StephenK Posted November 3, 2013 (ID:749523)
Hi there
Had a virus warning in Avast this afternoon: Threat: Rootkit: Hidden file (in the C:\Windows\SoftwareDistribution\Download folder), which I accidentally deleted with Avast before having a proper chance to evaluate. I am not getting any further virus messages in either Avast or MalwareBytes Pro, or MalwareBytes Anti-Rootkit, but when I first run the latter I get a message "Registry value "AppInit_Dlls" has been found ....". Note that I have no problem proceeding to run the tool. Could you please assist me to:
1) Understand if the "AppInit_Dlls" message is an issue I should be concerned with; and
2) How I can double-check to ensure my system is no longer infected (or perhaps the initial threat was just a false positive?)
Thanks for your help.
Stephen
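The AppInit_DLLs question raised above is never answered directly in this thread. The following PowerShell script is an added example, not something posted by either participant: it reads the AppInit_DLLs and LoadAppInit_DLLs values from both registry locations (the native key and the Wow6432Node copy used by 32-bit processes on 64-bit Windows) and checks the Authenticode signature of every DLL listed, so the owner can see whether the value is empty, whether the mechanism is even enabled, and who signed anything that would be injected. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): inspect what the "AppInit_DLLs" warning refers to.
# AppInit_DLLs lists DLLs that user32.dll loads into every process that links user32;
# LoadAppInit_DLLs is the on/off switch (0 = disabled, 1 = enabled). Any entry here
# deserves a look, because it is a classic persistence location for unwanted software.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }   # Wow6432Node does not exist on 32-bit Windows

    $props = Get-ItemProperty -Path $key
    $dlls  = $props.AppInit_DLLs
    $load  = $props.LoadAppInit_DLLs

    Write-Host ""
    Write-Host $key
    Write-Host ("  LoadAppInit_DLLs : {0}" -f $load)
    Write-Host ("  AppInit_DLLs     : '{0}'" -f $dlls)

    if ([string]::IsNullOrWhiteSpace($dlls)) {
        Write-Host "  Value is empty: nothing is injected via AppInit_DLLs from this key."
        continue
    }

    # The value is a space- or comma-separated list of DLL paths (environment
    # variables are allowed), so split it and examine each file on disk.
    foreach ($entry in ($dlls -split '[ ,]+' | Where-Object { $_ })) {
        $path = [Environment]::ExpandEnvironmentVariables($entry)
        if (-not (Test-Path -LiteralPath $path)) {
            Write-Host ("  {0}  (listed but not found on disk)" -f $path)
            continue
        }
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        Write-Host ("  {0}  signature={1}  signer={2}" -f $path, $sig.Status, $signer)
    }
}
```

An empty AppInit_DLLs value, or LoadAppInit_DLLs set to 0, means nothing is being loaded through this mechanism; a non-empty value pointing at an unsigned or unknown DLL is what would warrant further investigation.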
Mrk23 Posted November 3, 2013 (ID:749527)
This posting removed by moderator as being unauthorized to render assistance in this forum... please carry on with your assistant, kevinf80
kevinf80 Posted November 3, 2013 (ID:749528)
Hello.
P2P/Piracy Warning: If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here. Failure to remove or disable such software will result in your topic being closed and no further assistance being provided. If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.
Next, Download Farbar Recovery Scan Tool and save it to your desktop.
Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
Kevin
StephenK (Author) Posted November 3, 2013 (ID:749542)
Thanks for your help. I've also attached a list of the quarantined files from ComboFix.
Attachments: ComboFix-quarantined-files.txt, FRST - old.txt, FRST.txt
StephenK (Author) Posted November 3, 2013 (ID:749543)
Apologies, missed one of the files.
Attachment: Addition.txt
kevinf80 Posted November 3, 2013 (ID:749548)
Please ignore instructions from Mrk23, that user is not authorized to give advice/help in this forum... I`m looking at your logs and will reply shortly
kevinf80 Posted November 3, 2013 (ID:749560)
Continue:
Download AdwCleaner by Xplode from here: http://www.bleepingcomputer.com/download/adwcleaner/ and save to your Desktop.
Double click on AdwCleaner.exe to run the tool. Vista/Windows 7/8 users right-click and select Run As Administrator.
Click on the Scan button. AdwCleaner will begin... be patient as the scan may take some time to complete.
When it's done you'll see: Pending: Uncheck any elements you don't want removed.
Now click on the Report button... a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
Look over the log especially under Files/Folders for any program you want to save. If there's a program you want to save, just uncheck it from AdwCleaner. If you're not sure, post the log for review.
If you're ready to clean it all up..... click the Clean button.
After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically. Copy and paste the contents of that logfile in your next reply. A copy of that logfile will also be saved in the C:\AdwCleaner folder.
Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
To restore an item that has been deleted (if necessary): Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.

Next, Run Malwarebytes, Open > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.
Please Update and run a Quick Scan with Malwarebytes Anti-Malware. Make sure that everything is checked, and click Remove Selected on any found items.
Post the produced log.

Next, We need to run an online AV scan to ensure there are no remnants of any infection left on your system, this scan can take several hours to complete, it is very thorough and well worth running, please be patient and let it complete:
Run Eset Online Scanner
**Note** You will need to use Internet Explorer for this scan - Vista and Win 7 right click on IE shortcut and run as admin.
Go to Eset web page http://www.eset.com/us/online-scanner/ to run an online scan from ESET.
Turn off the real time scanner of any existing antivirus program while performing the online scan.
Click on the Run ESET Online Scanner button.
Tick the box next to YES, I accept the Terms of Use. Click Start.
When asked, allow the add-on to be installed. Click Start.
Make sure that the option Remove found threats is unticked.
Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked. Click Scan.
Wait for the virus definitions to be downloaded. Wait for the scan to finish.
When the scan is complete:
If no threats were found, put a checkmark in "Uninstall application on close", close program, report to me that nothing was found.
If threats were found, click on "list of threats found", click on "export to text file" and save it as ESET SCAN and save to the desktop. Click on back, put a checkmark in "Uninstall application on close", click on finish, close program, copy and paste the report here.

Finally.. Download Security Check by screen317 from either of the following:
http://screen317.spywareinfoforum.org/SecurityCheck.exe or http://screen317.changelog.fr/SecurityCheck.exe
Save it to your Desktop.
Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box.
Press any key when asked. A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Let me see those logs...
Kevin
StephenK (Author) Posted November 3, 2013 (ID:749572)
Will do - thanks for your help. Out of interest, do you think I have a serious problem based on what you've seen? I'd certainly consider reinstalling the OS if you thought that was the case.
kevinf80 Posted November 3, 2013 (ID:749577)
FRST logs do not show anything obviously malicious, I only give new instructions for thorough scans to ensure we`ve missed no remnants of previous infections. If you are considering a re-install of the system obviously that is a better option as you will have a clean slate, your choice I guess.
StephenK (Author) Posted November 3, 2013 (ID:749579)
Thanks. Will continue as you suggested and see how it goes.
kevinf80 Posted November 3, 2013 (ID:749582)
Sounds ok to me, be aware the ESET online scan is very thorough so will take a few hours to complete.
StephenK (Author) Posted November 4, 2013 (ID:749778)
Hi Kevin
I've uploaded 3 of the files you asked for, but I'm having some issues running the Screen317 program. There seems to be some issue with the file path when I run it from the desktop, so I'm not sure that it is actually scanning, despite the fact it produces a blank report at the end.
In regards to the ESET finding, am I correct in assuming that these are not significant issues, since they represent a potential issue only if the software is installed - currently they are just downloaded files sitting in my directory. Should I simply delete them, or do they need specialist removal?
Not quite sure where to go from here with Screen317.
Thanks for your help
Stephen
Attachments: AdwCleanerR0.txt, ESET.txt, mbam-log-2013-11-04 (00-19-17).txt, Screen317.pdf
kevinf80 Posted November 4, 2013 (ID:749783)
Just ignore Security Check, it could possibly be your security affecting the application. Regarding ESET, yes those installers are potentially bundled with unwanted extras, deleting them is good enough. AdwCleaner needs to be run one more time, on completion of the scan select and run the "Clean" function to remove unwanted entries...
Let me know if those steps complete, also if any remaining issues or concerns.....
Kevin...
StephenK (Author) Posted November 4, 2013 (ID:749789)
Hi Kevin
Ran AdwCleaner and have attached report. One final concern I have is when I do a Rootkit scan with Spybot (report attached). I suspect the majority of the files are harmless, but I'm not sure about the hidden file mentioned first in the log (file details in capture attached). Any thoughts?
Thanks
Stephen
Attachments: RootAlyzer.131104-0621.txt, AdwCleanerS1.txt
kevinf80 Posted November 4, 2013 (ID:749831)
The ADS files are of no significance, the other hidden file I have no idea what that is. Maybe show hidden files and folders so you have access to it, then rename it. Right click on it, select rename, add .bak to the end. If there is no effect to your system after renaming go back later and delete it.
Link for show hidden files/folder instruction if needed: http://www.bleepingcomputer.com/tutorials/show-hidden-files-in-windows-7/
Let me know if any other issues or concerns, if none we can clean up....
StephenK (Author) Posted November 4, 2013 (ID:749935)
Hi Kevin
I deleted the file last night and it doesn't seem to have any impact. I think all is good at my end now. Any thoughts on how I should beef up my security to avoid anything in future?
Thanks
Stephen
kevinf80 Posted November 4, 2013 (ID:749949)
Good to hear that all is now ok, regarding security this is my own set up: Windows own Firewall, Microsoft Security Essentials and Malwarebytes Pro. Windows FW and MSE are free, MB does also have a free version, however I prefer the pro version as it provides auto updates and realtime protection. Cost is about £20 for a lifetime license.
As an extra layer I also use WinPatrol, the free version is adequate for general home use. Available here: http://www.winpatrol.com/download.html
For my browser I use Firefox with these addons: Web of Trust, Adblock Plus, Flash Block, NoScript, Ghostery. When Firefox is open select these keys together :- Ctrl - Shift - A that will access Add-ons manager, this gives access to find addons, use, start, stop or disable those features etc.... Before using NoScript read from this link http://noscript.net/ makes it easy to understand....
Understanding Windows 7 Firewall - http://windows.microsoft.com/en-GB/windows7/Understanding-Windows-Firewall-settings
Understanding Microsoft Security Essentials - http://www.microsoft.com/en-gb/security/pc-security/mse.aspx
Understanding Malwarebytes, how to create an exclusion in MSE - http://forums.malwarebytes.org/index.php?showtopic=10138&st=0&p=162100entry162100
Understanding WinPatrol - http://www.winpatrol.com/features.html
I also use the Professional version of Sandboxie, I believe there is also a free version available. Visit this link http://www.sandboxie.com/ for access to d/l, also make sure to use the "Help and FAQ" option to understand its uses, specifically how to run your browser sandboxed!
Maybe that info will be useful for you,
Kevin.....
StephenK (Author) Posted November 4, 2013 (ID:749952)
Thanks very much for your help Kevin - it's very much appreciated.
kevinf80 Posted November 4, 2013 (ID:749956)
You`re very welcome, glad to help.....
AdvancedSetup (Root Admin) Posted November 5, 2013 (ID:750097)
Glad we could help.
If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!