
I ran Search and Destroy and found this



#1 CalusBlade (Members, 538 posts)
Posted 16 August 2009 - 08:40 AM

Win32.IRCbot.kow

I googled it and people are saying it could be fake. I ran a malware quick scan and nothing was found. I am going to scan with SUPERAntiSpyware after Norton. But can anyone confirm if it's fake or not?


#2 boopme (Global Moderator, 73,221 posts, NJ USA)
Posted 16 August 2009 - 09:30 AM

This is possibly a false positive. We should double-check it before we take action.
Post the SAS log you get if something is found. IRCbots are very dangerous, so we want to be certain.

Let's upload this file for a second opinion on what it actually is.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows

Please click this link: Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.
<filepath>suspect.file

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

NOTE:
For submission to a specific anti-virus vendor see Submitting Virus Samples: How to Submit a Virus.


Next, I suggest you also run this to be sure.

We need to check for rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive.
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes (every scan type listed).
  • Push Ok.
  • Check the box for your main system drive (usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook
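A note on the "second opinion" step above. Win32.IRCbot.kow is the name Spybot gave its detection, not a file; what Jotti or VirusTotal needs is the file at whatever path the Spybot result pointed to (the `<filepath>suspect.file` placeholder in the instructions). Before uploading anything, a helper normally hashes the file locally and searches the multi-engine service by hash: if the file has already been seen, that gives the same verdict without sending a possibly sensitive file anywhere. The script below is an added example, not part of this thread or of any of the tools mentioned in it. It streams the file through MD5, SHA-1 and SHA-256 (the digests those services key their reports on) and builds a search-by-hash URL; the `https://www.virustotal.com/gui/file/<sha256>` URL form and the function names are assumptions, and the sample file it writes is constructed.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so a large sample never has to fit in memory


def hash_chunks(chunks):
    """MD5, SHA-1 and SHA-256 hex digests of an iterable of byte chunks.
    All three are fed from one pass so the file is read only once."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data):
    """Digests of an in-memory buffer (small files, test data)."""
    return hash_chunks([data])


def file_hashes(path):
    """Digests of the file at `path`, streamed in CHUNK-sized reads."""
    with open(path, "rb") as fh:
        return hash_chunks(iter(lambda: fh.read(CHUNK), b""))


def virustotal_lookup_url(digests):
    """Search-by-hash URL to check before uploading. URL form is an assumption,
    not something taken from the thread."""
    return "https://www.virustotal.com/gui/file/" + digests["sha256"]


def hash_report(path):
    """The fields worth pasting into a forum reply: path, size, digests, lookup URL."""
    digests = file_hashes(path)
    return {"path": path, "size": os.path.getsize(path), **digests,
            "lookup": virustotal_lookup_url(digests)}


if __name__ == "__main__":
    # Constructed stand-in for the flagged file; the real one is the path Spybot
    # reported, not the detection name itself.
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "suspect.file")
        with open(sample, "wb") as fh:
            fh.write(b"constructed sample bytes, not malware\n")
        for key, value in hash_report(sample).items():
            print(f"{key}: {value}")
```

If the hash search returns nothing, the file is genuinely unknown to the service and uploading it is the next step; if it returns a report, the detection ratio there is the second opinion boopme asked for.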

#3 CalusBlade (Topic Starter, Members, 538 posts)
Posted 16 August 2009 - 02:52 PM

SAS found nothing. I'm going to run safe mode and scan again. Also, what does that virus do?

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/08/16 15:47
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF19C4000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8A7E000 Size: 8192 File Visible: No Signed: -
Status: -

Name: giveio.sys
Image Path: giveio.sys
Address: 0xF8AFE000 Size: 1664 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF0977000 Size: 49152 File Visible: No Signed: -
Status: -

Name: speedfan.sys
Image Path: speedfan.sys
Address: 0xF8A3C000 Size: 5248 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\documents and settings\kenny\local settings\temp\etilqs_cpfbfmuj0n0wefdxbv0o
Status: Allocation size mismatch (API: 32768, Raw: 0)

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x822b5098

#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x822b5120

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x821760c0

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x82336118

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x82227090

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x8223cb68

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\Program Files\Symantec\SYMEVENT.SYS" at address 0xf1dea350

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x8215b5b0

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x82243400

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x82226d90

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x82338188

#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x82251420

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x8215c508

#: 129 Function Name: NtOpenThreadToken
Status: Hooked by "<unknown>" at address 0x82171af8

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "<unknown>" at address 0x82391448

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x822465b8

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x8216f680

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x8215a5d8

#: 229 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x8216dcb8

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\Program Files\Symantec\SYMEVENT.SYS" at address 0xf1dea580

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x823350e8

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x8216d418

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xf1b22df0

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x8216d868

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x8215acb8

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x821d4888

==EOF==

Edited by CalusBlade, 16 August 2009 - 04:13 PM.
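How a helper reads a report like the one above, and an added example that is not part of the thread or of RootRepeal. The SSDT section is what usually alarms people. Two hooks are attributed to SYMEVENT.SYS (Norton) and one to SASKUTIL.sys (SUPERAntiSpyware); the rest show an owner of "<unknown>" at addresses around 0x82xxxxxx, which on 32-bit XP is dynamically allocated kernel memory rather than the image of any loaded driver, so RootRepeal has no module name to print. Both rootkits and some security products place hooks that way, so an unattributed hook is a lead to correlate with the security software that is installed, not a verdict by itself. The Drivers section lists only drivers RootRepeal flagged: giveio.sys and speedfan.sys are the SpeedFan hardware-monitoring tool's drivers, dump_atapi.sys and dump_WMILIB.SYS are XP's crash-dump drivers, and rootrepeal.sys is the scanner itself. The etilqs_ file under Temp is a SQLite temporary file, which the browser or other software creates and deletes while running; an allocation-size mismatch on such a file is common. The script below parses a report in this layout into records, counts hooks per owner, tries to attribute each "<unknown>" hook to a listed driver's address range, and pulls out hidden-file allocation mismatches. The embedded report is a constructed excerpt of the one posted above; all function and regex names are assumptions.

```python
import re
from collections import Counter

# Constructed excerpt of a RootRepeal report in the layout posted above:
# section name, dashed underline, blank-line-separated records.
SAMPLE_LOG = """\
ROOTREPEAL AD, 2007-2009
==================================================

Drivers
-------------------
Name: giveio.sys
Image Path: giveio.sys
Address: 0xF8AFE000 Size: 1664 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\\documents and settings\\kenny\\local settings\\temp\\etilqs_cpfbfmuj0n0wefdxbv0o
Status: Allocation size mismatch (API: 32768, Raw: 0)

SSDT
-------------------
#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\\Program Files\\Symantec\\SYMEVENT.SYS" at address 0xf1dea350

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\\Program Files\\SUPERAntiSpyware\\SASKUTIL.sys" at address 0xf1b22df0

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x821d4888

==EOF==
"""

SECTION_RE = re.compile(r"^(?P<name>[^\n]+)\n-{5,}\n", re.M)   # "Name" over a dashed line
NAME_RE = re.compile(r"^Name: (.+)$")
DRIVER_RE = re.compile(r"Address: 0x([0-9A-Fa-f]+) Size: (\d+) File Visible: (\w+)")
ENTRY_RE = re.compile(r"#: (\d+) Function Name: (\w+)")
HOOK_RE = re.compile(r'Hooked by "([^"]+)" at address 0x([0-9A-Fa-f]+)')


def first_match(regex, lines):
    """First match of regex over a record's lines, or None."""
    return next((m for m in map(regex.search, lines) if m), None)


def parse_sections(text):
    """{section name: [record, ...]}, each record being the list of its lines."""
    text = text.split("==EOF==")[0]
    heads = list(SECTION_RE.finditer(text))
    sections = {}
    for head, nxt in zip(heads, heads[1:] + [None]):
        end = nxt.start() if nxt else len(text)
        body = text[head.end():end].strip()
        sections[head["name"]] = [blk.splitlines() for blk in re.split(r"\n\s*\n", body) if blk.strip()]
    return sections


def parse_drivers(sections):
    """[(name, base, size, file_visible)] from the Drivers section."""
    drivers = []
    for rec in sections.get("Drivers", []):
        name, m = first_match(NAME_RE, rec), first_match(DRIVER_RE, rec)
        if name and m:
            drivers.append((name[1], int(m[1], 16), int(m[2]), m[3] == "Yes"))
    return drivers


def parse_ssdt_hooks(sections):
    """[(index, function, owner, address)] for every hooked SSDT entry."""
    hooks = []
    for rec in sections.get("SSDT", []):
        entry, hook = first_match(ENTRY_RE, rec), first_match(HOOK_RE, rec)
        if entry and hook:
            hooks.append((int(entry[1]), entry[2], hook[1], int(hook[2], 16)))
    return hooks


def module_for_address(addr, drivers):
    """Listed driver whose image range [base, base+size) holds addr, else None.
    RootRepeal lists only flagged drivers, so None means 'not in a listed image', not 'malicious'."""
    for name, base, size, _ in drivers:
        if base <= addr < base + size:
            return name
    return None


def triage(text):
    """Hook owners, hooks nobody claims, drivers with no visible file, hidden-file size mismatches."""
    sections = parse_sections(text)
    drivers = parse_drivers(sections)
    hooks = parse_ssdt_hooks(sections)
    return {
        "hooks_by_owner": dict(Counter(owner for _, _, owner, _ in hooks)),
        "unattributed_hooks": [(func, hex(addr)) for _, func, owner, addr in hooks
                               if owner == "<unknown>" and module_for_address(addr, drivers) is None],
        "invisible_drivers": [name for name, _, _, visible in drivers if not visible],
        "allocation_mismatches": [rec[0].split(": ", 1)[1] for rec in sections.get("Hidden/Locked Files", [])
                                  if any("Allocation size mismatch" in line for line in rec)],
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Run against the full report posted above, the unattributed list holds every "<unknown>" hook, since none of the 0x82xxxxxx addresses falls inside any listed driver image; the next step for a helper is to match those against the Norton and SUPERAntiSpyware components that are known to be present before treating any of them as a rootkit.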


#4 CalusBlade (Topic Starter, Members, 538 posts)
Posted 16 August 2009 - 03:26 PM

By the way, I don't understand the Jotti part. Is suspect.file a file name? I can't find it.

#5 CalusBlade (Topic Starter, Members, 538 posts)
Posted 17 August 2009 - 07:53 PM

I did a bunch of scans in safe mode and found nothing.

#6 CalusBlade (Topic Starter, Members, 538 posts)
Posted 26 August 2009 - 11:26 AM

Does this mean everything is fine?

#7 boopme (Global Moderator, 73,221 posts, NJ USA)
Posted 26 August 2009 - 01:52 PM

Hi, you look OK. How is it running?

The suspect file, Win32.IRCbot.kow, was what I wanted you to upload to Jotti for a scan.

#8 CalusBlade (Topic Starter, Members, 538 posts)
Posted 26 August 2009 - 07:27 PM

It seems OK.

#9 boopme (Global Moderator, 73,221 posts, NJ USA)
Posted 26 August 2009 - 09:07 PM

OK, then, if all is good.
Now you should create a new restore point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they can sometimes reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen, then click "Next". Give the restore point a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created restore point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista users can refer to these links: Create a New Restore Point and Disk Cleanup.



