I think I have a rootkit


  • This topic is locked
48 replies to this topic

#31 nasdaq
  • Malware Response Team
  • 39,541 posts
  • Gender: Male
  • Location: Montreal, QC, Canada

Posted 28 September 2011 - 09:59 AM

SH-D- C:\ProgramData\Bureaublad
This is a folder which is identified as System and Hidden.

How to view this folder:
http://www.tech-recipes.com/rx/1521/how_to_view_hidden_and_system_files_and_folders_in_vista

Make sure you do not want to keep this folder and its files before deleting it.
===

I want to check your MBR further with this tool.

Please download MBRCheck.exe and save it to your desktop - not a folder on the desktop - save it directly to the desktop.

* Be sure to disable your security programs.
* Double-click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt).
* A window will open on your desktop.
* If an unknown bootcode is found you will have further options available to you; at this time press N, then press Enter twice.
* If nothing unusual is found, just press Enter.
* A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
* In your next reply, please include the log from MBRCheck.
====

Please post the log.
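The "SH-D-" state reported above means the folder carries both the System and Hidden attributes, which Explorer and a plain directory listing skip. The following PowerShell function is an added example, not part of nasdaq's post or of any tool named in it: it enumerates every Hidden+System directory under a set of roots (the roots are an assumption) with its timestamps, and notes when such a folder is a junction, since Windows itself ships Hidden+System junctions under C:\ProgramData, so a folder can be judged before anything is deleted.

```powershell
# Added example: list directories that are both Hidden and System (the "SH-D-"
# state in the log), so each one can be reviewed instead of deleted on sight.
# The default roots are an assumption; add whatever folder the log flagged.
function Get-HiddenSystemFolders {
    param([string[]]$Root = @("$env:ProgramData", "$env:USERPROFILE"))

    foreach ($r in $Root) {
        # -Force is required: without it Get-ChildItem omits Hidden and System items.
        Get-ChildItem -LiteralPath $r -Directory -Force -ErrorAction SilentlyContinue |
            Where-Object {
                ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
                ($_.Attributes -band [IO.FileAttributes]::System)
            } |
            ForEach-Object {
                $target = $null
                if ($_.Attributes -band [IO.FileAttributes]::ReparsePoint) {
                    # Junctions such as the ProgramData Desktop link are legitimately
                    # Hidden+System; record where they point rather than flag them.
                    $target = $_.Target
                }
                [pscustomobject]@{
                    Path          = $_.FullName
                    Attributes    = $_.Attributes
                    Created       = $_.CreationTime
                    LastWrite     = $_.LastWriteTime
                    ReparseTarget = $target
                }
            }
    }
}

# Newest folders first: a recently created Hidden+System directory that is not a
# junction is the one worth looking at more closely.
Get-HiddenSystemFolders | Sort-Object Created -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt so that directories under other users' profiles are readable.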


#32 anderlecht
  • Topic Starter
  • Members
  • 34 posts

Posted 29 September 2011 - 04:06 AM

Do you want me to press Y and Enter?

Enter does nothing.

Attached Files



#33 anderlecht
  • Topic Starter
  • Members
  • 34 posts

Posted 29 September 2011 - 04:13 AM

Posted Image

#34 nasdaq
  • Malware Response Team
  • 39,541 posts
  • Gender: Male
  • Location: Montreal, QC, Canada

Posted 29 September 2011 - 10:37 AM

This folder
C:\ProgramData\Bureaublad

translates to
c:\programdata\desktop

You will not be able to access this system folder.

===

Before we do anything else is the computer performing OK or do you still have some issues?

#35 anderlecht
  • Topic Starter
  • Members
  • 34 posts

Posted 30 September 2011 - 03:02 AM

Hello nasdaq,

Did you find anything?

I followed the registry and found it:

HKEY_LOCAL_MACHINE\SOFTWARE\Wilson WindowWare\Settings\WWWBATCH

http://home.mcafee.com/virusinfo/virusprofile.aspx?key=554967#none

The following registry elements have been changed:


HKEY_LOCAL_MACHINE\SOFTWARE\WILSON WINDOWWARE\SETTINGS\WWWBATCH\DLLUSAGE\WB34I = WBDCC34I.DLL

HKEY_LOCAL_MACHINE\SOFTWARE\WILSON WINDOWWARE\SETTINGS\WWWBATCH\MAIN\STATIC = 23

Got it

#36 nasdaq
  • Malware Response Team
  • 39,541 posts
  • Gender: Male
  • Location: Montreal, QC, Canada

Posted 30 September 2011 - 07:19 AM

You did good, but I never saw any reference to this string WWWBATCH in your logs.

Where do we stand?

#37 anderlecht
  • Topic Starter
  • Members
  • 34 posts

Posted 30 September 2011 - 08:41 AM

I just followed the registry; it is not present in a log.

Do you want me to uninstall ComboFix and run it again in safe mode?

Or what should I do?

#38 anderlecht
  • Topic Starter
  • Members
  • 34 posts

Posted 30 September 2011 - 09:11 AM

Reinstalled Flash Player for Firefox, didn't work; got this:

404

/cfusion/downloadcenter/about/


java.io.FileNotFoundException: /cfusion/downloadcenter/about/
at jrun.servlet.file.FileServlet.service(FileServlet.java:356)
at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106)
at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)
at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:286)
at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543)
at jrun.servlet.http.WebService.invokeRunnable(WebService.java:172)
at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428)
at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)


Google link: http://usemywifi.appspot.com/get.adobe.com/javascript:void%280%29

When I click other links, they run to my Gmail account?

#39 nasdaq
  • Malware Response Team
  • 39,541 posts
  • Gender: Male
  • Location: Montreal, QC, Canada

Posted 30 September 2011 - 12:52 PM

I checked further on this entry.
HKEY_LOCAL_MACHINE\SOFTWARE\WILSON WINDOWWARE\SETTINGS\WWWBATCH\DLLUSAGE\WB34I = WBDCC34I.DLL

WBDCC34I.DLL is a process which belongs to WIL DLL from Wilson WindowWare, Inc.
http://winbatch.com/

It should not be a problem.
===

404

/cfusion/downloadcenter/about/


Are you using this as a web hosting?
http://www.cfusion.net/

Because I'm not a subscriber I cannot see any of the information on that site.

Did you try to reinstall Firefox?

#40 anderlecht
  • Topic Starter
  • Members
  • 34 posts

Posted 03 October 2011 - 03:02 AM

I don't use cfusion,

just my ISP Belgacom and SecureDNS from Comodo.

I didn't reinstall Firefox yet, I just always updated it.

#41 nasdaq
  • Malware Response Team
  • 39,541 posts
  • Gender: Male
  • Location: Montreal, QC, Canada

Posted 03 October 2011 - 08:23 AM

There could be some remnant items left in the registry about Java.

Please execute this.

Clean the old registry entries left over by older versions of Java.
Please download JavaRa.

Double-click JavaRa.exe, then click Remove Older Versions.
In Vista and Windows 7, right-click JavaRa.exe and select Run as Administrator.

Make sure that all the previous versions of Java are removed.

  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
      Java 2 Runtime Environment, SE v1.4.2
      J2SE Runtime Environment 5.0
      J2SE Runtime Environment 6.0 Update 2, etc...
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.

When done, just check for a Firefox update.
Under the Firefox menu > Check for update...

#42 nasdaq
  • Malware Response Team
  • 39,541 posts
  • Gender: Male
  • Location: Montreal, QC, Canada

Posted 08 October 2011 - 06:33 AM

Are you still with me?

#43 anderlecht
  • Topic Starter
  • Members
  • 34 posts

Posted 11 October 2011 - 08:00 AM

Yes, sorry.

Nothing to remove, just a problem with the Mozilla console;

and Mozilla is not running ...

#44 nasdaq
  • Malware Response Team
  • 39,541 posts
  • Gender: Male
  • Location: Montreal, QC, Canada

Posted 11 October 2011 - 01:04 PM

Have you seen this page?
http://kb.mozillazine.org/Browser_will_not_start_up

It may help.

#45 nasdaq
  • Malware Response Team
  • 39,541 posts
  • Gender: Male
  • Location: Montreal, QC, Canada

Posted 16 October 2011 - 07:25 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.