Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Avira Antivir has found a few warnings


  • This topic is locked This topic is locked
18 replies to this topic

#1 Mo_

Mo_

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:06:04 AM

Posted 12 March 2010 - 11:10 PM

I am not sure where to begin. So, I am starting here, my avira antivir has notfied me that I have about 9 TR/Rootkit.Gen Trojans all located in system 32 folder

not sure what to do so I will ask for help here. My computer doesn't really have any problems. But, one that may be connected to this is sometimes, more specifically today I noticed I had 2 iexplore.exe processes running and I do not run IE at all. Can this be related because I also have trouble updating my IE as it is on IE 6 I have tried to update in the past but it always fails, so I don't use it

I am not quite sure what to do. I have done an Avira scan, and currently doing a MBAM scan. However I did nothing after the avira scan accidentally closed out of the results
Anyways, I need a roadmap. Where should I go from here with my problem of the rootkit trojans? Any help is appreciated.
Thanks, Mo

Edited by Mo_, 12 March 2010 - 11:20 PM.


BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:06:04 AM

Posted 12 March 2010 - 11:48 PM

Hello post the MBAM scan log then run the tools below and we'll go from there. is this an XP,Vista W7 machine?? I have an early clas tomorrow and I 'll look back after it.

Next run ATF and SAS: If you cannot access Safe Mode,run in normal ,but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining
.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode
.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program
.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.



We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
Please ask any needed questions,post logs and Let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Mo_

Mo_
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:06:04 AM

Posted 13 March 2010 - 12:06 AM

sorry windows xp, I will do the following when mbam is done it has been scanning for 6+ hours. Anyways I will do my best to keep you updated but tomorrow I may be away from my computer for almost all of tomorrow. I should be able to post the logs and then I will probably be away

Edited by Mo_, 13 March 2010 - 12:09 AM.


#4 Mo_

Mo_
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:06:04 AM

Posted 13 March 2010 - 10:53 AM

here is the mbam log. I am beginning the next steps now. I also noticed when rebooting my computer I have 2 iexplore.exe processes running. Also I use IDM (Internet Download Manager) and it asks me if I want to download some file that ends in .bin , but I keep pressing cancel. This happened when I rebooted. So now I am a little worried this is more serious than I thought because I don't remember these processes before. Plus, when I first decided that something was wrong it was when i was on Mozilla FF and it closed and Avira popped up and said something about a trojan and IDM also said do you want to download this ".bin" file

Sorry if this is confusing, but I can clarify. Anyways I am downloading ATF and SAS now

WELL NOW I AM CURRENTLY IN SAFE MODE AND SCANNING WITH SAS, THANKS SO FAR. I WILL KEEP YOU UPDATED

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

3.13.2010 10:45:08 AM
mbam-log-2010-03-13 (10-44-53).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 396760
Time elapsed: 7 hour(s), 20 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: iecsedp.dll -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\iecsedp.dll (Trojan.Vundo.H) -> No action taken.
C:\Documents and Settings\MOMO\Application Data\avdrn.dat (Malware.Trace) -> No action taken.

Edited by Mo_, 13 March 2010 - 12:37 PM.


#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:06:04 AM

Posted 14 March 2010 - 12:45 PM

Hello, did you click "Remove Selected " after that scan... We need an update and rescan here. The SAS and RootRepeal logs too please..

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#6 Mo_

Mo_
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:06:04 AM

Posted 14 March 2010 - 09:24 PM

No I did not remove selected, but I will redo what you say. SAS has finished I will post a log soon and I am downloading rootrepeal now

#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:06:04 AM

Posted 14 March 2010 - 09:33 PM

Cool ... post all logs please.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#8 Mo_

Mo_
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:06:04 AM

Posted 14 March 2010 - 09:48 PM

Here is the SAS log. RUNNING rootrepealer now

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/13/2010 at 08:34 PM

Application Version : 4.34.1000

Core Rules Database Version : 4670
Trace Rules Database Version: 2482

Scan type : Complete Scan
Total Scan Time : 07:57:27

Memory items scanned : 224
Memory threats detected : 0
Registry items scanned : 7846
Registry threats detected : 0
File items scanned : 236512
File threats detected : 2

Trojan.Dropper/Start-WV
C:\DOCUMENTS AND SETTINGS\MOMO\START MENU\PROGRAMS\STARTUP\WINESM32.EXE

Trojan.Agent/Gen-HackPatch
C:\PROGRAM FILES\ROSETTA STONE\ROSETTA STONE V3\ROSETTA.STONE.V3.PATCH.EXE

Edited by Mo_, 14 March 2010 - 10:47 PM.


#9 Mo_

Mo_
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:06:04 AM

Posted 14 March 2010 - 10:59 PM

rootrepeal seems to be stuck on initializing, please wait

it has been about 15-20 min should I restart the PC and try again? or what?

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:06:04 AM

Posted 15 March 2010 - 02:00 PM

Reboot and use Sophos
Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rookit User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now".
  • Click Yes and allow the driver and its randomly named .tmp file (i.e. F.tmp) to load if asked.
  • If the scan did not start automatically, make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\\Local Settings\Temp\.
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug you Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#11 Mo_

Mo_
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:06:04 AM

Posted 15 March 2010 - 09:07 PM

ok so I will try this instead of rootrepeal

#12 L-DNA

L-DNA

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:04 AM

Posted 16 March 2010 - 03:10 AM

Trojan.Agent/Gen-HackPatch
C:\PROGRAM FILES\ROSETTA STONE\ROSETTA STONE V3\ROSETTA.STONE.V3.PATCH.EXE


ROFL! I wonder where your rootkit came from?
Next time you download torrent files I suggest you sandbox them first.

A good rootkit will be well hidden from windows no matter which tools you use, you need to scan for them outside of windows. I suggest you use a linux recovery cd for this.

Edited by L-DNA, 16 March 2010 - 03:14 AM.


#13 Mo_

Mo_
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:06:04 AM

Posted 16 March 2010 - 11:35 AM

the scan finished, but all rootkits are removable, however they all say cleanup not recommended for this file

Edited by Mo_, 16 March 2010 - 11:38 AM.


#14 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:06:04 AM

Posted 16 March 2010 - 11:50 AM

Ok we will remove them but at BC we remove them in another forum..

And yes we know they are from downloading Cracked software,hopefully they will realize that this time they were firtunate enough ot to have downloaded a PC killer.

DDS LOG
We need a deeper look,please go here....
Preparation Guide ,do steps 6 - 9.

Create a DDS log and post it in the new topic from step 9.
If Gmer won't run,skip it and move on.
Let me know if that went well.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#15 Mo_

Mo_
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:06:04 AM

Posted 16 March 2010 - 11:54 AM

so should I not remove the rootkit files now and move on to that step? should I still post the rootkit log or go straight to that next step?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users