
Infected with Trojans/Rootkits...



#1 IntoTheVoid


Posted 07 November 2010 - 08:54 AM

So I was surfing the web and Avast popped up notifying me that it detected a virus. I moved it to the chest. It was a rootkit according to Avast. I quickly tried to kill my internet connection, and I ran a quick MalwareBytes scan and it found more stuff. I updated MalwareBytes and did a second quick scan, which found nothing. What should I do next? I have put some logs here, so please let me know what I should do next. Am I still infected?

Avast found the following, which I moved to the chest.

11/6/2010 10:21:19 PM SYSTEM 1380 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\TEMP\317o3oC9.sys" file.



MBAM log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4994

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

11/6/2010 10:49:53 PM
mbam-log-2010-11-06 (22-49-53).txt

Scan type: Quick scan
Objects scanned: 167356
Time elapsed: 12 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.247,93.188.160.247 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9b34f0a6-b982-43cd-b2e3-9453cc320237}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.164.247,93.188.160.247 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9b34f0a6-b982-43cd-b2e3-9453cc320237}\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.247,93.188.160.247 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{abe747dc-842c-4d73-87bf-0f4d51ce329a}\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.247,93.188.160.247 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\spool\prtprocs\w32x86\sK55g.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\31q9w1u9 (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sean\Local Settings\Temp\0.5957460035342548.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

----------

Also, while performing a quick scan using Avast it found the following: D:\i386\Apps\App26084\mfu-uscan_eng.exe - Sign of "Win32:Malware-gen". I didn't delete it or move it to the chest because I wasn't sure if it was a false positive or not. Please help.

11/7/2010 9:10:56 AM Sean 436 Sign of "Win32:Malware-gen" has been found in "D:\i386\Apps\App26084\mfu-uscan_eng.exe" file.

Edited by IntoTheVoid, 07 November 2010 - 09:18 AM.

