prairie dog - Posted June 22, 2009 (ID:92281)

Had a rootkit that MBAM recognized as file str.sys. Could not boot into normal mode. Was able to boot into safe mode and run MBAM, which cleared out some issues, but str.sys kept coming back. Ran Prevx 3.0 and went in manually and deleted everything it detected. Everything back to normal. Ran scans with Avira, Hitman, SAS, MBAM, and all are now clean. Can you double-check the logs and make sure it is clean?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:48:18 PM, on 6/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Prevx\prevx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Prevx\prevx.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CrossLoop\CrossLoopConnect.exe
C:\Program Files\CrossLoop\winvnc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://*.mcafee.com (HKLM)
O15 - Trusted Zone: http://*.mcafee.com (HKLM)
O15 - ESC Trusted Zone: http://betavscan.mcafeeasap.com (HKLM)
O15 - ESC Trusted Zone: http://vs.mcafeeasap.com (HKLM)
O15 - ESC Trusted Zone: http://www.mcafeeasap.com (HKLM)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189182502890
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: McAfee Application Installer Cleanup (0040341245345668) (0040341245345668mcinstcleanup) - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\004034~1.EXE (file missing)
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\Prevx\prevx.exe
O23 - Service: getPlus® Helper - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: OneTouch 4.0 Monitor - Visioneer Inc. - C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe

--
End of file - 7143 bytes

Malwarebytes' Anti-Malware 1.38
Database version: 2323
Windows 5.1.2600 Service Pack 3

6/22/2009 2:24:37 PM
mbam-log-2009-06-22 (14-24-37).txt

Scan type: Quick Scan
Objects scanned: 85598
Time elapsed: 5 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
miekiemoes (Staff) - Posted June 23, 2009 (ID:92476)

Hi,

Scan again with HijackThis and check the following orphaned entries in it:

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

Then click the "Fix checked" button below.

The rest looks OK.
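The two entries the staff reply points at are "orphaned": the registry still holds a BHO CLSID and a toolbar CLSID, but the DLL they reference is gone, which is why HijackThis prints "(no file)". The following Python is an added example, not part of the thread or of HijackThis; it parses HijackThis entry lines and flags every entry whose backing file is missing, using sample lines constructed from the entries quoted in this thread.

```python
import re

# Constructed sample: HijackThis entry lines copied from this thread's log,
# including the two orphaned O2/O3 entries and one orphaned O23 service.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: getPlus® Helper - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"""

# An entry line starts with a section tag (R0..R3, F0..F3, O1..O24) and " - ".
ENTRY_RE = re.compile(r"^([RFO]\d+)\s+-\s+(.*)$")
# Markers HijackThis appends when the referenced file does not exist on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_entries(log_text):
    """Return (section, body) tuples for every HijackThis entry line; other lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def find_orphans(log_text):
    """Entries still registered (CLSID, service) whose backing file is gone."""
    return [(sec, body) for sec, body in parse_entries(log_text)
            if body.endswith(ORPHAN_MARKERS)]


def orphan_clsids(log_text):
    """CLSIDs of orphaned O2 (BHO) and O3 (toolbar) entries: the registry keys 'Fix checked' removes."""
    result = []
    for sec, body in find_orphans(log_text):
        m = CLSID_RE.search(body)
        if sec in ("O2", "O3") and m:
            result.append(m.group(0))
    return result


if __name__ == "__main__":
    for sec, body in find_orphans(SAMPLE_LOG):
        print(f"orphaned {sec}: {body}")
```

Orphaned entries are leftovers rather than active code, but they are worth clearing so that a later scan is not cluttered with stale CLSIDs.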
prairie dog (Author) - Posted June 23, 2009 (ID:92488)

Thanks for the quick reply!! You guys do a great job.
miekiemoes (Staff) - Posted June 23, 2009 (ID:92495)

You're most welcome.
miekiemoes (Staff) - Posted July 7, 2009 (ID:96308)

Since this issue appears resolved, this topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter. Everyone else, please begin a new topic.