Author Topic: [SOLVED] Thanks Everyone  (Read 4308 times)


YellowFox

  • Guest
[SOLVED] Thanks Everyone
« on: April 21, 2013, 10:56:58 PM »
Alright, so I was using Chrome and I installed an extension. I ran Chrome in sandbox mode to keep any sort of odd behaviour from the extension from doing damage while I checked it in developer mode to see if it was malicious. I found out in the local data section of the extension that there were a bunch of malicious links. After getting rid of the extension from the sandbox and deleting Chrome, I moved to Firefox. However, I ran a scan to make sure nothing was infected, and Avast! found 2 rootkits inside the sandboxed version of the browser. I told Avast! to delete it and it gave me an access denied error. After restarting and running a boot-time scan (which found nothing), I deleted the cache and it now no longer shows up in any of the scans I run. I also ran a check with TDSSKiller, MBAM, and aswMBR, and all 3 found nothing. So does this mean that the sandbox kept the problem from infecting the computer? Also, Firefox has been running rather sluggishly; however, this could be due to NoScript.

New OTL log at the bottom; this time it had an extra.
« Last Edit: April 23, 2013, 04:43:09 PM by YellowFox »
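The inspection step the post describes (looking through an extension's files for the hosts it talks to) can be done without loading the extension at all. The script below is an added example, not code from the thread or from any of the tools mentioned: it walks an unpacked Chrome extension directory, extracts every http(s) URL from its text files, maps each host to the files that mention it, and lists the manifest permissions that grant broad page access. The sample extension it builds in a temp directory is constructed for the demonstration, and its `.invalid` host names are placeholders, not real malicious sites.

```python
"""Enumerate the external hosts an unpacked Chrome extension references.

Added example, not from the forum thread. Walks an unpacked extension
directory (manifest.json plus scripts), pulls every http(s) URL out of the
text files, and reports the distinct hosts with the files that mention them.
The extension built by make_sample_extension() is constructed demo data;
its host names are placeholders, not real sites.
"""
import json
import os
import re
import tempfile
from collections import defaultdict
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s'\"<>)]+")
TEXT_EXT = {".js", ".json", ".html", ".htm", ".css"}

# Manifest entries that let an extension read or rewrite arbitrary pages.
BROAD_PERMISSIONS = {"<all_urls>", "webRequest", "webRequestBlocking", "tabs",
                     "*://*/*", "http://*/*", "https://*/*"}


def read_manifest(ext_dir):
    """Return the parsed manifest.json, which lists permissions and scripts."""
    with open(os.path.join(ext_dir, "manifest.json"), encoding="utf-8") as fh:
        return json.load(fh)


def find_urls(ext_dir):
    """Map each host referenced in the extension to the files that mention it."""
    hosts = defaultdict(set)
    for root, _dirs, files in os.walk(ext_dir):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TEXT_EXT:
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for url in URL_RE.findall(fh.read()):
                    host = urlsplit(url).hostname
                    if host:
                        hosts[host.lower()].add(os.path.relpath(path, ext_dir))
    return {h: sorted(f) for h, f in hosts.items()}


def risky_permissions(manifest):
    """Return the broad permissions the manifest requests, sorted."""
    perms = manifest.get("permissions", []) + manifest.get("host_permissions", [])
    return sorted(p for p in perms if p in BROAD_PERMISSIONS)


def make_sample_extension():
    """Build a constructed unpacked extension in a temp dir (demo data only)."""
    d = tempfile.mkdtemp(prefix="ext_")
    manifest = {
        "manifest_version": 2,
        "name": "Sample Toolbar",
        "version": "1.0",
        "permissions": ["tabs", "<all_urls>", "storage"],
        "background": {"scripts": ["background.js"]},
    }
    with open(os.path.join(d, "manifest.json"), "w", encoding="utf-8") as fh:
        json.dump(manifest, fh)
    with open(os.path.join(d, "background.js"), "w", encoding="utf-8") as fh:
        fh.write(
            "// constructed sample; hosts are placeholders, not real sites\n"
            "var u = 'http://update.example.invalid/check?v=1';\n"
            "fetch('https://ads.example.invalid/inject.js');\n"
            "fetch('https://ads.example.invalid/track');\n"
        )
    return d


def audit(ext_dir):
    """Summarise referenced hosts and broad permissions for a quick triage."""
    manifest = read_manifest(ext_dir)
    return {"hosts": find_urls(ext_dir), "permissions": risky_permissions(manifest)}


if __name__ == "__main__":
    report = audit(make_sample_extension())
    for host, files in sorted(report["hosts"].items()):
        print(f"{host}: {', '.join(files)}")
    print("broad permissions:", report["permissions"])
```

Point `audit()` at a real unpacked extension directory (on Windows, under the profile's `Extensions` folder) and compare the host list against what the extension claims to need; a toolbar that requests `<all_urls>` and fetches scripts from hosts unrelated to its stated purpose is exactly the kind of thing worth uninstalling before it ever runs outside a sandbox.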

Offline mikaelrask

  • Avast Evangelist
  • Super Poster
  • Posts: 1556
Re: Two Rootkits in Sandbox Am I safe?
« Reply #1 on: April 22, 2013, 09:21:49 AM »
Hey, please attach those logs too: MBAM, aswMBR.

http://forum.avast.com/index.php?topic=53253.0

A malware expert will remove it if anything comes up in those logs.
Windows 8.1, AMD A10-5700, 64-bit
12 GB RAM, 1 TB hard drive. Avast 18, MBAM

YellowFox

  • Guest
Possible false positive, re-running diagnostics.
« Reply #2 on: April 22, 2013, 11:57:12 AM »
Now something more troubling came up; however, I'm assuming it is a false positive. Today Avast! brought up an alert that Hitman Pro was a rootkit hidden service. I've deleted the program in question to keep Avast from flagging it, though I got it from the SurfRight site. I'll be posting logs shortly. Do note I run Avast!'s shields at max sensitivity; if I need to turn this down, please tell me.

YellowFox

  • Guest
Re: Now possible false positive rootkit detection.
« Reply #3 on: April 22, 2013, 12:15:15 PM »
Log one from MBAM

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.04.20.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16540
User :: USER-PC [administrator]

4/22/2013 1:05:41 PM
mbam-log-2013-04-22 (13-05-41).txt

Scan type: Full scan (C:\|D:\|E:\|Q:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 469252
Time elapsed: 1 hour(s), 8 minute(s), 45 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33900
  • malware fighter
Re: Now possible false positive rootkit detection.
« Reply #4 on: April 22, 2013, 12:23:45 PM »
Hitman Pro comes with a hidden rootkit service to address sophisticated rootkits. This program should rather be run under the supervision of a qualified malware remover, as the unprofessional use of it could lead to serious damage to your computer. That is why this is generically flagged as a possibly unwanted program. The problem was also addressed in this thread, see: http://forum.avast.com/index.php?topic=100050.0

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

YellowFox

  • Guest
Re: Now possible false positive rootkit detection.
« Reply #5 on: April 22, 2013, 12:36:31 PM »
So Hitman isn't meant for the uneducated person? Alright. Uploading the rest of the logs just in case. Also, aswMBR saved a file called MBR; do I need to upload this too?
« Last Edit: April 22, 2013, 12:53:36 PM by YellowFox »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33900
  • malware fighter
Re: Now possible false positive rootkit detection.
« Reply #6 on: April 22, 2013, 12:50:46 PM »
Hi YellowFox,

A qualified malware removal expert here has been made aware of your logs and will soon be looking into the matter. Wait for his instructions and follow these up to the dot. It might take some time as he mostly comes on at night (CET = Greenwich World time). Stay safe and secure both online and offline,

polonus

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

YellowFox

  • Guest
Re: Now possible false positive rootkit detection.
« Reply #7 on: April 22, 2013, 02:14:09 PM »
Thanks, polonus. I finished a scan with TDSSKiller and it's found nothing. I'll wait for the malware remover before using this computer though.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Now possible false positive rootkit detection.
« Reply #8 on: April 22, 2013, 04:17:29 PM »
Hi there, nothing untoward showing in the logs, so it looks as though the sandbox did its job.

Apart from a slow Firefox are there any other problems ?

YellowFox

  • Guest
Re: Now possible false positive rootkit detection.
« Reply #9 on: April 22, 2013, 04:23:23 PM »
Nope. Firefox seems to just be Firefox; I'm guessing the lack of speed is NoScript running. Anyways, thanks again, essexboy.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Now possible false positive rootkit detection.
« Reply #10 on: April 22, 2013, 04:34:04 PM »
My pleasure. Run OTL and press the Cleanup button to remove the programme and associated files.