Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Rootkit.tdss, hijack.startmenu


  • Please log in to reply
4 replies to this topic

#1 gimme2

gimme2

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Location:Tustin, CA
  • Local time:02:47 AM

Posted 06 February 2009 - 02:08 PM

Before asking what should be done with these, I'll ask if there's a list of common HJT or MBAM log results that are false positives. Or perhaps it's safe to delete 100% of all items found.

In any case, here's my MBAM log, with hopes that you analyze these as well as HJT logs. Thanks!
Just thought to add that I'm also running avast! free anti-virus software in real-time.
-------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.33
Database version: 1731
Windows 5.1.2600 Service Pack 3

2/6/2009 9:06:30 AM
mbam-log-2009-02-06 (09-06-23).txt

Scan type: Quick Scan
Objects scanned: 53556
Time elapsed: 7 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Derek Luce\Local Settings\Temp\sVXACjQv.exe.part (Rootkit.TDSS) -> No action taken.

BC AdBot (Login to Remove)

 


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,947 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:06:47 AM

Posted 06 February 2009 - 11:16 PM

Since this is a MalwareBytes log, I am moving this from the HiJack This forum to the Am I Infected forum. ~ OB
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,199 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:06:47 AM

Posted 07 February 2009 - 12:22 AM

This Rootkit can allow an attacker to
gain control of the system, log keystrokes, steal passwords, access personal
data, send malevolent outgoing traffic, and close the security warning
messages displayed by some anti-virus and security programs.

I would advise you to disconnect this PC from the Internet, and then go to
a known clean computer and change any passwords or security information held
on the infected computer. In particular, check whatever relates to online
banking financial transactions, shopping, credit cards, or sensitive
personal information. It is also wise to contact your financial institutions
to apprise them of your situation.

We will do our best to clean the computer of any infections seen on the log.
However, because of the nature of this Trojan, I cannot offer a total
guarantee that there are no remnants left in the system, or that the
computer will be trustworthy.

Many security experts believe that once infected with this type of Trojan,
the best course of action is to reformat and reinstall the Operating System.
Making this decision is based on what the computer is used for, and what
information can be accessed from it.

Knowing the above, let us know if you wish to proceed.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#4 ozeannie

ozeannie

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:09:47 PM

Posted 12 February 2009 - 08:59 PM

Does your prognosis of the problem and the recommendation which you give apply only if the rootkit is installed - ie if the Hijack.Startmenu is the only thing found, is this part of the same problem? In this particualr case, Hijack.Startmenu was found by malwarebytes and the removal tool was used to remove it - but malwarebytes didn't find the rootkit mentioned (mind you, malwarebytes was run after we had cleaned all temp files) - does this mean the rootkit could have been there and used to access stuff, then removed and therefore not picked up by malwarebytes? Or would Malwarebytes still pick up something of it in the registry even if the temp files had been removed?

#5 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:06:47 AM

Posted 12 February 2009 - 09:29 PM

Does your prognosis of the problem and the recommendation which you give apply only if the rootkit is installed - ie if the Hijack.Startmenu is the only thing found, is this part of the same problem? In this particualr case, Hijack.Startmenu was found by malwarebytes and the removal tool was used to remove it - but malwarebytes didn't find the rootkit mentioned (mind you, malwarebytes was run after we had cleaned all temp files) - does this mean the rootkit could have been there and used to access stuff, then removed and therefore not picked up by malwarebytes? Or would Malwarebytes still pick up something of it in the registry even if the temp files had been removed?


Please start your own thread and post the logs you have, Hijack.StartMenu is seen with many infections, some not near as nasty as this one
Chewy

No. Try not. Do... or do not. There is no try.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users