
rootkit.dropper/botnet


12 replies to this topic

#1 rossmc


Posted 24 January 2009 - 08:32 AM

This is my first post (apart from my intro one)...I had a trojan horse downloader.generic_r.Bj on my laptop and followed the detailed instructions on the forums here.

So basically I:

- Scanned with Malwarebytes' Anti-Malware
- Followed by SDFix
- Then ATF Cleaner
- Then SUPERAntiSpyware (It was at this point that the rootkit.dropper/botnet was discovered - SAS looked like it managed to get rid of it though!)
- Then another MAM scan (Everything looked clean)
- Then followed the restore point instructions
- Then ran an online Kaspersky anti-virus scan (This is where the rootkit.dropper/botnet showed up again)

I couldn't see where to generate a log from my Kaspersky scan but below is the SAS scan. As I said, SAS looked like it had removed the rootkit.dropper/botnet but it clearly hasn't.

I know they can be tricky to remove...where do I go from here? All help is hugely appreciated.


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/23/2009 at 06:40 PM

Application Version : 4.25.1012

Core Rules Database Version : 3723
Trace Rules Database Version: 1697

Scan type : Complete Scan
Total Scan Time : 04:30:42

Memory items scanned : 232
Memory threats detected : 1
Registry items scanned : 5192
Registry threats detected : 1
File items scanned : 120245
File threats detected : 6

Rootkit.Dropper/BotNet
C:\WINDOWS\SYSTEM32\KVWYQI.DLL
C:\WINDOWS\SYSTEM32\KVWYQI.DLL
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\kvwyqi

Adware.Tracking Cookie
C:\WINDOWS\system32\config\systemprofile\Cookies\system@2o7[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@adopt.euroclick[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@atdmt[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@doubleclick[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@msnaccountservices.112.2o7[2].txt


#2 boopme


Posted 24 January 2009 - 09:14 AM

Hello, I am moving this from HJT to Am I Infected, as there is no HJT log. Welcome to Bleeping Computer.
Let's do a Rootkit Scan.

Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.

Disconnect from the Internet or physically unplug your Internet cable connection.
Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
Temporarily disable your anti-virus and real-time anti-spyware protection.
After starting the scan, do not use the computer until the scan has completed.
When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

Note: Not all hidden components detected by ARKs are malicious. It is normal for a Firewall, some Anti-virus and Anti-malware software (ProcessGuard, Prevx1, AVG AS), sandboxes, virtual machines and Host based Intrusion Prevention Systems (HIPS) to hook into the OS kernel/SSDT in order to protect your system. You should not be alarmed if you see any hidden entries created by these software programs after performing a scan.

Please navigate to the download page of Avira AntiRootkit and click on Download to save it to your Desktop.
  • You should now find a file called: antivir_rootkit.zip on your Desktop.
  • Extract the file to your Desktop (you may then delete the zip file).
  • You should now have a folder with Setup.exe and some other files within it on your Desktop.
  • Double-click Setup.exe.
  • Click Next.
  • Highlight the radio button to accept the license agreement and then click Next.
  • Then click Next and Install to finalise the installation process.
  • Click Finish (you may now also delete the folder with the extracted files from the zip archive)
You successfully installed Avira AntiRootkit!
  • Please now navigate to Start > All Programs > Avira RootKit Detection. Then select: Avira RootKit Detection
  • Click OK when a message window pops up
  • Click Start scan and let it run
  • Click View report and copy the entire contents into your next reply.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 rossmc


Posted 25 January 2009 - 02:55 PM

Hi Boopme

Did as asked and ran the Avira Antirootkit scan, nothing showed up (see below).

However I ran an AVG scan afterwards and the rootkit nasties were found there (see below).

I opened up the virus vault on AVG and the following items are in it (the one in bold coming from the scan I did this evening):

Trojan horse Downloader.Generic_r.BJ
C:\Documents and Setting \LocalService \Local Settings \Temporary Internet Files \Content.IE5\QA04B79S\nws32[1].exe
Date: 21/01/2009

Trojan horse Adload_r.FQ
C:\WINDOWS\System32\svchost.exe:ext.exe
Date: 22/01/09

Trojan horse Downloader.Generic_r.BJ
C:\Documents and Setting \LocalService \Local Settings \Temporary Internet Files \Content.IE5\QA04B79S\nws32[1].exe
Date: 22/01/2009

Trojan horse Downloader.Generic_r.BJ
C:\WINDOWS\TEMP\560740478exe
Date: 23/01/2009

Trojan horse Downloader.Generic_r.BJ
C:\WINDOWS\TEMP\473132328exe
Date: 23/01/2009

Trojan horse Downloader.Generic_r.BJ
C:\WINDOWS\TEMP\966498719exe
Date: 23/01/2009

Trojan horse Downloader.Generic_r.BJ
C:\SDFix\backups\catchme.zip
Date: 25/01/2009



Avira AntiRootkit Tool - Beta (1.0.1.17)

========================================================================================================
- Scan started 25 January 2009 - 14:39:53
========================================================================================================

--------------------------------------------------------------------------------------------------------
Configuration:
--------------------------------------------------------------------------------------------------------
- [X] Scan files
- [X] Scan registry
- [X] Scan processes
- [ ] Fast scan
- Working disk total size : 74.52 GB
- Working disk free size : 49.70 GB (66 %)
--------------------------------------------------------------------------------------------------------

Scan task finished. No hidden objects detected!

--------------------------------------------------------------------------------------------------------
Files: 0/113762
Registry items: 0/230851
Processes: 0/30
Scan time: 00:20:42
--------------------------------------------------------------------------------------------------------
Active processes:
- lvzuuaur.exe (PID 1524) (Avira AntiRootkit Tool - Beta)
- GoogleUpdate.exe (PID 468)
- System (PID 4)
- smss.exe (PID 680)
- csrss.exe (PID 760)
- winlogon.exe (PID 792)
- services.exe (PID 844)
- lsass.exe (PID 856)
- ati2evxx.exe (PID 1044)
- svchost.exe (PID 1060)
- svchost.exe (PID 1156)
- MsMpEng.exe (PID 1192)
- svchost.exe (PID 1252)
- svchost.exe (PID 1356)
- ati2evxx.exe (PID 1464)
- explorer.exe (PID 1516)
- svchost.exe (PID 1632)
- svchost.exe (PID 1728)
- spoolsv.exe (PID 204)
- openvpnas.exe (PID 372)
- jqs.exe (PID 496)
- svchost.exe (PID 568)
- wmiprvse.exe (PID 1328)
- alg.exe (PID 1348)
- SynTPEnh.exe (PID 2452)
- eabservr.exe (PID 2460)
- HP Wireless Assistant.exe (PID 2528)
- ctfmon.exe (PID 2656)
- hpqwmi.exe (PID 2808)
- avirarkd.exe (PID 2604)
========================================================================================================
- Scan finished 25 January 2009 - 15:00:36
========================================================================================================


AVG Scan - 25th Feb

"Scan ""Scan whole computer"" was finished."
"Infections found:";"2"
"Infected objects removed or healed:";"2"
"Not removed or healed:";"0"
"Spyware found:";"0"
"Spyware removed:";"0"
"Not removed:";"0"
"Warnings count:";"52"
"Information count:";"0"
"Scan started:";"25 January 2009, 15:08:21"
"Scan finished:";"25 January 2009, 18:45:26 (3 hour(s) 37 minute(s) 5 second(s))"
"Total object scanned:";"565719"
"User who launched the scan:";"john"

"Infections"
"File";"Infection";"Result"
"C:\SDFix\backups\catchme.zip";"Trojan horse Rootkit-Agent.AV";"Moved to Virus Vault"
"C:\SDFix\backups\catchme.zip:\ATI5IPXX.sys";"Trojan horse Rootkit-Agent.AV";"Moved to Virus Vault"

"Warnings"
"File";"Infection";"Result"


Any advice on what to do next is greatly appreciated mate!
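An added triage script in Python, not from the thread, from AVG or from any helper here: it parses the semicolon-separated, double-quoted report layout pasted above, separates the two quarantined Rootkit-Agent.AV entries from the tracking-cookie warnings, and recognises the container:member form (the same colon form as the svchost.exe:ext.exe vault item, which on NTFS is also how an alternate data stream is written). The sample report is a constructed, shortened copy of the log above; the function names are my own.

```python
import csv
import io
from collections import Counter

# Constructed sample: a few lines in the same layout as the AVG report
# pasted in the thread (banner, summary pairs, then quoted sections).
SAMPLE_REPORT = r'''"Scan ""Scan whole computer"" was finished."
"Infections found:";"2"
"Infected objects removed or healed:";"2"
"Warnings count:";"3"

"Infections"
"File";"Infection";"Result"
"C:\SDFix\backups\catchme.zip";"Trojan horse Rootkit-Agent.AV";"Moved to Virus Vault"
"C:\SDFix\backups\catchme.zip:\ATI5IPXX.sys";"Trojan horse Rootkit-Agent.AV";"Moved to Virus Vault"

"Warnings"
"File";"Infection";"Result"
"C:\Documents and Settings\john\Cookies\john@doubleclick[2].txt";"Found Tracking cookie.Doubleclick";"Potentially dangerous object"
"C:\Documents and Settings\john\Cookies\john@doubleclick[2].txt:\doubleclick.net.bf396750";"Found Tracking cookie.Doubleclick";"Potentially dangerous object"
"C:\Documents and Settings\john\Cookies\john@revsci[2].txt";"Found Tracking cookie.Revsci";"Potentially dangerous object"
'''


def parse_avg_report(text):
    """Return (summary, sections).

    summary  -> {"Infections found": "2", ...} from the key;value pairs
    sections -> {"Infections": [{File, Infection, Result}, ...], "Warnings": [...]}
    Every field is double-quoted and embedded quotes are doubled, which is
    exactly the dialect csv.reader handles with delimiter=";".
    """
    summary, sections = {}, {}
    current, header, prev_blank = None, None, False
    reader = csv.reader(io.StringIO(text), delimiter=";", quotechar='"')
    for row in reader:
        if not row:                       # blank line: next lone field names a section
            prev_blank = True
            continue
        if len(row) == 1 and prev_blank:  # "Infections" / "Warnings"
            current, header = row[0], None
            sections[current] = []
        elif current is None:
            if len(row) >= 2:             # "Infections found:";"2"; the banner has one field
                summary[row[0].rstrip(":")] = row[1]
        elif header is None:
            header = row                  # "File";"Infection";"Result"
        else:
            sections[current].append(dict(zip(header, row)))
        prev_blank = False
    return summary, sections


def split_container(path):
    r"""Split 'C:\dir\file.zip:\member' into (container, member).

    AVG writes an object found inside an archive, a mailbox or an NTFS
    alternate data stream as container:member. The drive colon is skipped,
    so a plain path comes back with an empty member.
    """
    drive, rest = path[:2], path[2:]
    container, _, member = rest.partition(":")
    return drive + container, member


def is_nested_object(path):
    return split_container(path)[1] != ""


def triage(sections):
    """Reduce a parsed report to what a helper wants to know: which
    top-level files were quarantined, which detection names occurred,
    whether the warnings are tracking cookies only, and anything not moved."""
    infections = sections.get("Infections", [])
    warnings = sections.get("Warnings", [])
    return {
        "quarantined": sorted({split_container(e["File"])[0] for e in infections}),
        "families": Counter(e["Infection"] for e in infections),
        "warnings_cookie_only": all(
            e["Infection"].startswith("Found Tracking cookie") for e in warnings),
        "unresolved": [e for e in infections if not e["Result"].startswith("Moved")],
    }


if __name__ == "__main__":
    summary, sections = parse_avg_report(SAMPLE_REPORT)
    print(summary)
    for key, value in triage(sections).items():
        print(f"{key}: {value}")
```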

#4 DaChew


Posted 25 January 2009 - 03:22 PM

"Infections"
"File";"Infection";"Result"
"C:\SDFix\backups\catchme.zip";"Trojan horse Rootkit-Agent.AV";"Moved to Virus Vault"
"C:\SDFix\backups\catchme.zip:\ATI5IPXX.sys";"Trojan horse Rootkit-Agent.AV";"Moved to Virus Vault"


looks like sdfix was the one that caught the rootkit
Chewy

No. Try not. Do... or do not. There is no try.

#5 boopme


Posted 25 January 2009 - 03:48 PM

Yes, as DaChew said, SDFix pulled it; the other items are in your AVG quarantine and cannot harm your PC. Please do another MBAM scan.

RERUN MBAM

Open MBAM in normal mode and click the Update tab, select Check for Updates, when done
click the Scanner tab, select Quick scan and scan.
After scan click Remove Selected, post the new scan log and reboot.

#6 rossmc


Posted 25 January 2009 - 08:04 PM

Here's the MAM Scan (below).

Nothing seems to have turned up in it but I did run an MAM Scan, which again didn't pick up any nasties, before the AVG Scan listed in my previous post.

Is there another scan I can do to double check?

Also, I'm not entirely sure what to do with the virus vault in AVG. Do I just hit 'empty virus vault'?

Thanks for the help so far guys.

Malwarebytes' Anti-Malware 1.33
Database version: 1693
Windows 5.1.2600 Service Pack 3

26/01/2009 01:00:21
mbam-log-2009-01-26 (01-00-21).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 105671
Time elapsed: 1 hour(s), 40 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#7 boopme


Posted 25 January 2009 - 09:45 PM

OK so we've run MBAM and scans with 0 results and AVG with results. Now an MBAM again with 0. Now please do another AVG, thanks. We can do other things but first would like to be certain AVG sees it.


Actually let's get a second opinion from Kaspersky..
Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#8 rossmc


Posted 26 January 2009 - 06:22 PM

Hi

Here's the Kaspersky scan (below), nothing seems to be showing up.

When you said the SDFix pulled the other rootkit.dropper/botnet does that mean it managed to delete it ok?

Also, AVG Free found two rootkits, moved them to the virus vault and seems to have deleted them fine. I didn't actually know AVG could scan for rootkits as the 'rootkit' tick box is blanked out and cannot be 'ticked' on my free version of AVG.

Are there any further, deeper, scans I can do in safe mode to properly dig out any rootkits left?

Once again...ultra impressed by this site!


KASPERSKY ONLINE SCANNER 7 REPORT

Monday, January 26, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, January 26, 2009 17:36:56
Records in database: 1703269
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
C:\
D:\
Scan statistics
Files scanned 97235
Threat name 0
Infected objects 0
Suspicious objects 0
Duration of the scan 02:52:32

No malware has been detected. The scan area is clean.
The selected area was scanned.

#9 boopme


Posted 26 January 2009 - 08:13 PM

Hi, yes SDFix did get it. Are there any more issues here?

#10 rossmc


Posted 28 January 2009 - 06:01 AM

Everything seems clean. Even ran a SAS scan in safemode and nothing more than a few tracking cookies showed up. Awesome support boopme!

What I'm still worried about are the implications of having had the 'trojan horse downloader.generic_r.Bj' and the 'rootkit.dropper/botnet' on my computer.

For example is it possible the infections are still there, can someone gain access to my PC, should I change my passwords online and does it mean I'll have to go through the hassle of wiping the HD and reinstalling the OS?

I'm obviously keen to ensure that this doesn't happen again. I've heard the no-script firefox plugin is a good step to take...is there anything else I can do?

#11 boopme


Posted 28 January 2009 - 10:47 AM

Hello, in reality a rootkit/bot can still be there. A full wipe is the only guarantee. You can post a DDS/HJT log and have them check for you. Since your machine is at least very usable now, and it will take a day or so for them (jammed up) to get to you, I would still change my passwords from a different PC.

To post the log... Please follow this guide. Go and do steps 6 and 7, Preparation Guide For Use Before Using Hijackthis. Then go here HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post that complete log.

Let me know if it went OK!
BTW thank you!! And you are most welcome!

#12 rossmc


Posted 28 January 2009 - 11:51 AM

Thanks boopme. I'll get to a new computer and change my passwords. Will it make any difference though if I come back onto this computer and use the new passwords to log into sites, even if I did the actual change elsewhere?

Thanks for the HJT info, really useful guide. The first suggested step is to backup everything, which I'm going to start doing once I know my PC is clean. Is there much point in backing up to my external HD if I think there's still a possible nasty lurking on my PC? i.e. Could I simply transfer the infection onto my external HD by doing a backup?

Sorry if the questions have fairly obvious answers, just want to do everything right!

#13 boopme


Posted 28 January 2009 - 01:26 PM

This is actually hard to answer for certain. Some files are less likely to be infected than others. Say your Word, text files are likely to be OK but the application may need to be reinstalled fresh. It is still important to at least have the infected (if so) backup than none. The external files can be checked and cleaned, then restored to the clean HDD. I think if you're going to post in HJT have them determine the viability of your HDD's infections if present.



