
Generic RootKit Virus, need help


16 replies to this topic

#1 Evoni (Members, 15 posts)

Posted 07 May 2009 - 07:44 PM

I've been trying to fix this for 2 days with some improvement, but it keeps returning. Went to a website doing research on what I thought was an innocent enough topic (not a porn site) and the next thing I know McAfee is alerting me to programs wanting to do something, and of course I clicked on no, but still got loaded with the virus. Running a scan on McAfee showed some problems, but after using it to clean, I found that I couldn't log on with my browsers. Finally figured out the virus had put proxies on them and changed those back to their usual setting on IE and Firefox.

Then ran Malwarebytes and found more stuff infected. The logs indicate it cleans them up, but then says it has to reboot to take care of one or more of them, but after rebooting McAfee starts giving out warning messages such as:

Generic Rootkit Windows/system32/drivers/nicsk32.sys

I've run Malwarebytes quite a few times with the same results, and the longer between scans and the limited clean-up it does, the more infected files it discovers on the next scan, and also the slower the computer runs; it takes a long time to open Word docs, etc.

Where do I go from this point to try and get this fixed? Thanks!

This is the last Malware log:

Malwarebytes' Anti-Malware 1.36
Database version: 2085
Windows 5.1.2600 Service Pack 3

5/7/2009 5:24:05 PM
mbam-log-2009-05-07 (17-24-05).txt

Scan type: Full Scan (A:\|C:\|D:\|)
Objects scanned: 195354
Time elapsed: 46 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\i386si.sys.vir (Rootkit.Agent) -> Quarantined and deleted successfully.
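The two Malwarebytes logs in this thread are the evidence everyone is reasoning from, so it is worth being able to read them mechanically: confirm that the header counts match the items actually listed (a truncated paste is a common reason a helper misreads a log), pull out each detection's family tag, and notice where a hit actually lives. The one "infected" file in the first log sits under C:\Qoobox\Quarantine with a .vir suffix, which is ComboFix's quarantine folder, so it is an already-neutralised copy of a driver rather than a live one. The parser below is an added example written for this page, not a tool from Malwarebytes or from the thread; the sample log is constructed from the format quoted above, and the `Qoobox`/`.vir` check is the example's own heuristic.

```python
import re

# Constructed sample, laid out like the Malwarebytes' Anti-Malware 1.36 log quoted in the post above.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.36
Database version: 2085
Windows 5.1.2600 Service Pack 3

Scan type: Full Scan (A:\|C:\|D:\|)
Objects scanned: 195354
Time elapsed: 46 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\i386si.sys.vir (Rootkit.Agent) -> Quarantined and deleted successfully.
"""

# "Files Infected: 1" summary lines, "Files Infected:" section headers, and detection lines.
SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")


def parse_mbam_log(text):
    """Return (summary, detections): summary maps each 'X Infected' header to its declared count;
    detections lists every item line with its section, family tag and the action MBAM took."""
    summary, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m["section"]] = int(m["count"])
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["section"]
            continue
        if section is None or line.startswith("(No malicious items detected)"):
            continue
        m = ITEM_RE.match(line)
        if m:
            detections.append({"section": section, "item": m["item"],
                               "family": m["family"], "action": m["action"]})
    return summary, detections


def check_counts(summary, detections):
    """Map each section to (declared count, items actually listed) so a truncated paste shows up."""
    listed = {}
    for d in detections:
        listed[d["section"]] = listed.get(d["section"], 0) + 1
    return {sec: (declared, listed.get(sec, 0)) for sec, declared in summary.items()}


def in_quarantine_store(path):
    """True when the path is a copy already held in ComboFix's Qoobox quarantine (or carries its
    .vir suffix): such hits are neutralised copies, not evidence of a live driver on the system."""
    p = path.lower()
    return "\\qoobox\\quarantine\\" in p or p.endswith(".vir")


def triage(text):
    """One line per detection, plus a warning for any header count that the listing does not match."""
    summary, detections = parse_mbam_log(text)
    notes = []
    for sec, (declared, listed) in check_counts(summary, detections).items():
        if declared != listed:
            notes.append(f"{sec}: header says {declared}, {listed} listed (paste truncated?)")
    for d in detections:
        where = "already-quarantined copy" if in_quarantine_store(d["item"]) else "live item"
        notes.append(f"{d['family']}: {where}: {d['item']}")
    return notes


if __name__ == "__main__":
    for note in triage(SAMPLE_LOG):
        print(note)
```

Run against a pasted log, the output separates the two Security Center registry values (live items that disabled the AV/update notifications) from the driver hit, which it labels as a quarantined copy.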


#2 Evoni (Topic Starter)

Posted 07 May 2009 - 07:48 PM

Sorry, forgot to add that I'm on Windows XP.

#3 boopme (To Insanity and Beyond; Global Moderator, 73,556 posts; NJ USA)

Posted 07 May 2009 - 07:50 PM

Hello and welcome.
Rootkit scanning

Before performing an anti-rootkit scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.

  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan, including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
-- How do I get help? Who is helping me? | For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... | Become a BleepingComputer fan: Facebook

#4 Evoni (Topic Starter)

Posted 08 May 2009 - 03:40 PM

I did as instructed and the scan took about 7 hours. Unfortunately I accidentally hit scan again instead of save and lost the first scan log. I then had it do it during the night while I was asleep but found the computer had rebooted itself for some reason and I had to do it again this morning. The scan this time took about 4 hours. However the log file is very small and the first one that I lost was longer.

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-08 13:10:55
Windows 5.1.2600 Service Pack 3


---- Kernel code sections - GMER 1.0.15 ----

.text pci.sys F759754E 1 Byte [88]
.text pci.sys F7597557 1 Byte [7F]
.text pci.sys F7597569 1 Byte [29]
.text pci.sys F75975B7 1 Byte [E9]
.text pci.sys F759776A 1 Byte [6C]
.text ...

---- EOF - GMER 1.0.15 ----

#5 Evoni (Topic Starter)

Posted 08 May 2009 - 04:36 PM

I just ran Malwarebytes' Anti-Malware 1.36 and this time it didn't find anything. Does that mean that GMER might have solved the problem on that first go-around when I failed to save the log? I didn't see any messages from it about cleaning or anything.

Latest Log:

Malwarebytes' Anti-Malware 1.36
Database version: 2085
Windows 5.1.2600 Service Pack 3

5/8/2009 2:29:41 PM
mbam-log-2009-05-08 (14-29-41).txt

Scan type: Full Scan (A:\|C:\|D:\|)
Objects scanned: 195932
Time elapsed: 48 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 Evoni (Topic Starter)

Posted 08 May 2009 - 05:33 PM

Looks like my problems aren't over. I reinstalled McAfee after disabling it for GMER, and about 10 minutes after reinstalling, without me going to any websites except Yahoo email and then McAfee, I got a quick pop-up from McAfee that said something about an Artemis trojan that it blocked. However, the pop-up went away too quickly to write down exactly what it said.

#7 boopme (Global Moderator)

Posted 08 May 2009 - 05:34 PM

It should have. Let's see if something else is here.

Run ATF and SAS:
From your regular user account:
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to the desktop.
DO NOT run yet.
Open SUPER from the icon, install it and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode using the arrow keys.
  • Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use the Firefox or Opera browser, click that browser at the top and choose: Select All.
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW scan with SUPER
Open it from the desktop icon or the Program Files list.
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions, post logs and let us know how the PC is running now.

#8 Evoni (Topic Starter)

Posted 08 May 2009 - 06:47 PM

I haven't completed your latest instructions because I was running a full scan with McAfee. McAfee found 4 things.

One was Artemis! 72E8619CB31D

Second item: Artemis!11356AFC9E3B

3rd item: Artemis! 1A572A4C11BD

4th item: W32/Spybot.worm!e

Please reply back and let me know if your instructions stand as is, or if the above information changes what I should do.

Thanks.

#9 boopme (Global Moderator)

Posted 08 May 2009 - 07:14 PM

The Spybot worm has a large family. We will need to run another tool also I suspect. Will wait for SAS log.

#10 Evoni (Topic Starter)

Posted 08 May 2009 - 10:29 PM

SUPERAntispyware log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/08/2009 at 07:56 PM

Application Version : 4.26.1002

Core Rules Database Version : 3884
Trace Rules Database Version: 1832

Scan type : Complete Scan
Total Scan Time : 01:22:13

Memory items scanned : 243
Memory threats detected : 0
Registry items scanned : 5860
Registry threats detected : 14
File items scanned : 30290
File threats detected : 11

Adware.SideStep Toolbar
HKLM\Software\Classes\CLSID\{83B28A74-640D-48F4-9F51-E80EED7CC7E0}
HKCR\CLSID\{83B28A74-640D-48F4-9F51-E80EED7CC7E0}
HKCR\CLSID\{83B28A74-640D-48F4-9F51-E80EED7CC7E0}
HKCR\CLSID\{83B28A74-640D-48F4-9F51-E80EED7CC7E0}\Implemented Categories
HKCR\CLSID\{83B28A74-640D-48F4-9F51-E80EED7CC7E0}\Implemented Categories\{00021493-0000-0000-C000-000000000046}
HKCR\CLSID\{83B28A74-640D-48F4-9F51-E80EED7CC7E0}\InprocServer32
HKCR\CLSID\{83B28A74-640D-48F4-9F51-E80EED7CC7E0}\InprocServer32#ThreadingModel
C:\WINDOWS\DOWNLOADED PROGRAM FILES\SBCIE028.DLL
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\{83B28A74-640D-48F4-9F51-E80EED7CC7E0}
HKU\S-1-5-21-1214440339-1788223648-725345543-1003\Software\Microsoft\Internet Explorer\Explorer Bars\{83B28A74-640D-48F4-9F51-E80EED7CC7E0}

Rogue.Component/Trace
HKLM\Software\Microsoft\C0C77A21
HKLM\Software\Microsoft\C0C77A21#c0c77a21
HKLM\Software\Microsoft\C0C77A21#Version
HKLM\Software\Microsoft\C0C77A21#c0c7d7a1
HKLM\Software\Microsoft\C0C77A21#c0c7be44

Adware.Tracking Cookie
.atwola.com [ C:\Documents and Settings\Diana\Application Data\Mozilla\Profiles\default\x9s9lpx6.slt\cookies.txt ]
.edge.ru4.com [ C:\Documents and Settings\Diana\Application Data\Mozilla\Profiles\default\x9s9lpx6.slt\cookies.txt ]
.jhot.cjt1.net [ C:\Documents and Settings\Diana\Application Data\Mozilla\Profiles\default\x9s9lpx6.slt\cookies.txt ]
.jhot.cjt1.net [ C:\Documents and Settings\Diana\Application Data\Mozilla\Profiles\default\x9s9lpx6.slt\cookies.txt ]
.trafficmp.com [ C:\Documents and Settings\Diana\Application Data\Mozilla\Profiles\default\x9s9lpx6.slt\cookies.txt ]
.trafficmp.com [ C:\Documents and Settings\Diana\Application Data\Mozilla\Profiles\default\x9s9lpx6.slt\cookies.txt ]
.trafficmp.com [ C:\Documents and Settings\Diana\Application Data\Mozilla\Profiles\default\x9s9lpx6.slt\cookies.txt ]
.trafficmp.com [ C:\Documents and Settings\Diana\Application Data\Mozilla\Profiles\default\x9s9lpx6.slt\cookies.txt ]
ad.trafficmp.com [ C:\Documents and Settings\Diana\Application Data\Mozilla\Profiles\default\x9s9lpx6.slt\cookies.txt ]
one.123counters.com [ C:\Documents and Settings\Diana\Application Data\Mozilla\Profiles\default\x9s9lpx6.slt\cookies.txt ]


Where do I go from here? Thanks!

#11 Evoni (Topic Starter)

Posted 09 May 2009 - 12:08 PM

Currently I'm holding the computer in safe mode, while borrowing my son's laptop. Any ideas what I should do next? Thanks!

#12 boopme (Global Moderator)

Posted 09 May 2009 - 12:20 PM

Hello, almost done I believe. SDFix runs best in safe mode.
Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights".
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.


Then we should rerun MBAM like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

#13 Evoni (Topic Starter)

Posted 09 May 2009 - 04:18 PM

Here's the SDFix log. I will now start MBAM again and post anything I learn from that. Are these hidden files part of my problem?

SDFix: Version 1.240
Run by Diana on Sat 05/09/2009 at 01:44 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFIX

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-09 14:04:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 1


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"="C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe:*:Enabled:LaunchPad"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\1125416440\\ee\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1125416440\\ee\\AOLServiceHost.exe:*:Enabled:AOL Services"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :



Files with Hidden Attributes :

Thu 11 Sep 2008 1,977 ...HR --- "C:\found.002\dir0001.chk\securom_v7_01.bak"
Fri 14 Nov 2003 19,968 A..H. --- "C:\MyOldDrive\Biology Labs\~WRL1931.tmp"
Mon 7 Jun 2004 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 18 Jan 2004 102,400 A..H. --- "C:\MyOldDrive\Desktop\las vegas\~WRL0002.tmp"
Sat 9 Mar 2002 40,448 A..H. --- "C:\MyOldDrive\Matt\MattScienceProject\Deciduous Project\~WRL0243.tmp"
Wed 13 Mar 2002 259,072 A..H. --- "C:\MyOldDrive\Matt\MattScienceProject\fresh water\~WRL0001.tmp"
Wed 13 Mar 2002 256,512 A..H. --- "C:\MyOldDrive\Matt\MattScienceProject\fresh water\~WRL0004.tmp"
Wed 1 Oct 2008 2,866 ...HR --- "C:\Documents and Settings\Diana\Application Data\SecuROM\UserData\securom_v7_01.bak"
Mon 9 Oct 2006 196,608 A..H. --- "C:\Documents and Settings\Diana\Desktop\personal\cupertino high school\12 grade\~WRL2249.tmp"
Sun 24 Sep 2006 23,552 A..H. --- "C:\Documents and Settings\Diana\Desktop\personal\cupertino high school\12 grade\~WRL2352.tmp"
Sun 24 Sep 2006 24,064 A..H. --- "C:\Documents and Settings\Diana\Desktop\personal\cupertino high school\12 grade\~WRL2648.tmp"
Sat 25 Feb 2006 57,344 A..H. --- "C:\Documents and Settings\Diana\Desktop\personal\lake tahoe\baltic cruise\~WRL0903.tmp"
Sat 25 Feb 2006 136,192 A..H. --- "C:\Documents and Settings\Diana\Desktop\personal\lake tahoe\baltic cruise\~WRL1473.tmp"
Sat 25 Feb 2006 134,656 A..H. --- "C:\Documents and Settings\Diana\Desktop\personal\lake tahoe\baltic cruise\~WRL1972.tmp"
Sat 25 Feb 2006 99,328 A..H. --- "C:\Documents and Settings\Diana\Desktop\personal\lake tahoe\baltic cruise\~WRL2990.tmp"
Mon 10 Apr 2006 44,032 A..H. --- "C:\Documents and Settings\Diana\Desktop\personal\lake tahoe\baltic cruise\reservations\~WRL0003.tmp"
Wed 12 Apr 2006 46,080 A..H. --- "C:\Documents and Settings\Diana\Desktop\personal\lake tahoe\baltic cruise\reservations\~WRL0056.tmp"
Wed 12 Apr 2006 45,056 A..H. --- "C:\Documents and Settings\Diana\Desktop\personal\lake tahoe\baltic cruise\reservations\~WRL0620.tmp"
Mon 10 Apr 2006 20,480 A..H. --- "C:\Documents and Settings\Diana\Desktop\personal\lake tahoe\baltic cruise\reservations\~WRL0831.tmp"
Wed 12 Apr 2006 45,056 A..H. --- "C:\Documents and Settings\Diana\Desktop\personal\lake tahoe\baltic cruise\reservations\~WRL1758.tmp"
Tue 28 Feb 2006 21,504 A..H. --- "C:\Documents and Settings\Diana\Desktop\personal\lake tahoe\baltic cruise\reservations\~WRL2165.tmp"
Tue 28 Feb 2006 22,016 A..H. --- "C:\Documents and Settings\Diana\Desktop\personal\lake tahoe\baltic cruise\reservations\~WRL3472.tmp"
Wed 12 Apr 2006 20,480 A..H. --- "C:\Documents and Settings\Diana\Desktop\personal\lake tahoe\baltic cruise\reservations\~WRL3795.tmp"

Finished!
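Two sections of that SDFix report reward a second look rather than a skim: the "Authorized Application Key Export" is the list of programs the Windows XP firewall lets through, and the "Files with Hidden Attributes" list mixes ordinary leftovers (the ~WRLnnnn.tmp files are Word's autosave temporaries) with files carrying the System attribute that are worth identifying. The script below is an added example written for this page, not part of SDFix or of the thread: it parses both sections, decodes the five-column attribute string (this example reads columns 0, 2, 3 and 4 as Archive, System, Hidden and Read-only and leaves column 1 undecoded, which is its assumption), and flags enabled, any-address firewall exceptions whose program lives outside the Windows and Program Files trees. The sample report is constructed from lines quoted above plus one made-up Temp-folder exception (updater.exe) so the flagging has something to catch.

```python
import re

# Constructed sample in the layout of the SDFix Report.txt quoted above. The updater.exe entry is
# invented for this example so that suspicious_exceptions() has something to flag.
SAMPLE_REPORT = r"""Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Documents and Settings\\Diana\\Local Settings\\Temp\\updater.exe"="C:\\Documents and Settings\\Diana\\Local Settings\\Temp\\updater.exe:*:Enabled:updater"

Files with Hidden Attributes :

Thu 11 Sep 2008 1,977 ...HR --- "C:\found.002\dir0001.chk\securom_v7_01.bak"
Fri 14 Nov 2003 19,968 A..H. --- "C:\MyOldDrive\Biology Labs\~WRL1931.tmp"
Mon 7 Jun 2004 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"

Finished!
"""

# One exported registry value: "path"="path:scope:Enabled|Disabled:display name"
EXCEPTION_RE = re.compile(r'^"(?P<key>[^"]+)"="(?P<value>[^"]+)"$')
# One hidden-file line: weekday day month year  size  attribute-columns --- "path"
HIDDEN_RE = re.compile(
    r'^(?P<date>\w{3} \d{1,2} \w{3} \d{4}) (?P<size>[\d,]+) (?P<attrs>[A-Z.]{5}) --- "(?P<path>.+)"$')
WORD_TEMP_RE = re.compile(r"\\~WRL\d{4}\.tmp$", re.IGNORECASE)

# Program locations this example treats as expected for firewall exceptions (its own heuristic).
TRUSTED_PREFIXES = ("%windir%\\", "c:\\windows\\", "c:\\program files\\")
# Attribute columns as this example reads them; column 1 is left undecoded (assumption).
ATTR_FLAGS = {0: "archive", 2: "system", 3: "hidden", 4: "read-only"}


def parse_firewall_exceptions(text):
    """Return one dict per exported firewall exception: path, scope, enabled flag, display name."""
    out = []
    for line in text.splitlines():
        m = EXCEPTION_RE.match(line.strip())
        if not m:
            continue
        # The .reg export doubles every backslash; collapse them back to real paths.
        key = m["key"].replace("\\\\", "\\")
        value = m["value"].replace("\\\\", "\\")
        if not value.lower().startswith(key.lower() + ":"):
            continue  # malformed: the value must begin with the same program path
        parts = value[len(key) + 1:].split(":", 2)
        if len(parts) != 3:
            continue
        scope, state, name = parts
        out.append({"path": key, "scope": scope,
                    "enabled": state.lower() == "enabled", "name": name})
    return out


def suspicious_exceptions(exceptions):
    """Enabled, any-address ('*') exceptions whose program sits outside the trusted trees."""
    return [e for e in exceptions
            if e["enabled"] and e["scope"] == "*"
            and not e["path"].lower().startswith(TRUSTED_PREFIXES)]


def parse_hidden_files(text):
    """Return one dict per 'Files with Hidden Attributes' line with the attribute set decoded."""
    out = []
    for line in text.splitlines():
        m = HIDDEN_RE.match(line.strip())
        if not m:
            continue
        attrs = {name for pos, name in ATTR_FLAGS.items() if m["attrs"][pos] != "."}
        out.append({"date": m["date"], "size": int(m["size"].replace(",", "")),
                    "attrs": attrs, "path": m["path"]})
    return out


def hidden_files_of_interest(files):
    """Drop Word autosave leftovers and keep files that also carry the System attribute."""
    return [f for f in files
            if not WORD_TEMP_RE.search(f["path"]) and "system" in f["attrs"]]


if __name__ == "__main__":
    for e in suspicious_exceptions(parse_firewall_exceptions(SAMPLE_REPORT)):
        print("firewall exception outside trusted trees:", e["path"])
    for f in hidden_files_of_interest(parse_hidden_files(SAMPLE_REPORT)):
        print("system+hidden file:", f["path"], sorted(f["attrs"]))
```

On the report as posted, the real exceptions all resolve to %windir% or Program Files and only the constructed Temp-folder entry is flagged; of the hidden files, only DRMv1.bak carries the System attribute, and the thread's answer to "are these hidden files part of my problem?" is consistent with that: the ~WRL temporaries are not.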

#14 Evoni (Topic Starter)

Posted 09 May 2009 - 05:09 PM

MBAM log too. I ended up doing a full scan with this not a quick one and this is the result. Does this mean I should be clean now?

Malwarebytes' Anti-Malware 1.36
Database version: 2102
Windows 5.1.2600 Service Pack 3

5/9/2009 3:07:25 PM
mbam-log-2009-05-09 (15-07-25).txt

Scan type: Full Scan (A:\|C:\|D:\|)
Objects scanned: 194451
Time elapsed: 46 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#15 boopme (Global Moderator)

Posted 09 May 2009 - 05:36 PM

Hello. Well, this Artemis is fairly new and took me some time to get info. It appears to be a false positive from a new heuristic detection method by McAfee. Some more info on it HERE.

To make sure, we would need to get a sample of the files being flagged. The next time the alerts occur, navigate to the C:\WINDOWS\temp folder and copy the files onto your desktop (or any other folder).


Then submit the file to Virustotal and post back their reply to you here.
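The practical difficulty with the advice above is knowing which file in the temp folder McAfee meant, since the pop-up vanished. The detection names themselves carry that information: an Artemis identifier is the first 12 hex digits of the flagged file's MD5 hash (that is how McAfee documented the naming; treat it as this example's assumption). The script below is an added example written for this page, not a McAfee or BleepingComputer tool: it normalises the three names quoted in post #8 (one has a stray space after the "!"), hashes every file under a folder, and reports the ones whose hash prefix matches, so the right file can be copied out and submitted to VirusTotal as suggested. The `demo()` function builds its own throwaway files so the example runs offline.

```python
import hashlib
import os
import tempfile

HEX_DIGITS = set("0123456789ABCDEF")

# The three names McAfee reported in post #8; one carries a stray space after the "!".
ARTEMIS_ALERTS = ["Artemis! 72E8619CB31D", "Artemis!11356AFC9E3B", "Artemis! 1A572A4C11BD"]


def artemis_prefixes(alerts):
    """Reduce 'Artemis!xxxxxxxxxxxx' detection names to their 12-hex-digit identifiers;
    names of other families (e.g. W32/Spybot.worm!e) are ignored."""
    out = set()
    for alert in alerts:
        name, _, ident = alert.partition("!")
        ident = ident.replace(" ", "").upper()
        if name.strip() == "Artemis" and len(ident) == 12 and set(ident) <= HEX_DIGITS:
            out.add(ident)
    return out


def artemis_id_bytes(data):
    """Assumption used throughout: the identifier is the first 12 hex digits of the MD5."""
    return hashlib.md5(data).hexdigest()[:12].upper()


def artemis_id(path):
    """Same identifier computed over a file on disk, read in chunks so large files are fine."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()[:12].upper()


def find_flagged_files(folder, alerts):
    """Walk `folder` (the Windows temp folder named above, in the real case) and map each wanted
    identifier to the files whose MD5 starts with it. Unreadable files are skipped, not fatal."""
    wanted = artemis_prefixes(alerts)
    hits = {}
    for root, _dirs, files in os.walk(folder):
        for name in files:
            path = os.path.join(root, name)
            try:
                ident = artemis_id(path)
            except OSError:
                continue
            if ident in wanted:
                hits.setdefault(ident, []).append(path)
    return hits


def demo():
    """Constructed end-to-end check: two throwaway files, one of which we pretend was flagged."""
    with tempfile.TemporaryDirectory() as folder:
        target = os.path.join(folder, "sample.bin")
        with open(target, "wb") as f:
            f.write(b"constructed sample content")
        with open(os.path.join(folder, "other.bin"), "wb") as f:
            f.write(b"unrelated content")
        ident = artemis_id(target)
        return find_flagged_files(folder, ["Artemis!" + ident]) == {ident: [target]}


if __name__ == "__main__":
    print("identifiers to look for:", sorted(artemis_prefixes(ARTEMIS_ALERTS)))
    print("demo matched the right file:", demo())
```

A match tells you which file to submit; it does not tell you whether the detection was a false positive, which is exactly why the thread sends the sample to VirusTotal for a second opinion.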
