I think I have a Rootkit infection Help!



#1 VoiZod (Members, 2 posts)

Posted 12 November 2010 - 11:28 PM

Hi, I hope this is the right thread.

I'm not sure if I should remove these 'hidden ADS' files or not. I did a scan with the Malwarebytes extra tools section ADSpy scan (Alt. Data Streams) and some very suspicious files appeared on the scan, pasted below. I need to know if I should delete them or not. I did see PAVARK listed at the bottom and was wondering if the 2 files at the top of this report were related to PAVARK or not. I'm not exactly sure what's going on in my System Restore folders; my thoughts are this is a virus of some kind or Microsoft's DRM (rootkit), which I DO want to remove but have left alone because it came already installed on my Dell XPS-710 system.

=========================================================

ADSpy Scan

C:\Documents and Settings\All Users\Application Data\TEMP : 5C321E34 (95 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\Documents and Settings\All Users\Application Data\TEMP : 5C321E34 (95 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\System Volume Information\_restore{02071E9F-DF9A-4EC8-8753-B2B03F7F3942}\RP251\A0363477.exe : crc (21 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\System Volume Information\_restore{02071E9F-DF9A-4EC8-8753-B2B03F7F3942}\RP251\A0363478.dll : crc (19 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\System Volume Information\_restore{02071E9F-DF9A-4EC8-8753-B2B03F7F3942}\RP251\A0363479.dll : crc (20 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\System Volume Information\_restore{02071E9F-DF9A-4EC8-8753-B2B03F7F3942}\RP251\A0363480.ttf : crc (20 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\System Volume Information\_restore{02071E9F-DF9A-4EC8-8753-B2B03F7F3942}\RP251\A0363481.ttf : crc (21 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\System Volume Information\_restore{02071E9F-DF9A-4EC8-8753-B2B03F7F3942}\RP251\A0363482.ttf : crc (21 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\System Volume Information\_restore{02071E9F-DF9A-4EC8-8753-B2B03F7F3942}\RP251\A0363483.ttf : crc (21 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\System Volume Information\_restore{02071E9F-DF9A-4EC8-8753-B2B03F7F3942}\RP251\A0363484.ttf : crc (21 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\System Volume Information\_restore{02071E9F-DF9A-4EC8-8753-B2B03F7F3942}\RP251\A0363485.ttf : crc (21 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\System Volume Information\_restore{02071E9F-DF9A-4EC8-8753-B2B03F7F3942}\RP251\A0363486.ttf : crc (21 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\System Volume Information\_restore{02071E9F-DF9A-4EC8-8753-B2B03F7F3942}\RP251\A0363487.ttf : crc (21 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\System Volume Information\_restore{02071E9F-DF9A-4EC8-8753-B2B03F7F3942}\RP251\A0363488.ttf : crc (21 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\System Volume Information\_restore{02071E9F-DF9A-4EC8-8753-B2B03F7F3942}\RP251\A0363489.ttf : crc (21 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\System Volume Information\_restore{02071E9F-DF9A-4EC8-8753-B2B03F7F3942}\RP251\A0363490.ttf : crc (21 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\System Volume Information\_restore{02071E9F-DF9A-4EC8-8753-B2B03F7F3942}\RP251\A0363491.dir : crc (21 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\System Volume Information\_restore{02071E9F-DF9A-4EC8-8753-B2B03F7F3942}\RP251\A0363492.manifest : crc (20 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\System Volume Information\_restore{02071E9F-DF9A-4EC8-8753-B2B03F7F3942}\RP251\A0363493.dll : crc (21 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\System Volume Information\_restore{02071E9F-DF9A-4EC8-8753-B2B03F7F3942}\RP251\A0363494.dll : crc (20 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\System Volume Information\_restore{02071E9F-DF9A-4EC8-8753-B2B03F7F3942}\RP251\A0363495.dll : crc (20 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\System Volume Information\_restore{02071E9F-DF9A-4EC8-8753-B2B03F7F3942}\RP251\A0363497.dll : crc (20 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\System Volume Information\_restore{02071E9F-DF9A-4EC8-8753-B2B03F7F3942}\RP251\A0363498.dll : crc (20 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\System Volume Information\_restore{02071E9F-DF9A-4EC8-8753-B2B03F7F3942}\RP251\A0363499.dll : crc (20 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\System Volume Information\_restore{02071E9F-DF9A-4EC8-8753-B2B03F7F3942}\RP251\A0363500.ini : crc (21 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\System Volume Information\_restore{02071E9F-DF9A-4EC8-8753-B2B03F7F3942}\RP251\A0363501.dll : crc (21 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\System Volume Information\_restore{02071E9F-DF9A-4EC8-8753-B2B03F7F3942}\RP251\A0363502.dll : crc (21 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\System Volume Information\_restore{02071E9F-DF9A-4EC8-8753-B2B03F7F3942}\RP251\A0363503.dll : crc (21 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\System Volume Information\_restore{02071E9F-DF9A-4EC8-8753-B2B03F7F3942}\RP251\A0363505.dll : crc (20 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\System Volume Information\_restore{02071E9F-DF9A-4EC8-8753-B2B03F7F3942}\RP251\A0363506.dll : crc (20 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\System Volume Information\_restore{02071E9F-DF9A-4EC8-8753-B2B03F7F3942}\RP251\A0363507.dll : crc (21 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\System Volume Information\_restore{02071E9F-DF9A-4EC8-8753-B2B03F7F3942}\RP251\A0363508.dll : crc (21 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\System Volume Information\_restore{02071E9F-DF9A-4EC8-8753-B2B03F7F3942}\RP251\A0363509.dll : crc (21 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\System Volume Information\_restore{02071E9F-DF9A-4EC8-8753-B2B03F7F3942}\RP251\A0363510.dll : crc (19 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\System Volume Information\_restore{02071E9F-DF9A-4EC8-8753-B2B03F7F3942}\RP251\A0363511.dll : crc (21 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\System Volume Information\_restore{02071E9F-DF9A-4EC8-8753-B2B03F7F3942}\RP251\A0363512.dll : crc (21 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\System Volume Information\_restore{02071E9F-DF9A-4EC8-8753-B2B03F7F3942}\RP251\A0363513.dll : crc (20 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\System Volume Information\_restore{02071E9F-DF9A-4EC8-8753-B2B03F7F3942}\RP251\A0363514.exe : crc (20 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\System Volume Information\_restore{02071E9F-DF9A-4EC8-8753-B2B03F7F3942}\RP251\A0363515.dll : crc (21 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\System Volume Information\_restore{02071E9F-DF9A-4EC8-8753-B2B03F7F3942}\RP251\A0363516.dll : crc (20 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\System Volume Information\_restore{02071E9F-DF9A-4EC8-8753-B2B03F7F3942}\RP251\A0363517.dll : crc (21 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\System Volume Information\_restore{02071E9F-DF9A-4EC8-8753-B2B03F7F3942}\RP251\A0363518.dll : crc (21 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\System Volume Information\_restore{02071E9F-DF9A-4EC8-8753-B2B03F7F3942}\RP251\A0363519.dll : crc (20 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\System Volume Information\_restore{02071E9F-DF9A-4EC8-8753-B2B03F7F3942}\RP251\A0363520.dll : crc (21 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\System Volume Information\_restore{02071E9F-DF9A-4EC8-8753-B2B03F7F3942}\RP251\A0363521.ini : crc (21 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\System Volume Information\_restore{02071E9F-DF9A-4EC8-8753-B2B03F7F3942}\RP251\A0363522.ssm : crc (20 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\System Volume Information\_restore{02071E9F-DF9A-4EC8-8753-B2B03F7F3942}\RP251\A0363523.dll : crc (21 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\System Volume Information\_restore{02071E9F-DF9A-4EC8-8753-B2B03F7F3942}\RP251\A0363524.dll : crc (21 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\System Volume Information\_restore{02071E9F-DF9A-4EC8-8753-B2B03F7F3942}\RP264\A0382590.exe : License (20 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\TMP~\XP-Admin-Tools\Security-Apps\RootkitRemover\PAVARK.exe : License (20 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)

============================================================

I'm also having other problems. When I open Process Explorer I see almost every file has about 30 to 50 entries that say <Pagefile Backed>. What does this mean, and how do I fix it? Various programs and services crash when I try to run them, like my Diskeeper program and my RAID service, nVidia MediaShield. I had changed the option to use more resources to run my Programs from System Cache in Performance Options\Advanced (bottom option). I just recently changed it back to System Cache, because I play a lot of online games that require a large cache, BUT I need to be the fastest possible while playing these games, so that's why I changed it to Programs, because it will make your programs run faster. Do you see my dilemma? I need help choosing which one would be better for me to use, and whether it is inadvertently causing these problems too. IDK. Please help. TY.


P.S.

On another note, I have a big question maybe someone could answer, which would be of great help to me...

Is there ANY small free app or proggy out there that can translate these names into 'readable text'? All the 10000's of names made of numbers mixed with letters, like (just for example): {Ad344RF34S387SCW33}. Some of these have funny brackets around them, mostly found in the registry, as well as the names without these brackets; some are short, example: D456GE3E, mostly found in the installed programs folder in Windows; and some are long, some have extensions on them like .exe, .dll etc. etc., mostly found in the System Volume Information folder aka System Restore folders. It would be nice if one could read what these files' real names are, 'in English'.



Edited by Blade Zephon, 13 November 2010 - 01:22 AM.
Moved from XP to AII. ~BZ
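One thing worth checking before deleting anything from a report like the one in this post is whether the reported hashes mean anything at all: every entry above carries the MD5 `D41D8CD98F00B204E9800998ECF8427E`, which is the MD5 of zero-length input, even though each stream is listed with a non-zero size. The Python triage helper below is an added example for readers of this thread; it is not part of the original post, of Malwarebytes or of ADSpy. It parses lines in the `<path> : <stream> (<n> bytes, MD5 <hex>)` format seen above, groups them by stream name, counts how many live under System Restore points, and flags entries whose reported size and hash contradict each other. The sample input is constructed: four lines reuse paths from the post, and a fifth `Zone.Identifier` entry with a made-up MD5 is added to show a consistent record.

```python
"""
Added example (not from the original post): triage helper for ADSpy-style
alternate data stream (ADS) scan output.
"""
from __future__ import annotations

import hashlib
import re
from collections import Counter
from dataclasses import dataclass

# MD5 of empty input; a non-empty stream cannot legitimately hash to this.
EMPTY_MD5 = hashlib.md5(b"").hexdigest().upper()  # D41D8CD98F00B204E9800998ECF8427E

# Matches: <path> : <stream name> (<size> bytes, MD5 <32 hex chars>)
LINE_RE = re.compile(
    r"^(?P<path>.+?) : (?P<stream>[^()]+?) "
    r"\((?P<size>\d+) bytes, MD5 (?P<md5>[0-9A-Fa-f]{32})\)\s*$"
)


@dataclass
class AdsEntry:
    path: str
    stream: str
    size: int
    md5: str

    @property
    def in_restore_point(self) -> bool:
        # System Restore stores copies under \System Volume Information\_restore{...}\RPnnn\
        return "\\system volume information\\_restore{" in self.path.lower()

    @property
    def hash_inconsistent(self) -> bool:
        # Non-zero reported size but the hash of zero bytes: the hash is not usable for triage.
        return self.size > 0 and self.md5.upper() == EMPTY_MD5


def parse_adspy(text: str) -> list[AdsEntry]:
    """Parse every line that matches the ADSpy entry format; headers and blanks are skipped."""
    entries: list[AdsEntry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(AdsEntry(m["path"], m["stream"].strip(), int(m["size"]), m["md5"]))
    return entries


def summarize(entries: list[AdsEntry]) -> dict:
    """Group by stream name and surface the two facts a reviewer wants first."""
    return {
        "total": len(entries),
        "by_stream": dict(Counter(e.stream for e in entries)),
        "in_restore_points": sum(1 for e in entries if e.in_restore_point),
        "hash_inconsistent": [e.path for e in entries if e.hash_inconsistent],
    }


# Constructed sample: first four lines use paths from the post, the last one is made up.
SAMPLE = """\
ADSpy Scan

C:\\Documents and Settings\\All Users\\Application Data\\TEMP : 5C321E34 (95 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\\System Volume Information\\_restore{02071E9F-DF9A-4EC8-8753-B2B03F7F3942}\\RP251\\A0363477.exe : crc (21 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\\System Volume Information\\_restore{02071E9F-DF9A-4EC8-8753-B2B03F7F3942}\\RP251\\A0363478.dll : crc (19 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\\TMP~\\XP-Admin-Tools\\Security-Apps\\RootkitRemover\\PAVARK.exe : License (20 bytes, MD5 D41D8CD98F00B204E9800998ECF8427E)
C:\\example\\notes.txt : Zone.Identifier (26 bytes, MD5 0123456789ABCDEF0123456789ABCDEF)
"""

if __name__ == "__main__":
    report = summarize(parse_adspy(SAMPLE))
    print(f"{report['total']} streams, {report['in_restore_points']} inside restore points")
    for name, count in sorted(report["by_stream"].items()):
        print(f"  stream {name!r}: {count}")
    for path in report["hash_inconsistent"]:
        print(f"  size/hash mismatch: {path}")
```

Run it against a saved ADSpy report instead of `SAMPLE` to get the same grouping; entries listed under `hash_inconsistent` should be re-hashed with a tool that reads the stream itself before any decision is made about them.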

