
Operating Memory Scanner, And Rootkits?


  • This topic is locked
10 replies to this topic

#1 ShrOomiN
  • Members
  • 59 posts

Posted 11 April 2008 - 01:18 PM

Howdy, I was using avast to look for some virus and kill them dead. It brought to my attention though that I had rootkit infections, in either my operating memory, or elsewhere can't remember exactly where it said. It asked me to reboot, and it would it eliminate the infection but it only bought the same message to me and rebooted once more and repeated the process. So there's many things I can do from here, but I think I'll be good if someone could just point me in the direction of an operating memory scanner. Btw operating memory refers to RAM, right?

Edited by ShrOomiN, 11 April 2008 - 01:25 PM.



#2 DaChew (Visiting Alien)
  • BC Advisor
  • 10,317 posts
  • Location: millenium falcon and rockytop

Posted 12 April 2008 - 12:56 PM

rootkits run in ram/real memory but hide deep in your computer, loading early in the boot cycle to stay hidden

newer anti-malware try to stop and find them but these are nasty buggers and it's best to get trained experts to help

http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/
Chewy

No. Try not. Do... or do not. There is no try.

#3 ShrOomiN (Topic Starter)
  • Members
  • 59 posts

Posted 15 April 2008 - 06:11 AM

So what, I should just post a HijackThis log?

#4 DaChew (Visiting Alien)
  • BC Advisor
  • 10,317 posts
  • Location: millenium falcon and rockytop

Posted 15 April 2008 - 06:29 AM

Most good scanners scan memory; the question is, after they unload the malicious code from RAM, can they kill the rootkit so it can't reload?


To receive help, you should instead provide a detailed description of your problem, detailed word-for-word error messages that you are receiving, screenshots of strange behaviour, and your operating system.


I am sure avast would have a report/log or two with some clues

#5 quietman7 (Bleepin' Janitor)
  • Global Moderator
  • 51,119 posts
  • Location: Virginia, USA

Posted 15 April 2008 - 08:40 AM

"It brought to my attention though that I had rootkit infections"

Did avast provide a specific file name associated with this malware threat and if so, where is it located (full file path) at on your system?
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#6 ShrOomiN (Topic Starter)
  • Members
  • 59 posts

Posted 15 April 2008 - 09:30 PM

Don't believe so but I'll double check, I intend on doing another scan sometime during this night before I finally sleep.

#7 quietman7 (Bleepin' Janitor)
  • Global Moderator
  • 51,119 posts
  • Location: Virginia, USA

Posted 16 April 2008 - 08:03 AM

If you suspect a rootkit, use AVG Anti-Rootkit, Sophos Anti-rootkit or Panda AntiRootkit.

Before performing a scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
Note: Not all hidden components detected by ARKs are malicious. It is normal for a firewall, some anti-virus and anti-malware software (ProcessGuard, Prevx1, AVG AS), sandboxes, virtual machines and Host-based Intrusion Prevention Systems (HIPS) to hook into the OS kernel/SSDT in order to protect your system. You should not be alarmed if you see any hidden entries created by these software programs after performing a scan.
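The "hidden entries" quietman7 mentions are what an anti-rootkit scanner (ARK) surfaces by cross-view diffing: it enumerates the same objects (processes, files, hooks) through two independent paths and reports whatever the high-level API path omits. The script below is an added example, not code from this thread or from any of the ARK products named in it, and it demonstrates the general algorithm on Linux process IDs rather than the Windows case the poster has: the `/proc` listing is the view a hooked API would filter, and probing every PID with signal 0 is the lower-level view. The PID values in `demo()` are constructed for the example.

```python
"""Cross-view diffing, the core technique anti-rootkit scanners (ARKs) use to
surface 'hidden' entries: enumerate the same objects two independent ways
and report whatever one view shows but the other does not.
Added example, not code from the thread or from any ARK product."""
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class CrossViewResult:
    hidden: frozenset            # present in the low-level view only
    unexplained: frozenset       # present in the high-level view only


def cross_view_diff(high_level_view, low_level_view):
    """Compare two enumerations of process IDs.

    A user-mode rootkit that filters the process-listing API can remove
    itself from high_level_view, but the process still has to exist for
    the kernel or it stops running, so it still answers existence probes.
    The difference between the two views is the candidate hidden set.
    """
    high = frozenset(high_level_view)
    low = frozenset(low_level_view)
    return CrossViewResult(hidden=low - high, unexplained=high - low)


def enumerate_pids_procfs():
    """High-level view: what `ps` reads, a directory listing of /proc."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def enumerate_pids_probe(max_pid):
    """Low-level view: ask the kernel about every PID with signal 0 (no
    signal is delivered; the call only reports whether the PID exists)."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass                 # exists, but belongs to another user
        found.add(pid)
    return found


def stable_hidden(rounds=3, max_pid=None):
    """Run the live comparison several times and keep only PIDs hidden in
    every round; this filters out processes that merely exited between the
    two enumerations, the classic race in cross-view scanning.
    Returns None on systems without procfs (e.g. Windows, macOS)."""
    if not os.path.isdir("/proc"):
        return None
    if max_pid is None:
        try:
            with open("/proc/sys/kernel/pid_max") as f:
                max_pid = int(f.read())
        except OSError:
            max_pid = 32768
    result = None
    for _ in range(rounds):
        hidden = cross_view_diff(enumerate_pids_procfs(),
                                 enumerate_pids_probe(max_pid)).hidden
        result = hidden if result is None else result & hidden
    return result


def demo():
    """Constructed views: PID 4242 (made up) is missing from the API view only."""
    api_view = [1, 2, 3, 100, 2048]
    probe_view = [1, 2, 3, 100, 2048, 4242]
    return cross_view_diff(api_view, probe_view)


if __name__ == "__main__":
    print("constructed demo, hidden:", sorted(demo().hidden))
    live = stable_hidden()
    print("live scan:", "no procfs on this host" if live is None else sorted(live))
```

Two things carry over to the Windows situation in the thread. First, a discrepancy is only a candidate: the note above about firewalls, HIPS and sandboxes hooking the kernel is exactly the class of benign discrepancy this kind of diff produces, which is why ARK output needs a human to triage it rather than an automatic delete. Second, both views here still go through the kernel, so a kernel-mode rootkit hooking the SSDT can lie to both; real ARKs therefore take their second view from as low as they can (raw kernel object lists or raw disk structures), and that is also why the "hidden" results can differ between the tools quietman7 lists.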

#8 ShrOomiN (Topic Starter)
  • Members
  • 59 posts

Posted 16 April 2008 - 11:52 PM

Wow, whatever is in my computer is really kicking it up a notch. Suddenly, like after the last post in the thread, upon start-up my computer was running so slow. I had to keep it running for a minute by like opening and closing things repeatedly, and just generally being a pain. It was working though, but it seems to be drastically losing its effect; it took me like 20 minutes to get onto this website and start typing this.

Anyway, here is what I've done thus far: I used the Sophos Anti-Rootkit and eliminated everything in the Avast log I found that Avast labeled as dangerous/root-kit/dangerous root-kit. So without further ado I'm going to post a HijackThis log. I'm also going to keep this computer on for as long as possible; I don't want my next boot up to be my last. Well, this is what I get for rarely doing maintenance.

Thanks for everything so far guys.

Edited by ShrOomiN, 16 April 2008 - 11:53 PM.


#9 quietman7 (Bleepin' Janitor)
  • Global Moderator
  • 51,119 posts
  • Location: Virginia, USA

Posted 17 April 2008 - 08:33 AM

Before posting a HijackThis log:

If your computer seems to be slow, read "Slow Computer/Browser? Check here first; it may not be malware." There are reasons for slowness besides malware, i.e. disk fragmentation, disk errors, corrupt system files, too many startup programs, unnecessary services running, not enough RAM, dirty hardware components, etc. As your system gets older it becomes filled with more files/programs and has a natural tendency to slow down, so cleaning and regular maintenance is essential.
Note: If you are not on a local area network (LAN), disable the Workstation Service, which creates and maintains client network connections to remote servers, and that should also help to speed up your boot time.

#10 ShrOomiN (Topic Starter)
  • Members
  • 59 posts

Posted 17 April 2008 - 12:18 PM

Alright, thanks for the additional info. I don't think this is innocent though, and I'm decent enough with computers to have been familiar with what was on that thread, but the log is posted now. Thanks again for everything, Quietman7 and DaChew.

#11 quietman7 (Bleepin' Janitor)
  • Global Moderator
  • 51,119 posts
  • Location: Virginia, USA

Posted 17 April 2008 - 12:36 PM

You're welcome on behalf of the Bleeping Computer community.

Your hijackthis log is posted here.

After posting a log you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the member assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

To avoid confusion, I am closing this topic until you are cleared by the HJT Team. If you still need assistance after your log has been reviewed and you have been cleared, please PM me or another moderator and we will re-open this topic.

Thanks for your cooperation and good luck with your log.