
rootkit cleanup



concerned about this ... from RootRepeal

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/09/28 19:39

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP3

==================================================

Drivers

-------------------

Name: dump_iaStor.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys

Address: 0xB2366000 Size: 471040 File Visible: No Signed: -

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xAE659000 Size: 49152 File Visible: No Signed: -

Status: -

will run online av now



results of kaspersky scan:

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Tuesday, September 29, 2009

Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Tuesday, September 29, 2009 05:07:50

Records in database: 2934208

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - My Computer:

C:\

D:\

E:\

F:\

Scan statistics:

Objects scanned: 148657

Threats found: 5

Infected objects found: 10

Suspicious objects found: 0

Scan duration: 03:16:49

File name / Threat / Threats count

C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\6.0\24\bae1618-5d78e696 Infected: Trojan-Downloader.Java.OpenStream.y 1

C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\6.0\43\11753b6b-2b8f7647 Infected: Trojan-Downloader.Java.OpenStream.y 1

C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\6.0\57\4839f1b9-2cb3845e Infected: Trojan-Downloader.Java.OpenConnection.at 1

C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\6.0\58\44eef97a-334ab0c6 Infected: Trojan-Downloader.Java.Agent.f 1

C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfge.class-65499117-4703307c.class Infected: Trojan-Downloader.Java.OpenStream.y 1

C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfgn.class-2a829977-22fe4d04.class Infected: Trojan-Downloader.Java.OpenStream.y 1

C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0e0e-775381f0.zip Infected: Trojan-Downloader.Java.Agent.f 1

C:\Downloads\ca_setup.exe Infected: not-a-virus:PSWTool.Win32.Cain.273 1

C:\Downloads\ca_setup.exe Infected: not-a-virus:PSWTool.Win32.Cain.e 2

Selected area has been scanned.


C:\Downloads\ca_setup.exe Infected: not-a-virus:PSWTool.Win32.Cain.273 1

C:\Downloads\ca_setup.exe Infected: not-a-virus:PSWTool.Win32.Cain.e 2

This is something you voluntarily installed. So, I'm going to ignore it .. but if you're not using it, might as well uninstall it.

-----------

Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

@ECHO OFF
CD /D "C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache"
Zip -mS "%~dp0UploadThis.zip" 6.0\24\bae1618-5d78e696 6.0\43\11753b6b-2b8f7647 6.0\57\4839f1b9-2cb3845e 6.0\58\44eef97a-334ab0c6 javapi\v1.0\file\omfge.class-65499117-4703307c.class javapi\v1.0\file\omfgn.class-2a829977-22fe4d04.class javapi\v1.0\jar\jvmsecman.jar-69ee0e0e-775381f0.zip
DEL %0

Save this as fix.bat. Choose "Save type as - All Files".

It should look like this: bat_icon.gif

Double click on fix.bat & allow it to run

It should create a zipped file named UploadThis.zip next to fix.bat. Please upload that file to http://www.bleepingcomputer.com/submit-malware.php?channel=4

Please tell me how the computer behaves now

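The Kaspersky report above and the fix.bat that follows it are two halves of one workflow: read the "path Infected: threat count" lines, set aside the not-a-virus (riskware) hits the helper chose to ignore, and collect the remaining samples relative to the Java cache directory for upload. The following Python is an added example, not code from the thread or from any scanner vendor; the report excerpt and the cache root are constructed from the lines quoted in the thread, and the emitted batch file assumes (as the thread's script does) that a zip.exe is on the PATH.

```python
import re
from collections import OrderedDict

# Constructed excerpt of a Kaspersky Online Scanner 7.0 report, kept to the same
# "<path> Infected: <threat> <count>" line shape that the thread shows.
SAMPLE_REPORT = r"""File name / Threat / Threats count

C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\6.0\24\bae1618-5d78e696 Infected: Trojan-Downloader.Java.OpenStream.y 1

C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0e0e-775381f0.zip Infected: Trojan-Downloader.Java.Agent.f 1

C:\Downloads\ca_setup.exe Infected: not-a-virus:PSWTool.Win32.Cain.273 1

C:\Downloads\ca_setup.exe Infected: not-a-virus:PSWTool.Win32.Cain.e 2

Selected area has been scanned.
"""

# Java deployment cache root, taken from the paths in the thread.
JAVA_CACHE = r"C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache"

# The path may contain spaces, so the regex anchors on the literal " Infected: ".
FINDING_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")


def parse_report(text):
    """Return (path, threat, count) tuples for every 'Infected:' line in the report."""
    findings = []
    for line in text.splitlines():
        m = FINDING_RE.match(line.strip())
        if m:
            findings.append((m.group("path"), m.group("threat"), int(m.group("count"))))
    return findings


def is_riskware(threat):
    """Kaspersky prefixes dual-use tools (here the Cain installer) with 'not-a-virus:'."""
    return threat.startswith("not-a-virus:")


def relative_to(path, root):
    """Path relative to root, compared case-insensitively as Windows does; None if outside."""
    if path.lower().startswith(root.lower() + "\\"):
        return path[len(root) + 1:]
    return None


def select_samples(findings, root):
    """Unique, order-preserving relative paths of genuine detections under root."""
    samples = OrderedDict()
    for path, threat, _count in findings:
        rel = relative_to(path, root)
        if rel is not None and not is_riskware(threat):
            samples[rel] = None
    return list(samples)


def riskware_paths(findings):
    """Unique paths flagged only as not-a-virus, so a human can decide to keep or remove them."""
    real = {path for path, threat, _ in findings if not is_riskware(threat)}
    seen = OrderedDict()
    for path, threat, _ in findings:
        if is_riskware(threat) and path not in real:
            seen[path] = None
    return list(seen)


def build_fix_bat(samples, root, zip_name="UploadThis.zip"):
    """Emit a batch file in the shape of the thread's fix.bat (assumes zip.exe on PATH)."""
    lines = [
        "@ECHO OFF",
        'CD /D "%s"' % root,
        'Zip -mS "%%~dp0%s" %s' % (zip_name, " ".join(samples)),
        "DEL %0",
    ]
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print("riskware only:", riskware_paths(found))
    print(build_fix_bat(select_samples(found, JAVA_CACHE), JAVA_CACHE))
```

Separating riskware from real detections before building the upload list is the point: the Java cache entries are the unknown samples an analyst wants, while the Cain installer is a known tool the user installed on purpose.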

This is something you voluntarily installed. So, I'm going to ignore it .. but if you're not using it, might as well uninstall it.

part of a course

Please tell me how the computer behaves now

generally Good

System Event logs dates are incorrect (future) 12/17/2009 for today - clock is correct

App log seems OK

get an error when running msconfig

"An access denied error was returned while attempting to change a service.." (was resetting startup items)

many thanks for your persistence


System Event logs dates are incorrect (future) 12/17/2009 for today - clock is correct

That's probably caused by malware. They like changing dates to confuse the scanners.

"An access denied error was returned while attempting to change a service.." (was resetting startup items)

Did it state which service? I think it's likely to be McAfee related since we have uninstalled it.


That's probably caused by malware. They like changing dates to confuse the scanners.

Did it state which service? I think it's likely to be McAfee related since we have uninstalled it.

McAfee was reinstalled after the last clean mbam - not comfortable with no AV

no service is identified - many are still stopped ..


Open NOTEPAD.exe and copy/paste the text in the codebox below:

(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

Save this as fix.reg. Choose "Save type as - All Files".

It should look like this: reg.gif

Double click on fix.reg & allow it to merge into the registry

Reboot the machine and check MSCONFIG. Let me know which service is still disabled.

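The fix.reg above works because of two REGEDIT4 conventions: a key written as "[-KEY]" is deleted together with its values, and the plain "[KEY]" line that follows recreates it empty. MSCONFIG keeps its record of services it disabled under that key, so wiping and recreating it clears the list before the reboot. The Python below is an added example, not code from the thread or from Microsoft; it parses only the key lines a .reg file of this shape contains and applies them to an in-memory stand-in for the registry. The key path comes from the thread; the value names and data under it are constructed and are not a claim about MSCONFIG's real value layout.

```python
import re

# Constructed REGEDIT4 text with the same shape as the thread's fix.reg.
FIX_REG = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"""

MSCONFIG_SERVICES = r"HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services"

# "[-KEY]" deletes a key, "[KEY]" creates it; value lines are not needed for this fix.
KEY_LINE = re.compile(r"^\[(?P<delete>-?)(?P<key>[^\]]+)\]$")


def constructed_registry():
    """Stand-in for the live registry; the value names/data here are made up."""
    return {
        MSCONFIG_SERVICES.lower(): {"ExampleSvcA": 2, "ExampleSvcB": 2},
        r"hkey_local_machine\software\example\unrelated": {"Keep": 1},
    }


def parse_reg(text):
    """Return an ordered list of ('delete'|'create', key) operations from REGEDIT4 text."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("missing REGEDIT4 header; regedit would refuse to merge the file")
    ops = []
    for line in lines[1:]:
        m = KEY_LINE.match(line.strip())
        if m:
            ops.append(("delete" if m.group("delete") else "create", m.group("key")))
    return ops


def apply_ops(registry, ops):
    """Apply the operations to a copy of the registry model and return the result."""
    reg = {k: dict(v) for k, v in registry.items()}
    for op, key in ops:
        k = key.lower()  # registry key names are case-insensitive
        if op == "delete":
            # Deleting a key removes its values and every subkey beneath it.
            for existing in list(reg):
                if existing == k or existing.startswith(k + "\\"):
                    del reg[existing]
        else:
            reg.setdefault(k, {})  # create only if absent; never clobber an existing key
    return reg


def disabled_services(registry):
    """Service names MSCONFIG has recorded as disabled, per this constructed model."""
    return sorted(registry.get(MSCONFIG_SERVICES.lower(), {}))


if __name__ == "__main__":
    before = constructed_registry()
    after = apply_ops(before, parse_reg(FIX_REG))
    print("disabled before:", disabled_services(before))
    print("disabled after: ", disabled_services(after))
```

Order matters: delete first, then create. Merging only the "[KEY]" line would leave the existing entries in place, because a create on a key that already exists changes nothing.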
