Author Topic: About a rootkit  (Read 7499 times)


Offline Asyn

  • Avast Überevangelist
Re: About a rootkit
« Reply #15 on: February 01, 2015, 03:08:05 PM »
Meanwhile, we're way OT here. ;)
Is your main concern the rootkit or the forum settings..!?
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

REDACTED

  • Guest
Re: About a rootkit
« Reply #16 on: February 01, 2015, 03:15:29 PM »
Got it!
It is in Account Settings, but there is another drop-down menu afterwards, that is called Modify Profile, and Notifications is in there.
Thank you.

(I was notified of an answer while I was writing this, I am going to see ...)

REDACTED

  • Guest
Re: About a rootkit
« Reply #17 on: February 01, 2015, 03:17:04 PM »
MBAM found something, but is at about one tenth of its scan. I wanted to finish with the forum settings before speaking of this again, because the two topics mixed together risked being unreadable.

« Last Edit: February 01, 2015, 03:19:07 PM by Gloops »

Offline Asyn

Re: About a rootkit
« Reply #18 on: February 01, 2015, 03:29:10 PM »
OK, continue with your logs now.

REDACTED

  • Guest
Re: About a rootkit
« Reply #19 on: February 01, 2015, 04:47:54 PM »
So, first the context.
Windows XP Home SP3, 1024 MB RAM, 1596 MHz processor
Online Armor 4.0.0.14 Free (firewall, program guard)
Advanced SystemCare 8 (system consistency checks: disk, registry, shortcuts ...)
Avast Internet Security (all modules activated except firewall)

Beginning of the results:

Malwarebytes Anti-Malware
www.malwarebytes.org


Update, 01/02/2015 13:50:40, SYSTEM, UC00004, Manual, Remediation Database, 2013.10.16.1, 2014.12.6.1,
Update, 01/02/2015 13:50:40, SYSTEM, UC00004, Manual, Rootkit Database, 2014.11.18.1, 2015.1.14.1,
Update, 01/02/2015 13:51:15, SYSTEM, UC00004, Manual, Malware Database, 2014.11.20.6, 2015.2.1.3,

(end)
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 01/02/2015
Scan Time: 13:51:48
Logfile:
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.02.01.03
Rootkit Database: v2015.01.14.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows XP Service Pack 3
CPU: x86
File System: NTFS
User: admin

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 774439
Time Elapsed: 2 hr, 45 min, 56 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 1
Redir.ChercheUs, HKU\S-1-5-21-1745311521-3265096205-4005268043-1007-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MENUEXT\Recherche avec cherche.us, , [53f40712fe8c86b05e59370054b018e8],

Registry Values: 0
(No malicious items detected)

Registry Data: 11
PUM.Hijack.StartMenu, HKU\S-1-5-19-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED|StartMenuLogoff, 1, Good: (0), Bad: (1),,[3314e3367a109c9a45db9b0fb64f9e62]
PUM.Hijack.StartMenu, HKU\S-1-5-20-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED|StartMenuLogoff, 1, Good: (0), Bad: (1),,[fe49ec2de8a23ff7c15f8d1d31d4817f]
PUM.Hijack.StartMenu, HKU\S-1-5-21-1745311521-3265096205-4005268043-1005-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED|StartMenuLogoff, 1, Good: (0), Bad: (1),,[2b1c2aefc1c934029090317925e052ae]
PUM.Hijack.StartMenu, HKU\S-1-5-21-1745311521-3265096205-4005268043-1006-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED|StartMenuLogoff, 1, Good: (0), Bad: (1),,[f453c65377138ea8b9678d1d59ac6e92]
Hijack.SearchPage, HKU\S-1-5-21-1745311521-3265096205-4005268043-1007-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Search Page, http://www.cherche.us, Good: (http://www.google.com), Bad: (http://www.cherche.us),,[60e748d1305afc3aaca4fcad27de6a96]
PUM.Hijack.StartMenu, HKU\S-1-5-21-1745311521-3265096205-4005268043-1007-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED|StartMenuLogoff, 1, Good: (0), Bad: (1),,[c384c5546d1d2b0b7fa16b3f986dd12f]
PUM.Hijack.StartMenu, HKU\S-1-5-21-1745311521-3265096205-4005268043-1008-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED|StartMenuLogoff, 1, Good: (0), Bad: (1),,[b69145d4ddad77bf59c76941b94cf10f]
PUM.Hijack.StartMenu, HKU\S-1-5-21-1745311521-3265096205-4005268043-1009-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED|StartMenuLogoff, 1, Good: (0), Bad: (1),,[d0777d9cc8c238feb56b921870957f81]
PUM.Hijack.StartMenu, HKU\S-1-5-21-1745311521-3265096205-4005268043-1010-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED|StartMenuLogoff, 1, Good: (0), Bad: (1),,[6bdce336e7a3c07628f88822b94c9a66]
PUM.Hijack.StartMenu, HKU\S-1-5-21-1745311521-3265096205-4005268043-1041-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED|StartMenuLogoff, 1, Good: (0), Bad: (1),,[27208d8c85054ceabe62eebc09fcb54b]
PUM.Hijack.StartMenu, HKU\S-1-5-21-1745311521-3265096205-4005268043-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED|StartMenuLogoff, 1, Good: (0), Bad: (1),,[0c3b66b3bdcdce684ad69a10b550619f]

Folders: 0
(No malicious items detected)

Files: 4
PUP.Optional.Spigot.A, C:\Program Files\Application _Updater\ApplicationUpdater.exe, , [0047be5b3852d6608649aff89c652fd1],
Rootkit.Agent, C:\WINDOWS\1431312.exe, , [6add63b62a60290ddcbb61546d98a858],
Rootkit.Agent, C:\WINDOWS\8942531.exe, , [f750bb5e92f8063082153e770afb58a8],
PUP.Optional.Conduit.A, C:\Documents and Settings\username\Application Data\Mozilla\Firefox\Profiles\ancien.bycojd1pdefault\prefs.js, Good: (), Bad: (user_pref("CT2067599.SearchFromAddressBarUrl", "http://search.conduit.com/ResultsExt.aspx?ctid=CT2067599&SearchSource=2&q=");), ,[2225b7623b4fda5c954443a616efff01]

Physical Sectors: 0
(No malicious items detected)


(end)

Summary of the MBAM report:
Malicious items detected: 4
Non-malware items detected: 12

Now I am going to look at the next tool.
« Last Edit: February 01, 2015, 05:00:13 PM by Gloops »
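An added example, not code from this thread or from Malwarebytes: a small Python parser for the MBAM 2.x report format pasted above. It splits each detection line into family name, target (file or registry path), the Good/Bad values where present, and, for HKU paths, the user SID, then reproduces the report's own "malicious" vs "non-malware" split. The section names and the rule that PUP./PUM. families are the non-malware ones are inferred from the log above and are assumptions; the sample log embedded below is a subset of the lines from that log, so its counts (4 malicious, 5 non-malware) differ from the full report.

```python
"""Parse a Malwarebytes Anti-Malware 2.x scan log into structured records.

Added example (not from the thread). Field layout and section names are
taken from the log posted above; anything beyond that is an assumption.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Report sections that list detections (assumed from the log above).
DETECTION_SECTIONS = {
    "Processes", "Modules", "Registry Keys", "Registry Values",
    "Registry Data", "Folders", "Files", "Physical Sectors",
}

# One detection line: "<family>, <target>, <rest>[<32-hex id>]" plus an optional
# trailing comma. Neither the family nor the target contains a comma.
LINE_RE = re.compile(
    r"^(?P<name>[^,]+), (?P<target>[^,]+), (?P<rest>.*)\[(?P<id>[0-9a-f]{32})\],?$"
)
# "Good: (...)" is short; "Bad: (...)" can itself hold commas and parentheses
# (the Conduit prefs.js entry does), so it is matched greedily to the last ')'.
GOODBAD_RE = re.compile(r"Good: \((?P<good>.*?)\), Bad: \((?P<bad>.*)\)")
# User SID in an HKU\<SID>-{GUID}-0\... registry path.
SID_RE = re.compile(r"^HKU\\(?P<sid>S-1-5(?:-\d+)+)")


@dataclass
class Detection:
    section: str
    name: str
    target: str
    good: Optional[str]
    bad: Optional[str]
    sid: Optional[str]
    hash_id: str

    @property
    def is_pup(self) -> bool:
        """MBAM's summary counts PUP./PUM. families as 'non-malware'."""
        return self.name.startswith(("PUP.", "PUM."))


def parse_log(text: str) -> list:
    """Return the Detection records found under the detection sections."""
    detections, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.match(r"^([A-Za-z ]+): (\d+)$", line)
        if header and header.group(1) in DETECTION_SECTIONS:
            section = header.group(1)
            continue
        if section is None or line.startswith("("):  # "(No malicious items detected)"
            continue
        m = LINE_RE.match(line)
        if not m:
            section = None  # any other line ends the current section
            continue
        gb = GOODBAD_RE.search(m["rest"])
        sid = SID_RE.match(m["target"])
        detections.append(Detection(
            section=section, name=m["name"], target=m["target"],
            good=gb["good"] if gb else None, bad=gb["bad"] if gb else None,
            sid=sid["sid"] if sid else None, hash_id=m["id"],
        ))
    return detections


def well_known_account(sid: Optional[str]) -> Optional[str]:
    """Map the SIDs that matter for triage to their well-known accounts."""
    if sid == "S-1-5-19":
        return "LOCAL SERVICE"
    if sid == "S-1-5-20":
        return "NETWORK SERVICE"
    if sid and sid.startswith("S-1-5-21-") and sid.rsplit("-", 1)[1] == "500":
        return "built-in Administrator (RID 500)"
    return None


def summarize(detections: list) -> dict:
    """Reproduce the 'malicious' / 'non-malware' split of the MBAM summary."""
    return {
        "malicious": sum(1 for d in detections if not d.is_pup),
        "non_malware": sum(1 for d in detections if d.is_pup),
        "families": dict(Counter(d.name for d in detections)),
    }


# Subset of the report lines posted above (constructed sample for this example).
SAMPLE_LOG = r"""
Registry Keys: 1
Redir.ChercheUs, HKU\S-1-5-21-1745311521-3265096205-4005268043-1007-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MENUEXT\Recherche avec cherche.us, , [53f40712fe8c86b05e59370054b018e8],

Registry Values: 0
(No malicious items detected)

Registry Data: 4
PUM.Hijack.StartMenu, HKU\S-1-5-19-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED|StartMenuLogoff, 1, Good: (0), Bad: (1),,[3314e3367a109c9a45db9b0fb64f9e62]
PUM.Hijack.StartMenu, HKU\S-1-5-21-1745311521-3265096205-4005268043-1007-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED|StartMenuLogoff, 1, Good: (0), Bad: (1),,[c384c5546d1d2b0b7fa16b3f986dd12f]
Hijack.SearchPage, HKU\S-1-5-21-1745311521-3265096205-4005268043-1007-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Search Page, http://www.cherche.us, Good: (http://www.google.com), Bad: (http://www.cherche.us),,[60e748d1305afc3aaca4fcad27de6a96]
PUM.Hijack.StartMenu, HKU\S-1-5-21-1745311521-3265096205-4005268043-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED|StartMenuLogoff, 1, Good: (0), Bad: (1),,[0c3b66b3bdcdce684ad69a10b550619f]

Folders: 0
(No malicious items detected)

Files: 4
PUP.Optional.Spigot.A, C:\Program Files\Application _Updater\ApplicationUpdater.exe, , [0047be5b3852d6608649aff89c652fd1],
Rootkit.Agent, C:\WINDOWS\1431312.exe, , [6add63b62a60290ddcbb61546d98a858],
Rootkit.Agent, C:\WINDOWS\8942531.exe, , [f750bb5e92f8063082153e770afb58a8],
PUP.Optional.Conduit.A, C:\Documents and Settings\username\Application Data\Mozilla\Firefox\Profiles\ancien.bycojd1pdefault\prefs.js, Good: (), Bad: (user_pref("CT2067599.SearchFromAddressBarUrl", "http://search.conduit.com/ResultsExt.aspx?ctid=CT2067599&SearchSource=2&q=");), ,[2225b7623b4fda5c954443a616efff01]

Physical Sectors: 0
(No malicious items detected)
"""

if __name__ == "__main__":
    dets = parse_log(SAMPLE_LOG)
    for d in dets:
        who = well_known_account(d.sid) or d.sid or "-"
        print(f"{'PUP/PUM' if d.is_pup else 'MALICIOUS':9} {d.section:14} {d.name:24} {who}")
    print(summarize(dets))
```

The Good/Bad fields are the useful part for triage: the StartMenuLogoff hit is the same value for service accounts and the built-in Administrator, which reads like a registry default being flagged rather than a per-user change, while the Search Page entry shows the actual replaced value.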

Offline Asyn

Re: About a rootkit
« Reply #20 on: February 02, 2015, 05:59:09 AM »
Attach your logs, don't copy and paste them. Thanks.

REDACTED

  • Guest
Re: About a rootkit
« Reply #21 on: February 02, 2015, 01:52:29 PM »
Hello,
OK, anyway the other tools directly provide files.
Oh, I did not remember: I thought MBR.dat was part of the logs, and as that type of attachment is not allowed, I have to redo everything.
aswMBR2.txt was recorded after cleaning.

REDACTED

  • Guest
Re: About a rootkit
« Reply #22 on: February 02, 2015, 01:55:18 PM »
Concerning MBAM, I saw I did it too quickly: I was asked to provide the log obtained after cleaning, but only saw that once it was done. So it seems I still have to do that. Maybe it would be a good idea to update my message of yesterday with the log, then?

Offline Asyn

Re: About a rootkit
« Reply #23 on: February 02, 2015, 03:24:10 PM »
No need, just wait... ;)

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
Re: About a rootkit
« Reply #24 on: February 02, 2015, 04:28:35 PM »
Hi, nothing dramatic showing at the moment, but let me know how the computer is after this.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
CreateRestorePoint:
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
URLSearchHook: HKU\S-1-5-21-1745311521-3265096205-4005268043-1005 - (No Name) - {B922D405-6D13-4A2B-AE89-08A030DA4402} -  No File
URLSearchHook: HKU\S-1-5-21-1745311521-3265096205-4005268043-1005 - (No Name) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} -  No File
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs,Tabs: "about:newtab" <======= ATTENTION
SearchScopes: HKU\.DEFAULT -> {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} URL = http://www.crawler.com/search/dispatcher.aspx?tp=bs&qkw={searchTerms}&tbid=60076
SearchScopes: HKU\S-1-5-21-1745311521-3265096205-4005268043-1005 -> {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} URL = http://www.crawler.com/search/dispatcher.aspx?tp=bs&qkw={searchTerms}&tbid=60076
BHO: No Name -> {3049C3E9-B461-4BC5-8870-4C09146192CA} ->  No File
BHO: No Name -> {9D974C8C-6D92-44FB-BEAF-B45A1C0CF17F} ->  No File
BHO: No Name -> {b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0} ->  No File
BHO: Advanced SystemCare Surfing Protection -> {BA0C978D-D909-49B6-AFE2-8BDE245DC7E6} -> C:\Program Files\IObit\Surfing Protection\BrowerProtect\ASCPlugin_Protection.dll (IObit)
Toolbar: HKU\.DEFAULT -> No Name - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} -  No File
Toolbar: HKU\S-1-5-21-1745311521-3265096205-4005268043-1005 -> No Name - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} -  No File
2015-02-01 17:11 - 2014-11-29 06:34 - 00000272 _____ () C:\WINDOWS\Tasks\Driver Booster Update.job
2015-02-01 17:11 - 2014-11-29 06:34 - 00000270 _____ () C:\WINDOWS\Tasks\Driver Booster Scan.job
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix
On completion a log will be generated please post that

THEN

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean"
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.