
av pops up saying rootkit


  • This topic is locked
43 replies to this topic

#1 dan786
  • Members
  • 152 posts

Posted 08 January 2011 - 06:05 PM

I have scanned with many programs and can't seem to completely clean my PC of the virus or whatever is on it. This has been happening for at least a few months. The programs that found parts of it are NOD32, a-squared and PC Tools AV; that's it. NOD found the System Tool 2011 rogue program on my PC and a-squared found some adware. It is very slow right now, sometimes not responding. I'm running Win 7 64-bit with 4 GB of RAM. Trend Micro HijackThis is reporting denied access to the hosts file now after I did a scan.

Attached Files


Edited by dan786, 09 January 2011 - 11:24 AM.

gigabyte 990fxa ud7, amd fx 4100 quadcore , 8gb corsair ram, msi n570gtx pe/oc twin frozer III, pc power cooling950 silencer psu, wd 1tb hd
win 7 prem 64bit



#2 snemelk
engineer
  • Malware Response Team
  • 1,468 posts
  • Gender: Male
  • Location: Poland

Posted 12 January 2011 - 05:19 PM

Hi dan786, and welcome to Bleeping Computer.

Download OTL.exe by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe.
  • In the "Custom Scans/Fixes" window (under the light green bar) paste the following:

    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

  • Click Run Scan and let the program run uninterrupted.
  • When the scan completes, it will open two Notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL. Post both logs in this thread.
  • You may need to use two posts to get it all.

snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver


#3 dan786
  • Topic Starter
  • Members
  • 152 posts

Posted 13 January 2011 - 11:33 AM

I noticed Webroot Spy Sweeper didn't uninstall at all when I had it.

Attached Files




#4 snemelk
engineer
  • Malware Response Team
  • 1,468 posts
  • Gender: Male
  • Location: Poland

Posted 14 January 2011 - 07:03 AM

Hi again dan786!!.. :)

Logs look ok, no active infection is visible... What problem persists??..

Firstly,
Please run OTL.exe.
  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :OTL
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
    O4:64bit: - HKLM..\Run: [IntelliPoint] File not found
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present
    O28:64bit: - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
    :Commands
    [EmptyTemp]
    [EMPTYFLASH]

  • Return to OTL.exe, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.
  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Secondly,
I do not see an antivirus program running on your computer... Without an AV, you have no protection and risk being quickly re-infected... Please install an antivirus program of your choice, run a full system scan with it, and post a log (if possible)... You may want to install one of the antivirus applications I recommend on my site: link

Thirdly, after installing an antivirus software and performing a full system scan with it, please run ComboFix (as it looks like you've run it before):

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Post the log from ComboFix when you've accomplished that.
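
The OTL fix above removes specific registry entries (O3 toolbar GUIDs with no CLSID, an O4 Run value pointing at a missing file, O6/O7 Internet Explorer policy keys, an O28 ShellExecuteHooks entry). The script below is an added example, not part of the thread and not OTL's own code: a read-only audit of those same locations, so a reader can see for themselves what each OTL line refers to before deleting anything. It assumes Windows 7 x64, an elevated PowerShell 3 or later session, and the registry paths named here; it reports and never deletes.

```powershell
# Added example (not from the thread, not OTL code): read-only audit of the
# registry locations the OTL O3/O4/O6/O7/O28 lines refer to. Assumes Windows 7 x64,
# elevated PowerShell 3+. Nothing in this script deletes anything.

function Test-ClsidRegistered {
    param([string]$Guid)
    # A toolbar or hook GUID should resolve to a CLSID key in the 64-bit or 32-bit view.
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID') {
        if (Test-Path -LiteralPath (Join-Path $root $Guid)) { return $true }
    }
    return $false
}

function Get-ValueNames {
    param([string]$Key)
    if (Test-Path -LiteralPath $Key) { (Get-Item -LiteralPath $Key).GetValueNames() } else { @() }
}

function New-Finding {
    param([string]$Check, [string]$Location, [string]$Detail)
    [pscustomobject]@{ Check = $Check; Location = $Location; Detail = $Detail }
}

function Get-OrphanedWebBrowserToolbars {
    # O3: HKCU ...\Toolbar\WebBrowser values named by a GUID with no CLSID behind it.
    $key = 'HKCU:\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser'
    foreach ($name in Get-ValueNames $key) {
        if ($name -match '^\{[0-9A-Fa-f-]+\}$' -and -not (Test-ClsidRegistered $name)) {
            New-Finding 'O3 toolbar' "$key\$name" 'no CLSID value found'
        }
    }
}

function Get-CommandPath {
    param([string]$Command)
    # Extract the executable from a Run value: quoted path, else text up to the
    # first executable extension, else the first whitespace-delimited token.
    $c = $Command.Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 1) { return $c.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($c, '^(.*?\.(exe|com|cmd|bat|vbs|dll))', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($c -split '\s+')[0]
}

function Get-MissingRunTargets {
    # O4: Run values whose target no longer exists (the IntelliPoint entry above is one).
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            $cmd  = [string]$item.GetValue($name)
            $path = [Environment]::ExpandEnvironmentVariables((Get-CommandPath $cmd))
            if ($path -and -not (Test-Path -LiteralPath $path)) {
                New-Finding 'O4 Run' "$key\$name" "file not found: $path"
            }
        }
    }
}

function Get-IePolicyKeys {
    # O6/O7: IE policy keys that hide Control Panel options or menus. Expected on a
    # domain-managed PC, unexpected on a home machine.
    foreach ($hive in 'HKLM:', 'HKCU:') {
        foreach ($sub in 'Control Panel', 'Restrictions') {
            $key = "$hive\Software\Policies\Microsoft\Internet Explorer\$sub"
            if (Test-Path -LiteralPath $key) {
                New-Finding 'O6/O7 IE policy' $key ('present, values: ' + ((Get-ValueNames $key) -join ', '))
            }
        }
    }
}

function Get-OrphanedShellExecuteHooks {
    # O28: ShellExecuteHooks entries (loaded whenever the shell launches something)
    # whose GUID has no CLSID.
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks') {
        foreach ($name in Get-ValueNames $key) {
            if ($name -and -not (Test-ClsidRegistered $name)) {
                New-Finding 'O28 hook' "$key\$name" 'no CLSID value found'
            }
        }
    }
}

# Gather everything and print it; review the table before deciding what to remove.
$findings = @(Get-OrphanedWebBrowserToolbars) + @(Get-MissingRunTargets) +
            @(Get-IePolicyKeys) + @(Get-OrphanedShellExecuteHooks)
if ($findings.Count -eq 0) { 'No orphaned or unexpected entries found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

An orphaned GUID or a Run value whose file is gone is usually leftover from an uninstall rather than an active infection, which is consistent with the helper's reading of the logs; what matters for a defender is that these locations are autostart and shell-hook points, so an entry that does resolve to an unfamiliar DLL deserves a closer look than one that resolves to nothing.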


#5 dan786
  • Topic Starter
  • Members
  • 152 posts

Posted 14 January 2011 - 02:49 PM

I had an AV, but they make my PC lag and use 30-50% CPU. I had Ad-Aware and PC Tools AV; both make me lag. Also, I keep getting trojans in my temp folder. I scan with NOD32 and Dr.Web CureIt, and they both say a virus/trojan was found in the temp folder in 3 files or more, depending on which scanner I run first.



#6 dan786
  • Topic Starter
  • Members
  • 152 posts

Posted 14 January 2011 - 02:57 PM

All processes killed
========== OTL ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{472734EA-242A-422B-ADF8-83D1E48CC825} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{472734EA-242A-422B-ADF8-83D1E48CC825}\ deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
64bit-Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\IntelliPoint deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\control panel\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\restrictions\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\control panel\ deleted successfully.
64bit-Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: 22
->Temp folder emptied: 582409227 bytes
->Temporary Internet Files folder emptied: 48587383 bytes
->Java cache emptied: 187538 bytes
->Flash cache emptied: 4302 bytes

User: All Users

User: AppData
->Temp folder emptied: 0 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 30720 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 10818496 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 100796 bytes
RecycleBin emptied: 160097104 bytes

Total Files Cleaned = 765.00 mb


[EMPTYFLASH]

User: 22
->Flash cache emptied: 0 bytes

User: All Users

User: AppData

User: Default

User: Default User

User: Public

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.20.2 log created on 01142011_144447

Files\Folders moved on Reboot...
C:\Users\22\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File\Folder C:\Users\22\AppData\Local\Temp\~DF0AD6337F23CB5B75.TMP not found!
File\Folder C:\Users\22\AppData\Local\Temp\~DF452AA4132D9F5CB4.TMP not found!
File\Folder C:\Users\22\AppData\Local\Temp\~DF4C7B897D18F4A7A4.TMP not found!
File\Folder C:\Users\22\AppData\Local\Temp\~DF74AB85BEA75988BC.TMP not found!
File\Folder C:\Users\22\AppData\Local\Temp\~DFC6042F031576E6ED.TMP not found!
File\Folder C:\Users\22\AppData\Local\Temp\~DFCD346829925190BB.TMP not found!
File\Folder C:\Users\22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XIBHNHP0\ai[1].htm not found!
File\Folder C:\Users\22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XIBHNHP0\ai[2].htm not found!
File\Folder C:\Users\22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WB24P4SB\11[1].htm not found!
File\Folder C:\Users\22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WB24P4SB\morestories[2].htm not found!
File\Folder C:\Users\22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WB24P4SB\morestories[3].htm not found!
File\Folder C:\Users\22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\KA0NGRK2\ai[1].htm not found!
File\Folder C:\Users\22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\KA0NGRK2\facebook_com[1].htm not found!
File\Folder C:\Users\22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\KA0NGRK2\index[1].htm not found!
File\Folder C:\Users\22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\KA0NGRK2\morestories[1].htm not found!
File\Folder C:\Users\22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\KA0NGRK2\topic372340[1].html not found!
File\Folder C:\Users\22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\0ZQ4UNCX\morestories[1].htm not found!
C:\Users\22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
C:\Users\22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT moved successfully.
File\Folder C:\Users\22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K841SDY1\01[1].htm not found!

Registry entries deleted on Reboot...



#7 snemelk
engineer
  • Malware Response Team
  • 1,468 posts
  • Gender: Male
  • Location: Poland

Posted 15 January 2011 - 11:28 AM

Hi again!.. :)

Post the ComboFix logfile when ready...


#8 dan786
  • Topic Starter
  • Members
  • 152 posts

Posted 15 January 2011 - 12:18 PM

Having problems trying to find that file. From what I remember, it said it deleted some stuff, but no virus or anything along those lines was found.



#9 snemelk
engineer
  • Malware Response Team
  • 1,468 posts
  • Gender: Male
  • Location: Poland

Posted 15 January 2011 - 12:42 PM

Hi again!.. :)

Please run the tool, ComboFix, once again: download a fresh copy and run it as instructed in the guide... :)


#10 dan786
  • Topic Starter
  • Members
  • 152 posts

Posted 15 January 2011 - 01:54 PM

Deleted another temp thing.

Almost forgot.

Attached Files




#11 snemelk
engineer
  • Malware Response Team
  • 1,468 posts
  • Gender: Male
  • Location: Poland

Posted 15 January 2011 - 03:07 PM

Hi again dan786!!.. :)

Log looks ok - no active infection is visible in the logs...

This:
...Temp\739E.tmp under Other deletions means that that file resisted deletion; interesting... It could be either malicious or legitimate; however, this source classifies it as malware: LPUS.EXE

I'm not sure what the source of it may be... Are the names of these files always the same??..

Please run this scan for me:

  • Download TDSSKiller.zip and extract TDSSKiller.exe to your Desktop.
  • Execute TDSSKiller.exe by doubleclicking on it.
  • Press Start Scan

  • If Malicious objects are found, ensure Cure is selected (it should be by default).
  • Click Continue then click Reboot now.
  • Once complete, a log will be produced at the root drive which is typically C:\

    For example, C:\TDSSKiller.2.4.0.0_24.07.2010_13.10.52_log.txt
  • Please post that log here.



#12 dan786
  • Topic Starter
  • Members
  • 152 posts

Posted 15 January 2011 - 03:29 PM

I ran that like 5 times, both the Kaspersky and Symantec versions, and nothing was found.



#13 dan786
  • Topic Starter
  • Members
  • 152 posts

Posted 15 January 2011 - 03:33 PM

Attached File: TDSSKiller.2.4.12.0_15.01.2011_15.29.09_log.txt (58.48 KB)



#14 dan786
  • Topic Starter
  • Members
  • 152 posts

Posted 15 January 2011 - 03:46 PM

I tried to install Prevx, but it says I need admin rights when I'm on an admin account.



#15 snemelk
engineer
  • Malware Response Team
  • 1,468 posts
  • Gender: Male
  • Location: Poland

Posted 15 January 2011 - 05:53 PM

Hi again dan786!!.. :)

I tried to install Prevx, but it says I need admin rights when I'm on an admin account.

Usually, that can be resolved by right-clicking on that file and choosing Run as administrator... However, I don't think running that program is necessary; deleting that temporary file is pointless unless we find a loader, which can be either an infected website (Avast!'s web shield should be able to block it) or some different source...

Please answer my question:

Are the names of these files always the same??..

Another question: if ESET or BitDefender or any other scanner deletes a file (or files) from that location, what is the detection (the name of the "virus")??..

If the names are different, please see if these files are created after a reboot or after running the computer for some time, for example after browsing the web a little...
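
The helper's questions in this post and in #11 (are the temp file names always the same, and do the files come back after a reboot or after browsing) are answered by comparing two snapshots of the temp folders rather than by deleting the files again. The script below is an added example, not from the thread and not the helper's or any tool's code: it baselines %TEMP% and the Windows Temp folder with SHA-256 hashes, then on a second run reports files that are new, files that reappeared under a different name with identical content, and files that are locked by a running process (the "resisted deletion" case). It assumes Windows 7 with PowerShell 3 or later and hashes through .NET because Get-FileHash needs PowerShell 4; the CSV path and folder list are assumptions.

```powershell
# Added example (not from the thread): baseline the temp folders, then diff a
# later snapshot to see which files come back and under what names.
# Assumes Windows 7, PowerShell 3+; $TempDirs and $SnapshotPath are assumptions.

$TempDirs     = @($env:TEMP, (Join-Path $env:SystemRoot 'Temp'))
$SnapshotPath = Join-Path $env:USERPROFILE 'temp-baseline.csv'

function Get-Sha256 {
    param([string]$Path)
    # Returns 'LOCKED' when the file cannot be opened for reading; a temp file held
    # open by a process is exactly the kind that resists deletion.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
        try { ([BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
        finally { $fs.Dispose() }
    } catch { 'LOCKED' }
    finally { $sha.Dispose() }
}

function Get-TempSnapshot {
    # One record per file under the temp folders: path, size, creation time, hash.
    foreach ($dir in $TempDirs) {
        Get-ChildItem -LiteralPath $dir -Recurse -Force -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Path    = $_.FullName
                    Size    = $_.Length
                    Created = $_.CreationTime.ToString('yyyy-MM-dd HH:mm:ss')
                    Sha256  = Get-Sha256 $_.FullName
                }
            }
    }
}

function Save-TempBaseline {
    Get-TempSnapshot | Export-Csv -LiteralPath $SnapshotPath -NoTypeInformation
    "Baseline written to $SnapshotPath"
}

function Compare-TempBaseline {
    if (-not (Test-Path -LiteralPath $SnapshotPath)) { throw 'No baseline; run Save-TempBaseline first.' }
    $byPath = @{}; $byHash = @{}
    foreach ($old in Import-Csv -LiteralPath $SnapshotPath) {
        $byPath[$old.Path] = $old
        if ($old.Sha256 -ne 'LOCKED') { $byHash[$old.Sha256] = $old.Path }
    }
    foreach ($f in Get-TempSnapshot) {
        if ($byPath.ContainsKey($f.Path)) { continue }   # existed at baseline, not new
        $verdict = 'new content'
        if ($f.Sha256 -eq 'LOCKED') { $verdict = 'new, locked by a running process' }
        elseif ($byHash.ContainsKey($f.Sha256)) { $verdict = "same content as baseline file $($byHash[$f.Sha256]), different name" }
        [pscustomobject]@{ Path = $f.Path; Created = $f.Created; Size = $f.Size; Sha256 = $f.Sha256; Verdict = $verdict }
    }
}

# Usage: run Save-TempBaseline, then reboot (or browse for a while) and run
# Compare-TempBaseline | Format-Table -Wrap
```

Reading the result: a file that returns with the same hash under a new random name means the loader is still present and the name alone is useless as an indicator; the hash and the creation time (before or after logon, during browsing) are what narrow down where it comes from, and the hash is also what to submit to a scanner vendor or look up when asking which detection name a product gives it.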