Author Topic: Weird Virus Scan Results  (Read 21583 times)


sk8kidamh

  • Guest
Weird Virus Scan Results
« on: September 07, 2011, 09:32:34 PM »
I just finished the scan of my computer, and I turned up 53 infected files. They are all Windows\assembly\nativeimages files. Are these actually rootkits? No other virus scan has turned up any results.

C:\Windows\assembly\NativeImages_v4.0.30319_64\Accessibility\b1136d0eb9ce963a7675b0d6cd7c4c4e\Accessibility.ni.dll [L] Rootkit: hidden file (0)
C:\Windows\assembly\NativeImages_v4.0.30319_64\AspNetMMCExt\3ba6cab6420baf7e6fb4290a10321367\AspNetMMCExt.ni.dll [L] Rootkit: hidden file (0)
C:\Windows\assembly\NativeImages_v4.0.30319_64\AspNetMMCExt\5f0dd07c65f51bfbb6df9fa4aa0a4cb8\AspNetMMCExt.ni.dll [L] Rootkit: hidden file (0)
C:\Windows\assembly\NativeImages_v4.0.30319_64\ComSvcConfig\ee61a87ad4a322535b2fb1e9de211fa2\ComSvcConfig.ni.exe [L] Rootkit: hidden file (0)
C:\Windows\assembly\NativeImages_v4.0.30319_64\ComSvcConfig\ee81e938d05b8f9f4b5e523d64c0e13d\ComSvcConfig.ni.exe [L] Rootkit: hidden file (0)
C:\Windows\assembly\NativeImages_v4.0.30319_64\CustomMarshalers\4f99fd1b2d217c9950b0e7c053b9e906\CustomMarshalers.ni.dll [L] Rootkit: hidden file (0)
C:\Windows\assembly\NativeImages_v4.0.30319_64\dfsvc\4a82ab8680409c1dc5a55e26742e8900\dfsvc.ni.exe [L] Rootkit: hidden file (0)
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\98231bec15bc95d5b5663158fa4a2091\Microsoft.Build.ni.dll [L] Rootkit: hidden file (0)
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\abe1be45214fd65637bfcad0f5885b02\Microsoft.Build.ni.dll [L] Rootkit: hidden file (0)
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build.Eng#\61e847fdf448d92159f0655c5011c8eb\Microsoft.Build.Engine.ni.dll [L] Rootkit: hidden file (0)
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build.Eng#\97fc5d998a224b1a4c1f5c5db583635c\Microsoft.Build.Engine.ni.dll [L] Rootkit: hidden file (0)
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build.Fra#\9fd80f7ed7273ee7e2f49159fc8fbea4\Microsoft.Build.Framework.ni.dll [L] Rootkit: hidden file (0)
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build.Fra#\a6ba7e66e3cae6182c69ad4a95bc1bef\Microsoft.Build.Framework.ni.dll [L] Rootkit: hidden file (0)
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build.Tas#\5a229d6ec80ae687c61556b4934d8e84\Microsoft.Build.Tasks.v4.0.ni.dll [L] Rootkit: hidden file (0)
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build.Tas#\e22dcfda6fcda7f59350bd484d04d777\Microsoft.Build.Tasks.v4.0.ni.dll [L] Rootkit: hidden file (0)
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build.Uti#\49cb222730019ddee3188e59aa5db9fa\Microsoft.Build.Utilities.v4.0.ni.dll [L] Rootkit: hidden file (0)
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build.Uti#\bec5143986008709fb500f1b8c5ae844\Microsoft.Build.Utilities.v4.0.ni.dll [L] Rootkit: hidden file (0)
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.CSharp\5046c55b7feb9c9156d18fe1d4735480\Microsoft.CSharp.ni.dll [L] Rootkit: hidden file (0)
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.CSharp\882e595affe5d439ca4bb68d671f8fb9\Microsoft.CSharp.ni.dll [L] Rootkit: hidden file (0)
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.JScript\4351bfa190b7948085e361e0447a9eb8\Microsoft.JScript.ni.dll [L] Rootkit: hidden file (0)
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.JScript\9f986e23b6ecb48281324d51fdb6e799\Microsoft.JScript.ni.dll [L] Rootkit: hidden file (0)
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Office.To#\1db049ec5e114f426c6537abaabdf6e8\Microsoft.Office.Tools.v4.0.Framework.ni.dll [L] Rootkit: hidden file (0)
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Office.To#\277af6cea61e02c8683cd15c5a33c034\Microsoft.Office.Tools.Excel.Implementation.ni.dll [L] Rootkit: hidden file (0)
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Office.To#\3088424f11014c5b7991ec1e03983c0a\Microsoft.Office.Tools.Common.ni.dll [L] Rootkit: hidden file (0)
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Office.To#\3eaf7a15dd25e9ee599601be502f46d6\Microsoft.Office.Tools.Word.Implementation.ni.dll [L] Rootkit: hidden file (0)
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Office.To#\48e5e323768d3664119898ee02b633ba\Microsoft.Office.Tools.Word.ni.dll [L] Rootkit: hidden file (0)
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Office.To#\547fb16e3bbc589947b25447b11e79b3\Microsoft.Office.Tools.Word.ni.dll [L] Rootkit: hidden file (0)
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Office.To#\615168e04f5fce420bdba6bb995b14dd\Microsoft.Office.Tools.Excel.ni.dll [L] Rootkit: hidden file (0)
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Office.To#\749c82902617a843a4b6b345b721da62\Microsoft.Office.Tools.Outlook.ni.dll [L] Rootkit: hidden file (0)
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Office.To#\778e935ee9d2cdee8be1b7bcefade721\Microsoft.Office.Tools.Word.Implementation.ni.dll [L] Rootkit: hidden file (0)
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Office.To#\9962370ea8a8774c017ddda13759efdd\Microsoft.Office.Tools.Common.ni.dll [L] Rootkit: hidden file (0)
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Office.To#\a8e18b8aa464ee30de1be5fe1e5e1af4\Microsoft.Office.Tools.Excel.ni.dll [L] Rootkit: hidden file (0)
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Office.To#\ac9312d9599ac31cd7a17d4057a5e28d\Microsoft.Office.Tools.Excel.Implementation.ni.dll [L] Rootkit: hidden file (0)
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Office.To#\cc286fd56606e1c45db5a15f7dae85d2\Microsoft.Office.Tools.Outlook.Implementation.ni.dll [L] Rootkit: hidden file (0)
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Office.To#\df1c922544d5a66f00b87ad6e35abb1f\Microsoft.Office.Tools.Common.Implementation.ni.dll [L] Rootkit: hidden file (0)
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Office.To#\e73cff52ba14e1578d04ae6bbee5e135\Microsoft.Office.Tools.ni.dll [L] Rootkit: hidden file (0)
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Office.To#\eaf148dfdd43ad8ee2fc85dadec66af2\Microsoft.Office.Tools.v4.0.Framework.ni.dll [L] Rootkit: hidden file (0)
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Office.To#\ed2a9a466e90c00aec2516c9a58e7ea5\Microsoft.Office.Tools.Outlook.ni.dll [L] Rootkit: hidden file (0)
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Office.To#\ef37db2b085620918646b7f7e1920086\Microsoft.Office.Tools.Common.Implementation.ni.dll [L] Rootkit: hidden file (0)
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Office.To#\fc7c6259db6cc012c0d1e7b5a008924c\Microsoft.Office.Tools.Outlook.Implementation.ni.dll [L] Rootkit: hidden file (0)
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Transacti#\54d05db00d011c7d8e34613a76156a27\Microsoft.Transactions.Bridge.Dtc.ni.dll [L] Rootkit: hidden file (0)
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Transacti#\85e60ede22b298d7e5fcc17757f74ef1\Microsoft.Transactions.Bridge.Dtc.ni.dll [L] Rootkit: hidden file (0)
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Transacti#\bcace9b4169e7ec28c0c73ed55df0639\Microsoft.Transactions.Bridge.ni.dll [L] Rootkit: hidden file (0)
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Transacti#\e174701b531de21d8a96ea8ea5975000\Microsoft.Transactions.Bridge.ni.dll [L] Rootkit: hidden file (0)
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.VisualBas#\2282b71e9ea6da3366b3b81984109382\Microsoft.VisualBasic.Compatibility.Data.ni.dll [L] Rootkit: hidden file (0)
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.VisualBas#\4754eb5629d571dac6586602b1f1fbd6\Microsoft.VisualBasic.Compatibility.Data.ni.dll [L] Rootkit: hidden file (0)
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.VisualBas#\6bf044858d9641f9b24c4554076e5ae7\Microsoft.VisualBasic.Compatibility.ni.dll [L] Rootkit: hidden file (0)
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.VisualBas#\744d38da96091b44ff26a966425f247d\Microsoft.VisualBasic.ni.dll [L] Rootkit: hidden file (0)
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.VisualBas#\c386ff5a7c5bfa6b1dfdc6f53119b3a6\Microsoft.VisualBasic.Activities.Compiler.ni.dll [L] Rootkit: hidden file (0)
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.VisualBas#\d719ea7ff4729771fd367b5da217e474\Microsoft.VisualBasic.Activities.Compiler.ni.dll [L] Rootkit: hidden file (0)
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.VisualBas#\d83a6fc3a6bd96beaa9845201290f292\Microsoft.VisualBasic.ni.dll [L] Rootkit: hidden file (0)
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.VisualBas#\faa6383c7b0bdd80f5dd8754e212af37\Microsoft.VisualBasic.Compatibility.ni.dll [L] Rootkit: hidden file (0)
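One way to re-check the flagged entries from the list above, as an added example that is not from the thread: it parses lines in the format shown, then asks the file system directly whether each path is visible through the normal Windows API, whether it carries the Hidden attribute, when it was last written and who owns it. It assumes PowerShell 4 or later (for Get-FileHash), an elevated session, and that the lines were saved to C:\Triage\avast-hits.txt, a placeholder path:

```powershell
# Added triage helper for the Avast "Rootkit: hidden file" entries (not from the thread).
# Assumptions: the flagged lines are saved to C:\Triage\avast-hits.txt (placeholder path),
# PowerShell 4+ is available, and this runs elevated so system directories are readable.
$LogPath = 'C:\Triage\avast-hits.txt'

# Matches the line format shown in the post:  <path> [L] Rootkit: hidden file (0)
$LinePattern = '^(?<Path>[A-Za-z]:\\.+?)\s+\[(?<Flag>[A-Z])\]\s+(?<Detection>.+?)\s*\((?<Code>\d+)\)\s*$'

$hits = foreach ($line in Get-Content -LiteralPath $LogPath) {
    if ($line -match $LinePattern) {
        [PSCustomObject]@{ Path = $Matches.Path; Detection = $Matches.Detection }
    }
}

$report = foreach ($hit in $hits) {
    # -Force makes Get-Item return files carrying the Hidden/System attributes; -LiteralPath
    # keeps characters such as '#' in the NativeImages folder names from being treated as
    # wildcards. A path that stays invisible even with -Force while the scanner keeps
    # reporting it is the case that deserves a deeper look.
    $item = Get-Item -LiteralPath $hit.Path -Force -ErrorAction SilentlyContinue
    if (-not $item) {
        [PSCustomObject]@{
            Path = $hit.Path; Detection = $hit.Detection; Visible = $false
            Hidden = $null; LastWrite = $null; Owner = $null; SHA256 = $null
        }
        continue
    }
    [PSCustomObject]@{
        Path      = $item.FullName
        Detection = $hit.Detection
        Visible   = $true
        Hidden    = (($item.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
        LastWrite = $item.LastWriteTimeUtc
        Owner     = (Get-Acl -LiteralPath $item.FullName).Owner
        SHA256    = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
    }
}

$report | Format-Table Visible, Hidden, LastWrite, Owner, Path -AutoSize

# Keep a record of what was checked; the hashes let a second scanner or a later rescan
# confirm that the files on disk are the same objects the first scan flagged.
$report | Export-Csv -NoTypeInformation -LiteralPath 'C:\Triage\nativeimages-triage.csv'
```

The .ni.dll and .ni.exe files under NativeImages_v4.0.30319 are produced on the machine by the .NET Framework NGEN service (mscorsvw.exe), so recent LastWrite times after a .NET update are expected rather than suspicious on their own.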

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Weird Virus Scan Results
« Reply #1 on: September 07, 2011, 09:44:46 PM »
There has been a piece of malware hiding in that area - although in a temporary file. Are you experiencing any problems?

Offline Pondus

  • Probably Bot
  • Posts: 37553
  • Not a avast user
Re: Weird Virus Scan Results
« Reply #2 on: September 07, 2011, 09:51:22 PM »
Quote
No other virus scan has turned up any results.
What scan is that..... does it mean you have more than one AV program?

sk8kidamh

  • Guest
Re: Weird Virus Scan Results
« Reply #3 on: September 07, 2011, 09:53:53 PM »
Performance has been standard. My iTunes account was compromised 5-6 days ago. Could this be the cause? Also, should I delete these files, or is there something else?

Yes, I have more than one AV program. Malwarebytes is currently not detecting anything.

Offline Pondus

  • Probably Bot
  • Posts: 37553
  • Not a avast user
Re: Weird Virus Scan Results
« Reply #4 on: September 07, 2011, 09:59:32 PM »
Quote
Yes, I have more than one AV program. Malwarebytes is currently not detecting anything.
MBAM is OK.... and it is not an AV program.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Weird Virus Scan Results
« Reply #5 on: September 07, 2011, 10:03:52 PM »
I can check it out for you. Have you been receiving any alerts?

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
C:\Windows\assembly\tmp\U /s
CREATERESTOREPOINT

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Post both logs.

sk8kidamh

  • Guest
Re: Weird Virus Scan Results
« Reply #6 on: September 08, 2011, 12:38:19 AM »
Scan Results (OTL.txt) is attached:


sk8kidamh

  • Guest
Re: Weird Virus Scan Results
« Reply #7 on: September 08, 2011, 12:38:56 AM »
Extras.txt is attached to this post (I couldn't post them together)

sk8kidamh

  • Guest
Re: Weird Virus Scan Results
« Reply #8 on: September 08, 2011, 03:27:09 AM »
Do I need to paste those to the forum in order to get someone to look at them? If I do, it's going to take at least four posts to get all the text in.

Offline Coolmario88

  • Avast Evangelist
  • Super Poster
  • Posts: 1556
  • Bronies make the web go round
Re: Weird Virus Scan Results
« Reply #9 on: September 08, 2011, 03:30:16 AM »
Quote
Do I need to paste those to the forum in order to get someone to look at them? If I do, it's going to take at least four posts to get all the text in.
Attaching is okay. No need to paste the results in 4 posts.

Offline Pondus

  • Probably Bot
  • Posts: 37553
  • Not a avast user
Re: Weird Virus Scan Results
« Reply #10 on: September 08, 2011, 03:31:42 AM »
Essexboy is in bed now; he usually logs out at midnight..... remember he is on UK time.

He will be back here at around 08:00 pm - 11:59 pm UK time.
« Last Edit: September 08, 2011, 03:34:37 AM by Pondus »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Weird Virus Scan Results
« Reply #11 on: September 08, 2011, 07:28:54 PM »
No apparent malware showing there, although you do have the StartNow Toolbar - did you install it?

Download the GMER Rootkit Scanner. Unzip it to your Desktop.
 
Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
 
Double-click gmer.exe. The program will begin to run.
 
**Caution**
These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOTKIT" entries unless advised!
 
If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.

sk8kidamh

  • Guest
Re: Weird Virus Scan Results
« Reply #12 on: September 09, 2011, 12:11:29 AM »
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-09-08 18:10:57
Windows 6.1.7601 Service Pack 1
Running: gmer.exe


---- Registry - GMER 1.0.15 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c0f8dae45eb9                     
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c0f8dae45eb9 (not active ControlSet) 

---- EOF - GMER 1.0.15 ----

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Weird Virus Scan Results
« Reply #13 on: September 09, 2011, 07:42:09 PM »
Hmm 'tis a very short log

Are you experiencing any problems? Does Avast still report them?

sk8kidamh

  • Guest
Re: Weird Virus Scan Results
« Reply #14 on: September 09, 2011, 08:14:33 PM »
Strangely, those files are no longer considered rootkits.