
Infected with Rootkit and Malwares


5 replies to this topic

#1 Vay


  • Members
  • 20 posts

Posted 27 April 2010 - 01:42 PM

I deleted a bunch of malware and possibly the rootkit when I followed some preliminary instructions on removing malware. Now someone brought to my attention that I have a rootkit, which is something hard to remove, and I was directed here after doing DDS and GMER scans.

As mentioned in the topic description, my last Malwarebytes scan apparently "quarantined and deleted" a rootkit, but then I was told that rootkits are not easily gotten rid of, so I am here now for expert advice.

DDS LOG

DDS (Ver_10-03-17.01) - NTFSx86
Run by Wei at 20:31:07.83 on Mon 04/26/2010
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_17
Microsoft Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3292.1437 [GMT -4:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\AERTSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Dell\MySQL\bin\mysqld.exe
c:\Program Files\Common Files\Dell\Advanced Networking Service\hnm_svc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Dell DataSafe Local Backup\sftservice.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Common Files\Dell\apache\bin\httpd.exe
C:\Program Files\Common Files\Dell\Remote Access File Sync Service\dsl_fs_sync.exe
C:\Program Files\Common Files\Dell\apache\bin\httpd.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Dell DataSafe Local Backup\Components\scheduler\STService.exe
C:\Program Files\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe
C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\BOINC\boinctray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\DELL\Printer Software\ErrorApp\DKab1err.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Users\Wei\Program Files\DNA\btdna.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Windows\system32\DKabcoms.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\BOINC\boinc.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\foobar2000\foobar2000.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Wei\Downloads\dds(3).scr

============== Pseudo HJT Report ===============

uSearch Page =
uStart Page = hxxp://www.dogpile.com/
uSearch Bar =
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [DKab1err] c:\program files\dell\printer software\errorapp\DKab1err.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [BitTorrent DNA] "c:\users\wei\program files\dna\btdna.exe"
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [VeohPlugin] "c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1151601.exe -Update -1151601 -"Mozilla/5.0_(Windows;_U;_Windows_NT_6.0;_en-US;_rv:1.9.1.5)_Gecko/20091102_Firefox/3.5.5_(.NET_CLR_3.5.30729)" -"file:///E:/bc_campbell_biology_7/medialib/interactivemedia/activities_c6e/H08/H0807/st06/media.html"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Dell DataSafe Online] "c:\program files\dell datasafe online\DataSafeOnline.exe" /m
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [boincmgr] "c:\program files\boinc\boincmgr.exe" /a /s
mRun: [boinctray] "c:\program files\boinc\boinctray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRunOnce: [Launcher] c:\program files\dell datasafe local backup\components\scheduler\Launcher.exe
mRunOnce: [DSUpdateLauncher] "c:\program files\dell datasafe local backup\components\dsupdate\runhstart.bat"
StartupFolder: c:\users\wei\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\wei\appdata\roaming\mozilla\firefox\profiles\ovtix6px.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampab&query=
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\wei\program files\dna\plugins\npbtdna.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-10-24 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2009-9-9 73728]
R2 Apache2.2;Remote Access Media Server;c:\program files\common files\dell\apache\bin\httpd.exe [2007-9-21 15872]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-10-24 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-10-24 53328]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-10-24 138680]
R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-12-18 155648]
R2 dsl-db;Remote Access DB;c:\program files\common files\dell\mysql\bin\mysqld.exe [2007-9-14 5730304]
R2 dsl-fs-sync;Remote Access File Sync Service;c:\program files\common files\dell\remote access file sync service\dsl_fs_sync.exe [2009-4-13 189680]
R2 RtNdPt60;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt60.sys [2009-9-9 27648]
R2 SftService;SoftThinks Agent Service;c:\program files\dell datasafe local backup\SftService.exe [2009-9-9 648432]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-10-24 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-10-24 352920]
R3 dkab_device;dkab_device;c:\windows\system32\dkabcoms.exe -service --> c:\windows\system32\DKabcoms.exe -service [?]
R3 IntcHdmiAddService;Intel High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-9-9 112128]
S2 gupdate1ca4e03df5cd170;Google Update Service (gupdate1ca4e03df5cd170);c:\program files\google\update\GoogleUpdate.exe [2009-10-15 133104]
S3 ActionReplayDS;ActionReplayDS;c:\windows\system32\drivers\ActionReplayDS.sys [2009-11-30 29184]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\dragon age\bin_ship\daupdatersvc.service.exe [2010-2-1 25832]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]

=============== Created Last 30 ================

2011-01-17 09:39:48 0 d-----w- c:\programdata\NOS
2011-01-17 03:04:38 0 d-----w- c:\program files\PakkISO
2011-01-17 02:57:11 0 d-----w- c:\users\wei\appdata\roaming\fltk.org
2011-01-17 02:12:36 1128 ----a-w- c:\windows\system32\LexFiles.usr
2011-01-12 22:13:37 371 ----a-w- c:\users\wei\Documents - Shortcut.lnk
2010-12-31 22:54:40 0 d-----w- c:\users\wei\appdata\roaming\foobar2000
2010-12-31 22:54:33 0 d-----w- c:\program files\foobar2000
2010-04-26 23:21:40 176 ----a-w- c:\users\wei\defogger_reenable
2010-04-26 17:46:54 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2010-04-26 17:45:39 0 d-----w- c:\program files\Winamp Detect
2010-04-26 04:58:52 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-04-26 04:58:34 0 d-----w- c:\users\wei\appdata\roaming\SUPERAntiSpyware.com
2010-04-26 04:58:34 0 d-----w- c:\program files\SUPERAntiSpyware
2010-04-26 03:10:21 6156 ----a-w- c:\users\wei\.recently-used.xbel
2010-04-26 01:46:05 243677794 ----a-w- c:\windows\MEMORY.DMP
2010-04-15 00:16:28 184 ----a-w- c:\users\wei\appdata\roaming\wklnhst.dat
2010-04-13 22:26:06 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-13 22:26:05 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-13 22:26:05 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-13 22:26:00 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-13 22:25:59 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-13 22:25:56 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-04-13 22:25:42 62464 ----a-w- c:\windows\system32\l3codeca.acm
2010-04-13 22:25:42 220672 ----a-w- c:\windows\system32\l3codecp.acm
2010-04-13 22:25:37 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-13 22:25:37 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-13 22:25:37 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-13 22:24:02 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-13 22:24:00 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-10 23:31:29 0 d-----w- c:\program files\DNA
2010-04-10 21:02:13 279712 ----a-w- c:\windows\system32\drivers\atksgt.sys
2010-04-10 21:02:12 25888 ----a-w- c:\windows\system32\drivers\lirsgt.sys
2010-04-10 20:12:29 0 d-----w- c:\program files\The Witcher Enhanced Edition
2010-04-07 05:42:08 0 d-----w- c:\program files\Vanadis
2010-04-07 05:42:02 304128 ----a-w- c:\windows\IsUn0411.exe
2010-04-07 05:06:27 131072 ----a-w- c:\windows\system32\Ikeext.etl
2010-04-02 22:57:46 0 d-----w- C:\ˆ‚̏—Š•”
2010-04-02 22:47:46 0 d-----w- c:\users\wei\appdata\roaming\NJStar
2010-04-02 22:47:44 0 d-----w- c:\program files\NJStar Japanese WP
2010-04-02 22:37:09 0 d-----w- C:\LUNE
2010-04-02 22:28:50 0 d-----w- c:\program files\DAEMON Tools Lite
2010-03-31 02:44:16 834048 ----a-w- c:\windows\system32\wininet.dll
2010-03-31 02:44:13 78336 ----a-w- c:\windows\system32\ieencode.dll

==================== Find3M ====================

2010-03-30 04:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-19 14:27:04 540672 ----a-w- c:\users\wei\appdata\roaming\DataSafeDotNet.exe
2010-02-24 14:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 08:01:23 51200 ----a-w- c:\windows\inf\infpub.dat
2010-02-24 08:01:22 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-02-24 08:01:22 143360 ----a-w- c:\windows\inf\infstor.dat
2010-02-20 23:06:41 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05:14 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-01-29 23:43:00 39 ----a-w- c:\users\wei\jagex_runescape_preferences.dat
2010-01-29 23:41:43 69 ----a-w- c:\users\wei\jagex_runescape_preferences2.dat
2009-11-17 20:11:54 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-11-22 02:36:29 32768 --sha-w- c:\windows\temp\cookies\index.dat
2009-11-22 02:36:29 32768 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-11-22 02:36:29 49152 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat
2009-09-09 16:06:21 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 20:32:38.06 ===============

Edited by Budapest, 28 April 2010 - 07:46 PM.
Bump removed ~BP
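The DDS log above is the kind of listing a malware-response volunteer reads by eye, and the first pass is always the same handful of questions. As an added example, not part of this thread and not part of the DDS tool, here is a small Python triage script that asks them: browser helper objects still registered but pointing at no file on disk (the {5C255C8A-...} BHO), autoruns launched from the user profile (BitTorrent DNA under c:\users\wei, writable without admin rights), service entries DDS could not stamp with a date and size (the two lines ending in [?]), newly created kernel drivers, and "Created Last 30" entries whose timestamp is later than the scan's own run time (the January 2011 and December 2010 entries in a log run on 26 April 2010). The sample text is constructed from lines of the posted log; the section names follow the DDS banners, but the checks and their names are my own, not DDS semantics.

```python
# Added example: triage of a DDS-style log. Sample text is constructed from lines
# of the log posted above; section names follow the DDS banners, the checks are mine.
import re
from datetime import datetime

SAMPLE_LOG = r"""
DDS (Ver_10-03-17.01) - NTFSx86
Run by Wei at 20:31:07.83 on Mon 04/26/2010
============== Pseudo HJT Report ===============
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
uRun: [BitTorrent DNA] "c:\users\wei\program files\dna\btdna.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
============= SERVICES / DRIVERS ===============
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-10-24 114768]
R3 dkab_device;dkab_device;c:\windows\system32\dkabcoms.exe -service --> c:\windows\system32\DKabcoms.exe -service [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
=============== Created Last 30 ================
2011-01-17 09:39:48 0 d-----w- c:\programdata\NOS
2010-04-26 17:46:54 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2010-04-13 22:26:00 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-10 21:02:13 279712 ----a-w- c:\windows\system32\drivers\atksgt.sys
==================== Find3M ====================
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
RUN_AT_RE = re.compile(r"Run by .+? at (\d\d:\d\d:\d\d)\.\d+ on \w+ (\d\d/\d\d/\d{4})")
CREATED_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \d+ [\w-]+ (.+)$")
AUTORUN_RE = re.compile(r"^[um]run(once)?:", re.IGNORECASE)

CATEGORIES = ("orphan_bho", "user_profile_autorun", "unverified_service",
              "future_timestamp", "new_driver")


def parse_scan_time(text):
    """Scan timestamp from the 'Run by ... at HH:MM:SS.ss on Day MM/DD/YYYY' header."""
    m = RUN_AT_RE.search(text)
    if not m:
        return None
    return datetime.strptime(f"{m.group(2)} {m.group(1)}", "%m/%d/%Y %H:%M:%S")


def iter_sections(text):
    """Yield (section_name, line) for each non-empty line; banner lines switch the section."""
    current = "header"
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        yield current, line


def triage(text):
    """Return {category: [log lines]} for the entries an analyst would ask about first."""
    findings = {c: [] for c in CATEGORIES}
    scan_time = parse_scan_time(text)
    for section, line in iter_sections(text):
        low = line.lower()
        if section == "Pseudo HJT Report":
            # A BHO/toolbar CLSID still registered but pointing at nothing on disk:
            # usually a remnant of an uninstalled or partly removed component.
            if low.startswith(("bho:", "tb:")) and low.endswith("- no file"):
                findings["orphan_bho"].append(line)
            # Autorun whose binary lives in the user profile (writable without admin).
            elif AUTORUN_RE.match(line) and "\\users\\" in low:
                findings["user_profile_autorun"].append(line)
        elif section == "SERVICES / DRIVERS":
            # DDS prints [date size] for binaries it could stat; [?] means it could not.
            if low.endswith("[?]"):
                findings["unverified_service"].append(line)
        elif section == "Created Last 30":
            m = CREATED_RE.match(line)
            if not m:
                continue
            created = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            path = m.group(2).lower()
            # A creation time after the scan itself ran: the clock was wrong at some
            # point, or the timestamp was set deliberately. Either way, ask.
            if scan_time is not None and created > scan_time:
                findings["future_timestamp"].append(line)
            # New kernel drivers are where a rootkit would show up; a Patch Tuesday
            # batch (see the 2010-04-13 files in the real log) is the benign case.
            if path.endswith(".sys") and "\\drivers\\" in path:
                findings["new_driver"].append(line)
    return findings


if __name__ == "__main__":
    for category, lines in triage(SAMPLE_LOG).items():
        print(f"[{category}] {len(lines)} hit(s)")
        for hit in lines:
            print("   ", hit)
```

Every flagged line is a prompt for a question, not a verdict: the two [?] services here are a Dell printer component and a game anti-cheat driver, and a batch of new system files on a Patch Tuesday is expected. The value is in turning a 300-line log into the five or six lines worth asking the poster about, which is what Jintan does below with the odd-character directory.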


#2 Jintan


  • Malware Response Team
  • 531 posts

Posted 01 May 2010 - 09:15 PM

Hello Vay,

So far the only unwanted item showing in these logs is that adware/spyware DAEMON Tools Toolbar (see here). You should be able to uninstall that through Add/Remove Programs without issues. I would like to see what Malwarebytes located though, so open Malwarebytes - Logs tab, double-click the log from the scan you mention, then post those contents back here please.
Ad eundum quo no duck ante iit

#3 Jintan


  • Malware Response Team
  • 531 posts

Posted 01 May 2010 - 09:18 PM

Forgot to ask on some items:

2010-04-02 22:57:46 0 d-----w- C:\ˆ‚̏— •”

Microsoft Windows Vista™

Those odd characters may suggest malware, but more often show in forum logs when there are some non-English system references. Is this copy of Windows using a non-English language, or installed software using that?
Ad eundum quo no duck ante iit
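Jintan's point about the odd characters can be shown rather than guessed at. Windows stores a non-Unicode path in the system ANSI code page (for Japanese, cp932, Microsoft's Shift-JIS), and a viewer or forum that treats those bytes as Western cp1252 prints one glyph per byte. The symbols in the directory name quoted above (ˆ, ‚, —, Š, •, ”) are exactly the cp1252 glyphs for bytes 0x88, 0x82, 0x97, 0x8A, 0x95 and 0x94, all of which fall in the Shift-JIS lead-byte range, which is why a Japanese folder name is the likely reading. The script below is an added example, not from the thread: it garbles a constructed Japanese folder name the same way, recovers it, and, for the case where the source locale is unknown, lists which East Asian code pages give a plausible reading. Recovering the actual path in the log would need its original bytes, which the forum copy no longer has.

```python
# Added example: how a Japanese folder name turns into cp1252 "odd characters"
# in a pasted log, and how to read it back. The folder name is a constructed sample.

CJK_RANGES = ((0x3040, 0x30FF),   # Hiragana and Katakana
              (0x4E00, 0x9FFF),   # CJK Unified Ideographs
              (0xAC00, 0xD7A3))   # Hangul syllables


def is_cjk(ch):
    """True for characters a Japanese, Chinese or Korean path name would contain."""
    return any(lo <= ord(ch) <= hi for lo, hi in CJK_RANGES)


def garble(text, source_codec="cp932", shown_as="cp1252"):
    """Render `text` the way a cp1252 viewer shows its cp932 bytes: one glyph per
    byte. surrogateescape keeps the bytes cp1252 has no glyph for (0x81, 0x8D,
    0x8F, 0x90, 0x9D) as lone surrogates, so the transformation stays reversible."""
    return text.encode(source_codec).decode(shown_as, errors="surrogateescape")


def ungarble(shown, source_codec="cp932", shown_as="cp1252"):
    """Inverse of garble(): recover the original bytes, then decode them properly."""
    return shown.encode(shown_as, errors="surrogateescape").decode(source_codec)


def candidate_readings(shown, codecs=("cp932", "cp949", "gbk", "big5"), shown_as="cp1252"):
    """When the source locale is unknown, try the common East Asian ANSI code pages
    and keep every reading that decodes cleanly and contains CJK text. More than
    one hit is normal (the same byte pairs are valid in several code pages), so the
    result is a shortlist for the analyst, not a verdict."""
    raw = shown.encode(shown_as, errors="surrogateescape")
    readings = {}
    for codec in codecs:
        try:
            text = raw.decode(codec)
        except UnicodeDecodeError:
            continue
        if any(is_cjk(c) for c in text):
            readings[codec] = text
    return readings


if __name__ == "__main__":
    original = r"C:\ゲーム"          # constructed sample: "C:\game" in Japanese
    shown = garble(original)
    print("as a cp1252 viewer shows it:", ascii(shown))   # ascii() because of the lone surrogate
    print("recovered:", ungarble(shown))
    print("plausible readings:", candidate_readings(shown))
```

The practical point for log reading: mojibake made of cp1252 punctuation and accented letters is a code-page mismatch, and the question to ask is the one Jintan asks (what language is the system or the software using), not whether the bytes are malicious. A malicious directory name would still have to survive the same round trip, so the garbled form tells you nothing either way until you know the source code page.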

#4 Vay

  • Topic Starter

  • Members
  • 20 posts

Posted 06 May 2010 - 09:00 PM

QUOTE(Jintan @ May 1 2010, 10:18 PM)
Forgot to ask on some items:

2010-04-02 22:57:46 0 d-----w- C:\ˆ‚̏— •”

Microsoft Windows Vista™

Those odd characters may suggest malware, but more often show in forum logs when there are some non-English system references. Is this copy of Windows using a non-English language, or installed software using that?


Yes, this is non-English.

Edited by Vay, 06 May 2010 - 09:00 PM.


#5 Vay

  • Topic Starter

  • Members
  • 20 posts

Posted 06 May 2010 - 09:04 PM

QUOTE(Jintan @ May 1 2010, 10:15 PM)
Hello Vay,

So far the only unwanted item showing in these logs is that adware/spyware DAEMON Tools Toolbar (see here). You should be able to uninstall that through Add/Remove Programs without issues. I would like to see what Malwarebytes located though, so open Malwarebytes - Logs tab, double-click the log from the scan you mention, then post those contents back here please.


Here is the Malwarebytes log:


Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4039

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

4/26/2010 1:25:25 PM
mbam-log-2010-04-26 (13-25-25).txt

Scan type: Quick scan
Objects scanned: 115901
Time elapsed: 5 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Wei\AppData\Local\Temp\H8SRTe31f.tmp (Rootkit.TDSS.Gen) -> Quarantined and deleted successfully.
C:\Users\Wei\AppData\Local\Temp\TMP2074.tmp (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Users\Wei\AppData\Local\Temp\PRAGMA30d8.tmp (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Users\Wei\AppData\Local\Temp\000056bc (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Users\Wei\AppData\Local\Temp\dhdhtrdhdrtr5y (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Users\Wei\Favorites\_favdata.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\ProgramData\sysReserve.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\Users\Wei\AppData\Local\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
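This log is what turns the thread from "probably just a toolbar" into a rootkit case. Two detections are classed Rootkit.TDSS, and the names of the temp files (the H8SRT and PRAGMA prefixes) are the dropper's staging files. TDSS-family rootkits install a kernel-mode component (in the TDL3 generation, by patching an existing system driver), so "quarantined and deleted successfully" on files in AppData\Local\Temp removes the leftovers, not the rootkit, which is the point Jintan makes in the next reply. As an added example, not part of the thread and not part of Malwarebytes, here is a Python summariser for this log format that groups the detections by class and location and decides whether a rootkit-specific follow-up is warranted. The sample is the posted log plus one constructed line (hypothetical.tmp) showing an item the scanner could not remove on the spot; "Delete on reboot" is assumed to be MBAM's wording for that outcome.

```python
# Added example: summarise a Malwarebytes 1.x log. Entries are copied from the log
# posted above plus one constructed line (hypothetical.tmp) showing an item the
# scanner could not remove; "Delete on reboot" is assumed to be MBAM's wording for that.
import re
from collections import Counter
from pathlib import PureWindowsPath

MBAM_LOG = r"""
Files Infected:
C:\Users\Wei\AppData\Local\Temp\H8SRTe31f.tmp (Rootkit.TDSS.Gen) -> Quarantined and deleted successfully.
C:\Users\Wei\AppData\Local\Temp\TMP2074.tmp (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Users\Wei\AppData\Local\Temp\PRAGMA30d8.tmp (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Users\Wei\AppData\Local\Temp\000056bc (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Users\Wei\AppData\Local\Temp\dhdhtrdhdrtr5y (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Users\Wei\Favorites\_favdata.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\ProgramData\sysReserve.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\Users\Wei\AppData\Local\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Wei\AppData\Local\Temp\hypothetical.tmp (Rootkit.TDSS) -> Delete on reboot.
"""

# "<path> (<threat name>) -> <action>." as MBAM 1.x writes it
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_entries(text):
    """Return the 'Files Infected' entries as dicts with path, threat and action."""
    entries, in_files = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(":"):                      # section header such as "Files Infected:"
            in_files = line.lower().startswith("files infected")
            continue
        m = ENTRY_RE.match(line) if in_files else None
        if m:
            entries.append(m.groupdict())
    return entries


def summarize(entries):
    """Group by threat class and location, and decide whether the rootkit follow-up
    is warranted: any Rootkit.* detection, or any item the scanner could not remove
    on the spot, means the quick scan's clean-up is not the end of the job."""
    by_class = Counter(e["threat"].split(".")[0] for e in entries)
    in_temp = [e for e in entries
               if "temp" in [p.lower() for p in PureWindowsPath(e["path"]).parts]]
    rootkit = [e for e in entries if e["threat"].lower().startswith("rootkit")]
    not_removed = [e["path"] for e in entries
                   if not e["action"].lower().startswith("quarantined and deleted")]
    return {
        "total": len(entries),
        "by_class": dict(by_class),
        "temp_dir": len(in_temp),
        "rootkit_hits": len(rootkit),
        "not_removed": not_removed,
        "needs_rootkit_scan": bool(rootkit or not_removed),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_entries(MBAM_LOG)).items():
        print(f"{key}: {value}")
```

Seven of the nine entries sit in the user's Temp folder and none is a driver or a system binary, which is the signature of a dropper's leftovers rather than of the installed rootkit; that asymmetry, not the count, is what should send the case to a rootkit-specific tool.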


#6 Jintan


  • Malware Response Team
  • 531 posts

Posted 06 May 2010 - 09:58 PM

Tough rootkit activity there after all. Let's follow up on that track, to make sure the system gets completely cleaned.


To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right-clicking the software's Taskbar icons, or accessing each software through Start - Programs.

Download ComboFix.exe from here to your desktop, but I would like you to rename the file as you download it (do not download it directly without renaming it - use right-click "Save Target/Link As"). For this, rename the downloading file to 456out.com, then click the renamed 456out.com to run that scan.

Be sure to install the Recovery Console if you are asked to do so. When the scan completes, a text window with your log will open. Please copy and paste that log back here.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.
Ad eundum quo no duck ante iit



