Possible Rootkit Issue - Please Help

1 reply to this topic

#1 Niles

  • Members
  • 1 posts

Posted 17 November 2010 - 11:02 AM

Good Afternoon,
This is my first time here and I want to say hi and say thanks in advance for any help / advice I receive. I have been receiving constant messages from the Malwarebytes application that there has been an IP block to a potentially malicious website. Scanning with Malwarebytes with an up-to-date definitions file shows up nothing. I ran HijackThis and I could see 2 different processes which looked suspicious, as follows (please see attached HijackThis log file).

O17 - HKLM\System\CCS\Services\Tcpip\..\{931CA650-E1FE-4533-81F7-4FAD051070B2}: NameServer = 62.40.32.33 8.8.8.8
O23 - Service: 6C2E6096 - Unknown owner - D:\WINDOWS\system32\6C2E6096.exe

I could not kill these processes. Unfortunately (before finding this great forum) I had broken a major rule by running ComboFix (please see also attached log file).

I am using NOD32 Antivirus, which has also found nothing. When using Symantec previously I had been receiving constant messages that I was under Rpcss attack.
I would GREATLY appreciate your help / advice...
My Best Regards,

Nile



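The two HijackThis lines quoted in the post are the kind of entries a responder triages by hand: an O17 entry that lists a NameServer the user did not configure, and an O23 service with no vendor whose name is a random-looking hex string pointing at a same-named binary in system32. The script below is an added example, not from this thread or from HijackThis; it parses O17/O23-style lines and flags entries that deviate from what the machine's owner expects. The sample log is constructed (the two lines from the post plus a benign ESET service line that is assumed, not taken from the user's log), and the "trusted" DNS set is an assumption standing in for whatever resolvers the user actually configured; a hit only means "review this", not "this is malicious".

```python
import re
from ipaddress import ip_address

# Constructed sample: the two entries quoted in the post plus one benign,
# assumed ESET service line so the filter has a non-suspicious case to pass.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{931CA650-E1FE-4533-81F7-4FAD051070B2}: NameServer = 62.40.32.33 8.8.8.8
O23 - Service: 6C2E6096 - Unknown owner - D:\WINDOWS\system32\6C2E6096.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
"""

# Service names made of exactly eight hex digits, as in the post.
HEX_NAME = re.compile(r"^[0-9A-F]{8}$", re.IGNORECASE)
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def parse_hjt(text):
    """Return (nameserver_entries, services) from HijackThis-style O17/O23 lines.

    nameserver_entries: list of (registry_key, [server, ...])
    services:           list of {"name", "owner", "path"}
    Lines of any other type are ignored.
    """
    dns_entries, services = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = O17_RE.match(line)
        if m:
            dns_entries.append((m["key"], m["servers"].split()))
            continue
        m = O23_RE.match(line)
        if m:
            services.append({"name": m["name"], "owner": m["owner"], "path": m["path"]})
    return dns_entries, services


def unexpected_nameservers(dns_entries, trusted):
    """Flag every NameServer value that is not in the caller's trusted set.

    Values that are not valid IP addresses are flagged too, since a
    NameServer entry should only ever hold addresses.
    """
    findings = []
    for key, servers in dns_entries:
        for server in servers:
            try:
                ip_address(server)
            except ValueError:
                findings.append((key, server))
                continue
            if server not in trusted:
                findings.append((key, server))
    return findings


def suspicious_services(services):
    """Return (name, path, reasons) for services that match two or more
    of the traits visible in the post's O23 line."""
    findings = []
    for svc in services:
        name = svc["name"]
        path = svc["path"].replace("/", "\\")
        basename = path.rsplit("\\", 1)[-1]
        reasons = []
        if HEX_NAME.match(name):
            reasons.append("random-looking hex service name")
        if svc["owner"].strip().lower() == "unknown owner":
            reasons.append("no vendor/owner recorded")
        if basename.lower() == f"{name}.exe".lower() and "\\system32\\" in path.lower():
            reasons.append("binary named after the service inside system32")
        # Requiring two traits keeps legitimate unbranded services out of the list.
        if len(reasons) >= 2:
            findings.append((name, svc["path"], reasons))
    return findings


if __name__ == "__main__":
    dns_entries, services = parse_hjt(SAMPLE_LOG)
    # Assumed: the user's only intended resolver is 8.8.8.8.
    for key, server in unexpected_nameservers(dns_entries, trusted={"8.8.8.8"}):
        print(f"REVIEW NameServer {server} under {key}")
    for name, path, reasons in suspicious_services(services):
        print(f"REVIEW service {name} at {path}: {', '.join(reasons)}")
```

Run it against a real HijackThis log by replacing SAMPLE_LOG with the file contents and the trusted set with the resolvers the machine is supposed to use (router, ISP or corporate DNS); anything flagged is a candidate for the volunteer's follow-up scans, not a verdict.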
#2 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 27 November 2010 - 07:50 AM

Hello Niles

Welcome to BleepingComputer :)
==========================
  • Download OTL to your desktop.
  • Double click on OTL to run it.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
====================
Download This file. Note its name and save it to your root folder, such as C:\.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.
