Possible Rootkit Infection



I'm posting for a friend. After scanning her computer and laptop today, Malwarebytes found what looked like a possible rootkit infection, and I'd like some help with it. The computer is running Windows 7 while the laptop is running Windows Vista, and they are connected through a router.

 

There are also 2 or 3 Chinese programs that were installed earlier on the computer (and earlier, on the laptop as well), around April 11, 2011. I've tried to get them removed, but I'm not sure if they're gone for good. Please check into those as well; they're in the logs listed as malware.

 

This is the log for the computer:

 

 

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

 

Database version: 7340

 

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

 

7/31/2011 2:15:17 PM

mbam-log-2011-07-31 (14-15-17).txt

 

Scan type: Full scan (C:\|Q:\|)

Objects scanned: 323901

Time elapsed: 33 minute(s), 24 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 7

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UUSEE_base (PUP.Uusee) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UUSEE (PUP.Uusee) -> Quarantined and deleted successfully.

 

Registry Values Infected:

(No malicious items detected)

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

c:\program files (x86)\360\360Safe\360leakfixer.exe (Trojan.Agent) -> Quarantined and deleted successfully.

c:\program files (x86)\360\360Safe\leakrepair.dll (Trojan.Agent) -> Quarantined and deleted successfully.

c:\program files (x86)\360\360Safe\ipc\patchcheck.dll (Trojan.Agent) -> Quarantined and deleted successfully.

c:\program files (x86)\common files\uusee\uninst.exe (PUP.Uusee) -> Quarantined and deleted successfully.

c:\program files (x86)\uusee\uninstuusee.exe (PUP.Uusee) -> Quarantined and deleted successfully.

c:\Users\Jamie\AppData\Local\Temp\uuseedownload.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

c:\Users\Jamie\documents\Setups\uusee_setup_2010.exe (PUP.Uusee) -> Quarantined and deleted successfully.

 

This is the one for the laptop:

 

 

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

 

Database version: 7340

 

Windows 6.0.6002 Service Pack 2

Internet Explorer 7.0.6002.18005

 

7/31/2011 4:57:16 PM

mbam-log-2011-07-31 (16-57-16).txt

 

Scan type: Full scan (C:\|D:\|)

Objects scanned: 529648

Time elapsed: 2 hour(s), 28 minute(s), 20 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 4

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

(No malicious items detected)

 

Registry Values Infected:

(No malicious items detected)

 

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

c:\Users\Owner\AppData\Local\Temp\~nsu.tmp\whitesmoke-silent.exe (PUP.BHO) -> Quarantined and deleted successfully.

c:\Users\Owner\AppData\Roaming\thinstall\CSDATA\1000000800002i\svchost.exe (Rootkit.Dropper) -> Quarantined and deleted successfully.

c:\Users\Owner\documents\downloads\uusee_kaba_setup_0.exe (PUP.Uusee) -> Quarantined and deleted successfully.

c:\Users\Owner\documents\downloads\whitesmokewritergeo5002_en.exe (Trojan.Downloader) -> Quarantined and deleted successfully.


Hello cryofinnocence and Welcome to The PIT!!

Please download HiJackThis and save it to its own folder on your desktop. Now open the program and select "Do a scan and save a log". After the scan, it will open the log in Notepad; copy/paste the contents of the log into a new thread that you start here > http://forums.pcpitstop.com/index.php?/forum/25-hijackthis-logs/

Please include the Malwarebytes log first, then the HJT log. Also, please be patient and wait for help there from one of our Trusted Advisors; they are really busy.

 

 

 

 

