Services\zmkkpebciviax9@hwbls 0xF5 0xA5 0x8F 0x43 ...
Reg HKLM\SYSTEM\ControlSet004\Services\zmkkpebciviax9@hwsht 0x00 0x00
Reg HKLM\SYSTEM\ControlSet004\Services\zmkkpebciviax9@hwbcr 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\zmkkpebciviax9\Security (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\zmkkpebciviax9\Security@Security 0x01 0x00 0x14 0x80 ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 11: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 57: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\zmkkpebciviax9.sys 79488 bytes executable <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
February 23rd, 2011 5:17pm
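As an added triage helper (not part of this thread, and not GMER's own code), the script below parses lines in the layout of the log above, sorting the inline hooks, the hidden service, the NTFS filter attachment, the flagged sectors and the flagged file into buckets and counting which driver the findings point at. The sample lines are copied from the log; the regexes, the bucket names and the `triage`/`primary_suspect` functions are this example's own assumptions about that layout.

```python
import re
from collections import Counter

# Constructed sample: seven lines copied from the GMER log in the post (one of each kind parsed)
SAMPLE_LOG = r"""
PAGE ntoskrnl.exe!ObInsertObject 805641A3 5 Bytes JMP BA3BDBB0 \SystemRoot\system32\drivers\zmkkpebciviax9.sys
PAGE ntoskrnl.exe!ZwEnumerateKey 8056EE68 5 Bytes JMP BA3BDAAA \SystemRoot\system32\drivers\zmkkpebciviax9.sys
.text C:\WINDOWS\system32\svchost.exe[620] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 0088000A
AttachedDevice \FileSystem\Ntfs \Ntfs zmkkpebciviax9.sys
Service C:\WINDOWS\system32\drivers\zmkkpebciviax9.sys (*** hidden *** ) [SYSTEM] zmkkpebciviax9 <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
File C:\WINDOWS\system32\drivers\zmkkpebciviax9.sys 79488 bytes executable <-- ROOTKIT !!!
""".strip().splitlines()
HEX = r"[0-9A-Fa-f]+"
# ".text"/"PAGE" lines: optional "process[pid]", then module!function, address, "N Bytes JMP target [driver]"
INLINE_HOOK = re.compile(
    rf"^(?:\.text|PAGE)\s+(?:(?P<proc>\S+\[\d+\])\s+)?(?P<func>\S+!\S+)\s+{HEX}"
    rf"\s+(?P<n>\d+) Bytes\s+JMP\s+(?P<target>{HEX})(?:\s+(?P<module>\S+))?\s*$")
HIDDEN_SVC = re.compile(r"^Service\s+(?P<path>\S+)\s+\(\*\*\* hidden \*\*\* \)")
ROOTKIT_FILE = re.compile(r"^File\s+(?P<path>\S+)\s+.*<-- ROOTKIT")
BAD_SECTOR = re.compile(r"^Disk\s+(?P<dev>\S+)\s+sector\s+(?P<n>\d+): rootkit-like behavior")
FS_FILTER = re.compile(r"^AttachedDevice\s+(?P<stack>\S+)\s+\S+\s+(?P<drv>\S+)")
def basename(path):  # last path component, case-folded, so kernel and Win32 paths compare equal
    return path.rsplit("\\", 1)[-1].lower()
def triage(lines):
    """Sort GMER findings into buckets and count how often each driver is implicated."""
    r = {"kernel_hooks": [], "user_hooks": [], "hidden_services": [], "rootkit_files": [],
         "suspect_sectors": [], "fs_filters": [], "drivers": Counter()}
    def add(bucket, item, driver=None):
        r[bucket].append(item)
        if driver:
            r["drivers"][basename(driver)] += 1
    for line in lines:
        if m := INLINE_HOOK.match(line):
            if m["proc"]:  # hook inside a user process; the JMP target names no loaded module
                add("user_hooks", (m["proc"], m["func"], m["target"]))
            else:          # kernel export patched to jump into the named driver
                add("kernel_hooks", (m["func"], m["module"]), m["module"])
        elif m := HIDDEN_SVC.match(line):
            add("hidden_services", m["path"], m["path"])
        elif m := ROOTKIT_FILE.match(line):
            add("rootkit_files", m["path"], m["path"])
        elif m := BAD_SECTOR.match(line):
            add("suspect_sectors", (m["dev"], int(m["n"])))
        elif m := FS_FILTER.match(line):
            add("fs_filters", (m["stack"], m["drv"]), m["drv"])
    return r
def primary_suspect(report):  # driver implicated most often, or None if nothing was flagged
    return report["drivers"].most_common(1)[0][0] if report["drivers"] else None
```

Run over the full log, the same driver turns up in the kernel hooks, the hidden service, the NTFS filter and the flagged file, which is what makes `primary_suspect` a useful first read of a GMER report before posting it to a malware-removal forum.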

Hi,

1. When do you get this error code?

I would ask you to run the online virus scan and check. Sometimes the installed security program might not be enough. I also recommend that you update your security software regularly.

a. Follow the link below to run the free online scan:
http://onecare.live.com/site/en-us/default.htm

b. Run the Microsoft Malicious Removal Tool.
Microsoft Malicious Removal Tool - 32 bit
http://www.microsoft.com/downloads/details.aspx?FamilyID=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en
Microsoft Malicious Removal Tool - 64 bit
http://www.microsoft.com/downloads/details.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en

I would also recommend that you install the free security software from Microsoft, which is easy to install and updates automatically. Here is the link to download it:
http://www.microsoft.com/securepc

Hope this helps.

Thanks and Regards,
Shekhar S - Microsoft Support.
Visit our Microsoft Answers Feedback Forum and let us know what you think. If this post helps to resolve your issue, please click the "Mark as Answer" or "Helpful" button at the top of this message. By marking a post as Answered or Helpful, you help others find the answer faster.
February 24th, 2011 9:08am

When you get rid of the rootkit, I suggest you update XP to Service Pack 3, as XP Service Pack 2 support ended July 13, 2010.

You may wish to post in a different forum where they have knowledge of Gmer logs; I suggest http://www.bleepingcomputer.com/forums/ or http://www.techsupportforum.com/forums/

Do not use the current Malicious Software Removal Tool as it has vulnerabilities. A new version will be released March 8, 2011. http://www.microsoft.com/technet/security/advisory/2491888.mspx
February 25th, 2011 12:16am
