WiredWX Christian Hobby Weather Tools
Re: Possible infection
Hi there

No problem... The rootkits were located in

c:\programdata\Tarma Installer
c:\programdata\Tarma Installer\{7514BBA2-951B-45A0-BA2B-CA259968C9ED}\_Setup.dll
c:\programdata\Tarma Installer\{7514BBA2-951B-45A0-BA2B-CA259968C9ED}\Setup.dat
c:\programdata\Tarma Installer\{7514BBA2-951B-45A0-BA2B-CA259968C9ED}\Setup.exe
c:\programdata\Tarma Installer\{7514BBA2-951B-45A0-BA2B-CA259968C9ED}\Setup.ico
c:\windows\host32.exe
c:\windows\system32\ntos.exe
c:\windows\system32\sdra64.exe
c:\windows\system32\sysplog.dll
c:\windows\system32\sysplog2.dll
c:\windows\system32\twext.exe

Here is the log for SysProt

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_dumpata.sys
Service Name: ---
Module Base: 9ADF5000
Module End: 9AE00000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: 9AC00000
Module End: 9AC09000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_dumpfve.sys
Service Name: ---
Module Base: 9AC09000
Module End: 9AC1A000
Hidden: Yes

Module Name: \??\C:\Users\voodoo\AppData\Local\Temp\aswMBR.sys
Service Name: aswMBR
Module Base: 9CF1F000
Module End: 9CF2A000
Hidden: Yes

******************************************************************************************
******************************************************************************************
No SSDT Hooks found

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\downloads\temp mp3\Alice Ortt\01 12 Etudes d'exe´cution transcendante, S.139_ No.1 Pre´lude (Presto).flac
Status: Hidden

Object: C:\downloads\temp mp3\Alice Ortt\02 12 Etudes d'exe´cution transcendante, S.139_ No.2 Molto vivace.flac
Status: Hidden

Object: C:\downloads\temp mp3\Alice Ortt\03 12 Etudes d'exe´cution transcendante, S.139_ No.3 Paysage (Poco adagio).flac
Status: Hidden

Object: C:\downloads\temp mp3\Alice Ortt\04 12 Etudes d'exe´cution transcendante, S.139_ No.4 Mazeppa (Presto).flac
Status: Hidden

Object: C:\downloads\temp mp3\Alice Ortt\05 12 Etudes d'exe´cution transcendante, S.139_ No.5 Feux follets (Allegretto).flac
Status: Hidden

Object: C:\downloads\temp mp3\Alice Ortt\06 12 Etudes d'exe´cution transcendante, S.139_ No.6 Vision (Lento).flac
Status: Hidden

Object: C:\downloads\temp mp3\Alice Ortt\07 12 Etudes d'exe´cution transcendante, S.139_ No.7 Eroica (Allegro).flac
Status: Hidden

Object: C:\downloads\temp mp3\Alice Ortt\08 12 Etudes d'exe´cution transcendante, S.139_ No.8 Wilde Jagd (Presto furioso).flac
Status: Hidden

Object: C:\downloads\temp mp3\Alice Ortt\09 12 Etudes d'exe´cution transcendante, S.139_ No.9 Ricordanza (Andantino).flac
Status: Hidden

Object: C:\downloads\temp mp3\Alice Ortt\10 12 Etudes d'exe´cution transcendante, S.139_ No.10 Allegro agitato molto.flac
Status: Hidden

Object: C:\downloads\temp mp3\Alice Ortt\11 12 Etudes d'exe´cution transcendante, S.139_ No.11 Harmonies du soir (Andantino).flac
Status: Hidden

Object: C:\downloads\temp mp3\Alice Ortt\12 12 Etudes d'exe´cution transcendante, S.139_ No.12 Chasse neige (Andante con moto).flac
Status: Hidden

Object: C:\My Documents\My Pictures\Helium Music Manager\Album Pictures\Jeno Jandó, piano - FRANZ LISZT_ Complete Piano Music, Vol. 12 - Hungarian Rhapsodies, Volume 1 _ Jeno Jandó.jpg
Status: Hidden

Object: C:\Qoobox\BackEnv\AppData.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Cache.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Cookies.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Desktop.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Favorites.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\History.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\LocalAppData.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\LocalSettings.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Music.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\NetHood.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Personal.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Pictures.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\PrintHood.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Profiles.Folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Profiles.Folder.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Programs.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Recent.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SendTo.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SetPath.bat
Status: Access denied

Object: C:\Qoobox\BackEnv\StartMenu.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\StartUp.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SysPath.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Templates.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\VikPev00
Status: Access denied

Object: C:\System Volume Information\WindowsImageBackup\SPPMetadataCache
Status: Access denied

Object: C:\Users\voodoo\AppData\Local\FLVService\YouTube - ?Chopin 24 Preludes Op 28, No 8??.bin
Status: Hidden

Object: C:\Users\voodoo\Downloads\????????????!_2.mp4
Status: Hidden

Object: C:\Windows\CSC\v2.0.6\namespace
Status: Access denied

Object: C:\Windows\CSC\v2.0.6\pq
Status: Access denied

Object: C:\Windows\CSC\v2.0.6\sm
Status: Access denied

Object: C:\Windows\CSC\v2.0.6\temp
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession7.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTUBPM.etl
Status: Access denied


Re: Possible infection
What makes you think those are rootkits? They were removed by ComboFix.

I'd like to scan your machine with ESET OnlineScan

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
• Click the ESET Online Scanner button.
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

  • Click on the ESET Smart Installer link to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the ESET Smart Installer icon on your desktop.

• Check the box to accept the Terms of Use.
• Click the Start button.
• Accept any security warnings from your browser.
• Check the "Scan archives" box.
• Push the Start button.
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, push the List found threats button.
• Push Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• Push the Back button.
• Push Finish.
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

Re: Possible infection
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=3a1d20a23ab10f469208b1d7d061f1d3
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-11-26 09:14:57
# local_time=2011-11-26 09:14:57 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=512 16777215 100 0 15578132 15578132 0 0
# compatibility_mode=5893 16776573 100 94 98817 74803980 0 0
# compatibility_mode=8206 39157117 100 93 28468 5644755 0 0
# scanned=176203
# found=0
# cleaned=0
# scan_time=4508
# nod_component=V3 Build:0x30000000
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=3a1d20a23ab10f469208b1d7d061f1d3
# end=stopped
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-11-26 09:17:45
# local_time=2011-11-26 09:17:45 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=512 16777215 100 0 15582804 15582804 0 0
# compatibility_mode=5893 16776573 100 94 103489 74808652 0 0
# compatibility_mode=8206 39157117 100 93 33140 5649427 0 0
# scanned=191
# found=0
# cleaned=0
# scan_time=4
# nod_component=V3 Build:0x30000000
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=3a1d20a23ab10f469208b1d7d061f1d3
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-11-27 01:37:48
# local_time=2011-11-27 01:37:48 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=512 16777215 100 0 15632719 15632719 0 0
# compatibility_mode=5893 16776573 100 94 153404 74858567 0 0
# compatibility_mode=8206 39157117 100 93 83055 5699342 0 0
# scanned=177749
# found=0
# cleaned=0
# scan_time=8892

Re: Possible infection
How's the computer working now? Any other issues?

Re: Possible infection
Still sluggish.

I've had to do three forced restarts today, due to complete system hangs.
How or what information would have been compromised with those supposed rootkits?
Obviously ESET isn't up to the job!

Re: Possible infection

How or what information would have been compromised with those supposed rootkits?

That's nearly impossible to determine but there were no rootkits found on your computer.

Download Security Check by screen317 from one of the following links and save it to your desktop.

Link 1
Link 2

* Double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
*******************************************************
Download BlueScreenView to your desktop.
BlueScreenView
Unzip the downloaded file and double-click on BlueScreenView.exe to run the program.
When scanning is done, go to EDIT - Select All.
Go to FILE - SAVE Selected Items, and save the report as BSOD.txt.
Open BSOD.txt in Notepad, copy all of the content, and paste it into your next reply.

Re: Possible infection
Results of screen317's Security Check version 0.99.28
Windows 7 Service Pack 1 x86 (UAC is disabled!)
Internet Explorer 8 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
ESET Online Scanner v3
ESET Smart Security
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
CCleaner
Java(TM) 6 Update 26
Java(TM) 7 Update 1
Adobe Flash Player 11.0.1.152
Mozilla Firefox ((3.6.17)) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Malwarebytes' Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamgui.exe
``````````End of Log````````````

The results here regarding versions of Firefox and ESET are false, as I have the latest versions of both.

There are no *.dmp files either located in the usual locations, and no crashes shown.

Re: Possible infection
Update Your Java (JRE)

Old versions of Java have vulnerabilities that malware can use to infect your system.


First Verify your Java Version

If there are any other version(s) installed then update now.

Get the new version (if needed)

If your version is out of date install the newest version of the Sun Java Runtime Environment.

Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Be sure to close ALL open web browsers before starting the installation.

Remove any old versions

1. Download JavaRa and unzip the file to your Desktop.
2. Open JavaRA.exe and choose Remove Older Versions
3. Once complete exit JavaRA.

Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.
*******************************************************
You only have 6.25 Gb of free space on your hard drive. Windows requires at least 15% (11.1 Gb) in order to function properly. This could be causing you problems. You should try to free up some space on the C drive. You can do this by uninstalling programs you no longer use or need and transferring videos, music and pictures to DVDs or an external drive.
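The three findings this thread keeps returning to (UAC disabled in the Security Check log, two Java runtimes side by side, and less than 15% free space on C:) can be checked without installing anything. The read-only PowerShell script below is an added example, not a tool from the thread or from screen317's Security Check; it assumes Windows 7 or later and that the EnableLUA policy value and the standard Uninstall registry hives are present, which they are on a stock install.

```powershell
# Added example: read-only health check for the three conditions discussed
# in this thread. Nothing is modified; run it in a normal PowerShell window.

function Test-UacEnabled {
    # EnableLUA = 1 means User Account Control is on; Security Check reported it off.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $val = (Get-ItemProperty -Path $key -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    return ($val -eq 1)
}

function Get-InstalledJava {
    # Both the native and the WOW6432Node uninstall hives; the second one
    # does not exist on 32-bit Windows, hence SilentlyContinue.
    $hives = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*')
    Get-ItemProperty -Path $hives -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match '^Java\(TM\)|^Java \d' } |
        Select-Object DisplayName, DisplayVersion
}

function Get-FreeSpacePercent([string]$Drive = 'C:') {
    # Get-WmiObject rather than Get-CimInstance so it also works on PowerShell 2 (Windows 7).
    $d = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$Drive'"
    if (-not $d -or -not $d.Size) { return $null }
    return [math]::Round(100 * $d.FreeSpace / $d.Size, 1)
}

# Report
if (Test-UacEnabled) { 'UAC: enabled' } else { 'UAC: DISABLED - re-enable it in Control Panel > User Accounts' }

$java = @(Get-InstalledJava)
"Java runtimes installed: $($java.Count)"
$java | ForEach-Object { "  $($_.DisplayName) ($($_.DisplayVersion))" }
if ($java.Count -gt 1) { '  More than one Java runtime present: uninstall the older ones.' }

$pct = Get-FreeSpacePercent 'C:'
if ($pct -ne $null) {
    "Free space on C: $pct%"
    if ($pct -lt 15) { '  Below the 15% Windows needs: free up space on C:.' }
}
```

Old Java entries found by the script can be removed through Programs and Features just as the thread suggests with JavaRa.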

Re: Possible infection
Hi

I have checked, and it says the latest version of Java is installed.
I have freed up some diskspace too.

Do you want the JavaRa Log? There were some errors reported

Regards

Last edited by Voods on 28th November 2011, 11:15 pm; edited 1 time in total (Reason for editing : Missed out details)

Re: Possible infection

"I have checked, and it says the latest version of Java is installed."

You can remove/uninstall the older versions.

"I have freed up some diskspace too."

Just be sure to keep 12 Gb of free space.

"Do you want the JavaRa Log? There were some errors reported"

No. I don't need to see it.
If there are no other issues, we can do some cleanup.


To uninstall ComboFix


  • Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
  • In the field, type in ComboFix /uninstall



(Note: Make sure there's a space between the word ComboFix and the forward-slash.)


  • Then, press Enter, or click OK.
  • This will uninstall ComboFix, delete its folders and files, hide System files and folders, and reset System Restore.

****************************************************
Clean out your temporary internet files and temp files.

Download TFC by OldTimer to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
****************************************************
Go to Microsoft Windows Update and get all critical updates.

----------

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing!
