
Pandex rootkit


1 reply to this topic

#1 onebir


  • Members
  • 1 posts

Posted 29 December 2009 - 06:11 AM

Hello, my computer (winXP SP3) seems to be running perfectly normally, but reading on this forum I found out about Malwarebytes Anti-Malware - and decided to run it as a precaution. It found several infections - not caught by AVG - and was able to deal with them:

Quick scan:

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{54ebd53a-9bc1-480b-966a-843a333ca162} (Spyware.OnlineGames) -> Quarantined and deleted successfully.

After this +ve from a quick scan, I decided to run a full scan:

Files Infected:
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP849\A0109881.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Birone\Local Settings\Application Data\Google\Google Talk Plugin\redirect\googletalkplugin.exe (Trojan.Vundo) -> Quarantined and deleted successfully.


Despite Anti-Malware's removal of the files, this worried me so I decided to scan with lopSD:

--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-29 08:04:58
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden files: 0

--------------------\\ Searching for other infections

--------------------\\ ROOTKIT !!

Rootkit Pandex ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_HOOKSYS]
Rootkit Pandex ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\HookSys]
Rootkit Pandex ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_HOOKSYS]
Rootkit Pandex ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_HOOKSYS]
Rootkit Pandex ! .. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HOOKSYS]


Risking sounding stupid, does this mean there's an active rootkit pandex infection? (I thought maybe it might be some stray files left over from a previously cleared one, for example.)

What (if anything) do I need to do next? Thanks in advance for any help!

(Apologies if the information here
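As an added example (not code from this post or from any of the tools named in it), a small Python triage script that parses the three line formats quoted above, Malwarebytes result lines, catchme counters, and LopSD rootkit lines, into findings and then separates what was already quarantined from what is still registered on the system. The sample input is constructed from the same formats; the distinction it draws between a Services\<name> key and the Enum\Root\LEGACY_<NAME> keys is a general Windows driver-registration fact, not something the post states.

```python
import re
from typing import Dict, List

# Constructed sample in the three line formats quoted in the post above
# (Malwarebytes result lines, catchme counters, LopSD rootkit lines).
SAMPLE_LOG = r"""
C:\Documents and Settings\Birone\Local Settings\Application Data\Google\Google Talk Plugin\redirect\googletalkplugin.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{54ebd53a-9bc1-480b-966a-843a333ca162} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
hidden processes: 0
hidden files: 0
Rootkit Pandex ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\HookSys]
Rootkit Pandex ! .. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HOOKSYS]
"""

MBAM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
CATCHME_RE = re.compile(r"^hidden (?P<what>processes|files): (?P<count>\d+)$")
LOPSD_RE = re.compile(r"^Rootkit (?P<name>\S+) ! \.\. \[(?P<key>[^\]]+)\]$")


def parse_scan_log(text: str) -> List[Dict[str, str]]:
    """One record per recognised finding; lines in other formats are skipped."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        for source, pattern in (("mbam", MBAM_RE), ("catchme", CATCHME_RE), ("lopsd", LOPSD_RE)):
            m = pattern.match(line)
            if m:
                findings.append({"source": source, **m.groupdict()})
                break
    return findings


def triage(findings: List[Dict[str, str]]) -> Dict[str, object]:
    r"""Separate what was already quarantined from what is still registered.

    A rootkit hit under SYSTEM\...\Services\<name> is a live service definition that
    can load the driver at boot; Enum\Root\LEGACY_<NAME> keys are the records the PnP
    manager creates once such a non-PnP driver has been started. Either kind means
    the rootkit is registered, not just leftover files, so the case is escalated.
    """
    quarantined = [f["item"] for f in findings
                   if f["source"] == "mbam" and f["action"].startswith("Quarantined")]
    hidden = sum(int(f["count"]) for f in findings if f["source"] == "catchme")
    rootkit_keys = [f["key"] for f in findings if f["source"] == "lopsd"]
    return {
        "quarantined": quarantined,
        "hidden_objects": hidden,
        "rootkit_service_keys": [k for k in rootkit_keys if "\\Services\\" in k],
        "rootkit_legacy_keys": [k for k in rootkit_keys if "\\Enum\\Root\\LEGACY_" in k],
        "escalate": bool(rootkit_keys or hidden),
    }
```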


#2 boopme


    To Insanity and Beyond


  • Global Moderator
  • 73,220 posts
  • Gender:Male
  • Location:NJ USA

Posted 02 January 2010 - 06:01 PM

Hello, due to the presence of this rootkit you will need to post in the HJT forum. Include your GMER log.

You will need to run HJT/DDS.
Please follow this guide: go and do steps 6 thru 8 of the Preparation Guide For Use Before Using Hijackthis. Then go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post that complete log.

Let me know if it went OK.