Jump to content

Rootkit.ads having problems removing


mrbunrs
 Share

Recommended Posts

i am experiencing the same problem as another member posted earlier. i've run malware and updated, and rerun malware but each time the log shows the Rootkit.Ads is still there; even after it has been quarantined and highlighted and removed. Help please.

Malwarebytes' Anti-Malware 1.31

Database version: 1497

Windows 5.1.2600 Service Pack 2

13/12/2008 5:22:44 PM

mbam-log-2008-12-13 (17-22-44).txt

Scan type: Quick Scan

Objects scanned: 55249

Time elapsed: 7 minute(s), 28 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 11

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 13

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\dkauhf.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dkauhf (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ati3wbxx (Rootkit.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ati3wbxx (Rootkit.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati3wbxx (Rootkit.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\restore (Rootkit.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fci (Rootkit.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\fci (Rootkit.ADS) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\fci (Rootkit.ADS) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\icf (Rootkit.ADS) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\icf (Rootkit.ADS) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\icf (Rootkit.ADS) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\dkauhf.dll (Trojan.FakeAlert) -> Delete on reboot.

C:\WINDOWS\system32\dkauhf32.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\ati3wbxx.sys (Rootkit.Agent) -> Delete on reboot.

C:\WINDOWS\Temp\BN1EF.tmp (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\BN1F1.tmp (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\BN1F3.tmp (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\BN1F7.tmp (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\BN2.tmp (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\BN4.tmp (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\HIH6HAON\mss32[1].exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QAAMOU3C\mss32[1].exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QAAMOU3C\mss32[2].exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\svchost.exe:ext.exe (Rootkit.ADS) -> Quarantined and deleted successfully.

Link to post
Share on other sites

Hello and welcome to MalwareBytes forums.

If your still having the same problems, please do the following basics, but if you are being helped elsewhere already, then please let me know where.

1. Set Windows to show all files and all folders.

On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

2. Take out the trash (temporary files & temporary internet files)

Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to cleanout temporary files & temp areas used by internet browsers.

Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:

Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:

Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

ATF-Cleaner should be run per the above in every user-login account {User Profile}

=

3. Important! => Open Notepad > Click on Format > Uncheck Word wrap, if checked. Exit Notepad.

Download DDS and save it to your desktop from http://www.techsupportforum.com/sectools/sUBs/dds here or http://download.bleepingcomputer.com/sUBs/dds.scr or

http://www.forospyware.com/sUBs/dds

Disable any script blocker if your antivirus/antimalware has it.

Then double click dds.scr to run the tool.

When done, DDS.txt will open.

Click Yes at the next prompt for Optional Scan.

  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt

    [*]Save both reports to your desktop.

Please include the following logs in your next reply:

DDS.txt

Attach.txt

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.