Jump to content

Rootkit?


Recommended Posts

Hi there

 

Had a virus warning in Avast this afternoon: Threat: Rootkit: Hidden file (in C:\Windows\SoftwareDistribution\Dowload folder), which I accidentally deleted with Avast before having a proper chance to evaluate.

 

I am not getting any further virus messages in either Avast or MalwareBytes Pro, or MalwareBytes Anti-Root kit, but when I first run the latter I get a message "Registry value "AppInit_Dlls" has been found ....".  Note that I have no problem proceeding to run the tool.

 

Could you please assist me to:

 

1) Understand if the "AppInit_Dlls" message is an issue I should be concerned with; and

2) How I can double-check to ensure my system is no longer infected (or perhaps the initial threat was just a false positive?)

 

Thanks for your help.

 

Stephen

 

 

 

Link to post
Share on other sites

Hello and post-32477-1261866970.gif

 

P2P/Piracy Warning:

 

   

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

Next,

 

Download Farbar Recovery Scan Tool and save it to your desktop.

 

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

 

Kevin

Link to post
Share on other sites

Continue:

 

Download AdwCleaner by Xplode from here: http://www.bleepingcomputer.com/download/adwcleaner/ and save to your Desktop.

 

  • Double click on AdwCleaner.exe to run the tool.
  • Vista/Windows 7/8 users right-click and select Run As Administrator
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • When it's done you'll see: Pending: Uncheck any elements you don't want removed.
  • Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look over the log especially under Files/Folders for any program you want to save.
  • If there's a program you want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review.
  • If you're ready to clean it all up.....click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  • To restore an item that has been deleted (if necessary):
  • Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.

 

Next,

 

Run Malwarebytes,  Open > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Quick Scan with Malwarebytes Anti-Malware,

Make sure that everything is checked, and click Remove Selected on any found items.

 

Post the produced log

 

Next,

 

We need to run an online AV scan to ensure there are no remnants of any infection left on your system, this scan can take several hours to complete, it is very thorough and well worth running, please be patient and let it complete:

 

Run Eset Online Scanner

 

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

 

Go to Eset web page http://www.eset.com/us/online-scanner/ to run an online scan from ESET.

 

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    Click Start
  • When asked, allow the add/on to be installed
    Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings, ensure the options
  • Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
    Click Scan
  • wait for the virus definitions to be downloaded
  • Wait for the scan to finish

 

When the scan is complete

 

  • If no threats were found
  • put a checkmark in "Uninstall application on close"
  • close program
  • report to me that nothing was found

 

If threats were found

 

  • click on "list of threats found"
  • click on "export to text file" and save it as ESET SCAN and save to the desktop
  • Click on back
  • put a checkmark in "Uninstall application on close"
  • click on finish

 

close program

 

copy and paste the report here

 

Finally..

 

Download Security Check by screen317 from either of the following:

http://screen317.spywareinfoforum.org/SecurityCheck.exe or http://screen317.changelog.fr/SecurityCheck.exe

Save it to your Desktop.

Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.

A Notepad document should open automatically called checkup.txt; please post the contents of that document.

 

Let me see those logs...

 

Kevin

Link to post
Share on other sites

FRST logs do not show anything obviously malicious, I only give new instructions for thorough scans to ensure we`ve missed no remnants of previous infections. If you are considering a re-install of the system obviously that is a better option as you will have a  clean slate, your choice I guess.

Link to post
Share on other sites

Hi Kevin

 

I've uploaded 3 of the files you asked for, but I'm having some issues running the Screen317 program.

 

There seems to be some issue with the file path when I run it from the desktop, so I'm not sure that it is actually scanning, despite the fact it produces a blank report at the end.

 

In regards to the ESET finding, am I correct in assuming that these are not significant issues, since they represent a potential issue only if the software is installed - currently they are just downloaded files sitting in my directory.  Should I simply delete them, or do they need specialist removal?

 

Not quite sure where to go from here with Screen317.

 

Thanks for your help

 

Stephen

AdwCleanerR0.txt

ESET.txt

mbam-log-2013-11-04 (00-19-17).txt

Screen317.pdf

Link to post
Share on other sites

Just ignore Security Checks, could possibly be your security affecting the application. Regarding ESET, yes those installers are potentially bundled with unwanted extras, deleting them is good enough.

 

AdwCleaner need to be run one more time, on completion of the scan select and run the "Clean" function to remove unwanted entries...

 

Let me know if those steps complete, also if any remaining issues or concerns.....

 

Kevin...

Link to post
Share on other sites

Hi Kevin

 

Ran AdwCleaner and have attached report.

 

One final concern I have is when I do a Rootkit scan with Spybot (report attached).

 

I suspect the majority of the files are harmless, but I'm I'm not sure about the hidden file mentioned first in the log (file details in capture attached).

 

Any thoughts?

 

Thanks

 

Stephen

RootAlyzer.131104-0621.txt

post-147735-0-87529000-1383554890_thumb.

AdwCleanerS1.txt

Link to post
Share on other sites

The ADS files are of no significance, the other hidden file I have no idea what that is. Maybe show hidden files and folders so you have access to it, then rename it. Right click on it, select rename, add .bak to the end.

If there is no effect to your system after renaming go back later and delete it.

 

Link for show hidden files/folder instruction if needed:  http://www.bleepingcomputer.com/tutorials/show-hidden-files-in-windows-7/

 

Let me know if any other issues or concerns, if none we can clean up....

Link to post
Share on other sites

Good to here that all is now ok, regarding security this is my own set up,

 

Windows own Firewall, Microsoft Security Essentials and Malwarebytes Pro. Windows FW and MSE are free, MB does also have a free version, however I prefer the pro version as it provides auto updates and realtime protection. Cost is about £20 for a lifetime license.

 

As an extra layer I also use WinPatrol, the free version is adeqaute for general home use. Available here: http://www.winpatrol.com/download.html

 

For my browser I use Firefox with these addons: Web of Trust, Adblock Plus, Flash Block, NoScipt, Ghostery. When Firefox is open select these keys together :- Ctrl - Shift - A that will access Addons manger, this gives access to find addons, use, start, stop or disable those features etc....

Before using NoScript read from this link http://noscript.net/ makes it easy to understand....

 

Understanding Windows 7 Firewall - http://windows.microsoft.com/en-GB/windows7/Understanding-Windows-Firewall-settings

 

Understanding Microsoft Security Essentials - http://www.microsoft.com/en-gb/security/pc-security/mse.aspx

 

Understanding Malwarebytes, how to create an exclusion in MSE - http://forums.malwarebytes.org/index.php?showtopic=10138&st=0&p=162100entry162100

 

Understanding WinPatrol - http://www.winpatrol.com/features.html

 

I also use the Professional version of Sandboxie, I believe there is also free version available. Visit this link http://www.sandboxie.com/ for access to d/l, also make sure to use the "Help and FAQ" option to understand its uses, specifically how to run your browser sandboxed!.

 

Maybe that info will be useful for you,

 

Kevin.....

Link to post
Share on other sites

  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.