Possible RootKit infection...plz help


vzfox

All processes killed

========== OTL ==========

Service stllssvr stopped successfully!

Service stllssvr deleted successfully!

File File not found not found.

Service srv8E8 stopped successfully!

Service srv8E8 deleted successfully!

File File not found not found.

Service CLTNetCnService stopped successfully!

Service CLTNetCnService deleted successfully!

File File not found not found.

Service AMPingService stopped successfully!

Service AMPingService deleted successfully!

File File not found not found.

Service ACDaemon stopped successfully!

Service ACDaemon deleted successfully!

File File not found not found.

HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\XMLHTTP_UUID_Default| /E : value set successfully!

HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main\XMLHTTP_UUID_Default| /E : value set successfully!

HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main\XMLHTTP_UUID_Default| /E : value set successfully!

HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main\XMLHTTP_UUID_Default| /E : value set successfully!

HKU\S-1-5-21-2894904981-2197855763-2040645093-1000\SOFTWARE\Microsoft\Internet Explorer\Main\XMLHTTP_UUID_Default| /E : value set successfully!

Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EB5CEE80-030A-4ED8-8E20-454E9C68380F} not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EB5CEE80-030A-4ED8-8E20-454E9C68380F} not found.

File C:\Program Files\Bandoo\Plugins\IE\ieplugin.dll not found.

Registry value HKEY_USERS\S-1-5-21-2894904981-2197855763-2040645093-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{30F9B915-B755-4826-820B-08FBA6BD249D} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{30F9B915-B755-4826-820B-08FBA6BD249D} not found.

Registry value HKEY_USERS\S-1-5-21-2894904981-2197855763-2040645093-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{B9D63C58-90CC-428B-8D3B-CBB88EB07E7E} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B9D63C58-90CC-428B-8D3B-CBB88EB07E7E} not found.

Registry value HKEY_USERS\S-1-5-21-2894904981-2197855763-2040645093-1000\Software\Microsoft\Windows\CurrentVersion\Run deleted successfully.

Registry key HKEY_USERS\S-1-5-21-2894904981-2197855763-2040645093-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\adobe.com\www deleted successfully.

Registry key HKEY_USERS\S-1-5-21-2894904981-2197855763-2040645093-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sbcglobal.net deleted successfully.

Registry key HKEY_USERS\S-1-5-21-2894904981-2197855763-2040645093-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\turbotax.com deleted successfully.

Registry key HKEY_USERS\S-1-5-21-2894904981-2197855763-2040645093-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\vreel.net\beta deleted successfully.

Registry key HKEY_USERS\S-1-5-21-2894904981-2197855763-2040645093-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\yahoo.com deleted successfully.

Registry key HKEY_USERS\S-1-5-21-2894904981-2197855763-2040645093-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\yahoo.com not found.

Registry key HKEY_USERS\S-1-5-21-2894904981-2197855763-2040645093-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\yahoo.com not found.

Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}

C:\Windows\Downloaded Program Files\erma.inf not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} not found.

C:\Windows\048298C9A4D3490B9FF9AB023A9238F3.TMP\WiseCustomCalla.dll deleted successfully.

C:\Windows\048298C9A4D3490B9FF9AB023A9238F3.TMP\WiseCustomCalla6.dll deleted successfully.

C:\Windows\048298C9A4D3490B9FF9AB023A9238F3.TMP folder deleted successfully.

C:\Windows\hwflzjfujy.tmp deleted successfully.

C:\Windows\msdownld.tmp folder deleted successfully.

C:\Windows\System32\hwflzjfujy.tmp deleted successfully.

C:\Users\Jay & Mel\Desktop\hwflzjfujy.tmp deleted successfully.

C:\Windows\System32\drivers\lvuvc.hs moved successfully.

C:\Windows\System32\ilghLYHd6.com.b moved successfully.

C:\ProgramData\444aI44.dat moved successfully.

ADS C:\ProgramData\TEMP:DFC5A2B2 deleted successfully.

ADS C:\ProgramData\TEMP:0B4227B4 deleted successfully.

ADS C:\ProgramData\TEMP:D1B5B4F1 deleted successfully.

========== FILES ==========

< ipconfig /flushdns /c >

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

C:\Users\Jay & Mel\Desktop\cmd.bat deleted successfully.

C:\Users\Jay & Mel\Desktop\cmd.txt deleted successfully.

C:\WINDOWS\tasks\At1.job moved successfully.

C:\WINDOWS\tasks\At10.job moved successfully.

C:\WINDOWS\tasks\At11.job moved successfully.

C:\WINDOWS\tasks\At12.job moved successfully.

C:\WINDOWS\tasks\At13.job moved successfully.

C:\WINDOWS\tasks\At14.job moved successfully.

C:\WINDOWS\tasks\At15.job moved successfully.

C:\WINDOWS\tasks\At16.job moved successfully.

C:\WINDOWS\tasks\At17.job moved successfully.

C:\WINDOWS\tasks\At18.job moved successfully.

C:\WINDOWS\tasks\At19.job moved successfully.

C:\WINDOWS\tasks\At2.job moved successfully.

C:\WINDOWS\tasks\At20.job moved successfully.

C:\WINDOWS\tasks\At21.job moved successfully.

C:\WINDOWS\tasks\At22.job moved successfully.

C:\WINDOWS\tasks\At23.job moved successfully.

C:\WINDOWS\tasks\At24.job moved successfully.

C:\WINDOWS\tasks\At25.job moved successfully.

C:\WINDOWS\tasks\At26.job moved successfully.

C:\WINDOWS\tasks\At27.job moved successfully.

C:\WINDOWS\tasks\At28.job moved successfully.

C:\WINDOWS\tasks\At29.job moved successfully.

C:\WINDOWS\tasks\At3.job moved successfully.

C:\WINDOWS\tasks\At30.job moved successfully.

C:\WINDOWS\tasks\At31.job moved successfully.

C:\WINDOWS\tasks\At32.job moved successfully.

C:\WINDOWS\tasks\At33.job moved successfully.

C:\WINDOWS\tasks\At34.job moved successfully.

C:\WINDOWS\tasks\At35.job moved successfully.

C:\WINDOWS\tasks\At36.job moved successfully.

C:\WINDOWS\tasks\At37.job moved successfully.

C:\WINDOWS\tasks\At38.job moved successfully.

C:\WINDOWS\tasks\At39.job moved successfully.

C:\WINDOWS\tasks\At4.job moved successfully.

C:\WINDOWS\tasks\At40.job moved successfully.

C:\WINDOWS\tasks\At41.job moved successfully.

C:\WINDOWS\tasks\At42.job moved successfully.

C:\WINDOWS\tasks\At43.job moved successfully.

C:\WINDOWS\tasks\At44.job moved successfully.

C:\WINDOWS\tasks\At45.job moved successfully.

C:\WINDOWS\tasks\At46.job moved successfully.

C:\WINDOWS\tasks\At47.job moved successfully.

C:\WINDOWS\tasks\At48.job moved successfully.

C:\WINDOWS\tasks\At5.job moved successfully.

C:\WINDOWS\tasks\At6.job moved successfully.

C:\WINDOWS\tasks\At7.job moved successfully.

C:\WINDOWS\tasks\At8.job moved successfully.

C:\WINDOWS\tasks\At9.job moved successfully.

File\Folder C:\Program Files\Bandoo not found.

File\Folder C:\WINDOWS\system32\drivers\etc\hosts not found.

========== REGISTRY ==========

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\"AppInit_DLLs"|"" /E : value set successfully!

Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Bandoo not found.

Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\menuorder\start menu2\programs\bandoo not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Bandoo deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\BandooCore.EXE deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BandooCore.BandooCore.1 deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BandooCore.BandooCore deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BandooCore.ResourcesMngr.1 deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BandooCore.ResourcesMngr deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BandooCore.SettingsMngr.1 deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BandooCore.SettingsMngr deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BandooCore.StatisticMngr.1 deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BandooCore.StatisticMngr deleted successfully.

========== COMMANDS ==========

HOSTS file reset successfully

 

[EMPTYTEMP]

 

User: All Users

 

User: Default

->Temporary Internet Files folder emptied: 33170 bytes

->Flash cache emptied: 56475 bytes

 

User: Default User

->Temporary Internet Files folder emptied: 0 bytes

->Flash cache emptied: 0 bytes

 

User: Guest

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 1132483 bytes

->Flash cache emptied: 41690 bytes

 

User: Jay & Mel

->Temp folder emptied: 7860287 bytes

->Temporary Internet Files folder emptied: 470427342 bytes

->Java cache emptied: 214 bytes

->Flash cache emptied: 57980 bytes

 

User: Public

 

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 111163 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes

RecycleBin emptied: 6887201 bytes

 

Total Files Cleaned = 464.00 mb

 

 

OTL by OldTimer - Version 3.2.31.0 log created on 12202011_064831

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

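Reading a fix log like the one above, the entries worth recognising are the forty-eight At*.job scheduled tasks under C:\WINDOWS\tasks, the alternate data streams on C:\ProgramData\TEMP, the cleared AppInit_DLLs value and the hosts-file reset, since each is a persistence or redirection point rather than a plain temporary file. The script below is an added example (not from this thread, nor from OTL or its author) that parses lines in OTL's result format, tallies outcomes per section and flags those artefacts; the sample lines are constructed in the shape of the posted log.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a few lines in the same shape as the OTL fix log posted above.
SAMPLE_LOG = """\
========== OTL ==========
Service stllssvr deleted successfully!
File File not found not found.
Registry key HKEY_LOCAL_MACHINE\\SOFTWARE\\Bandoo deleted successfully.
ADS C:\\ProgramData\\TEMP:DFC5A2B2 deleted successfully.
========== FILES ==========
C:\\WINDOWS\\tasks\\At1.job moved successfully.
C:\\WINDOWS\\tasks\\At48.job moved successfully.
File\\Folder C:\\WINDOWS\\system32\\drivers\\etc\\hosts not found.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\"AppInit_DLLs"|"" /E : value set successfully!
========== COMMANDS ==========
HOSTS file reset successfully
"""
SECTION_RE = re.compile(r"^=+\s*(\w+)\s*=+$")
# Every OTL result line ends in one of a few outcome phrases; split object from outcome.
RESULT_RE = re.compile(
    r"^(?P<obj>.+?)\s+(?P<outcome>deleted successfully|moved successfully|"
    r"stopped successfully|not found|value set successfully)[.!]?$"
)
AT_JOB_RE = re.compile(r"\\tasks\\At\d+\.job$", re.IGNORECASE)


def parse_otl_log(text):
    """Return ({section: Counter(outcome)}, [noteworthy findings in log order])."""
    counts, findings, section = defaultdict(Counter), [], "HEADER"
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(1)
            continue
        if line == "HOSTS file reset successfully":
            findings.append("hosts file reset to default")
            continue
        hit = RESULT_RE.match(line)
        if not hit:
            continue  # banner or free-text line with no outcome
        obj, outcome = hit.group("obj"), hit.group("outcome")
        counts[section][outcome] += 1
        # Persistence artefacts a responder should recognise in a fix log.
        if AT_JOB_RE.search(obj):
            findings.append("scheduled At job removed: " + obj.rsplit("\\", 1)[-1])
        elif obj.startswith("ADS "):
            findings.append("alternate data stream removed: " + obj[4:])
        elif "AppInit_DLLs" in obj:
            findings.append("AppInit_DLLs value cleared")
    return counts, findings
```

Run against the full log, the FILES section alone should report forty-eight At*.job entries moved, which is the quickest way to see the scale of the scheduled-task persistence that was cleaned.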

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8402

Windows 6.0.6002 Service Pack 2

Internet Explorer 9.0.8112.16421

12/20/2011 7:06:01 AM

mbam-log-2011-12-20 (07-06-01).txt

Scan type: Quick scan

Objects scanned: 186104

Time elapsed: 8 minute(s), 21 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Hi. :)

 

As of today, my pc seems to be running fine....but MalwareBytes did not detect anything, and it's only been one day. Any further things you suggest?

Good...please run the below online scan for me and post the resulting log when complete.

 

ESET Online Scanner:

 

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will, however, need to disable your currently installed Anti-Virus; how to do so can be read here.

 

Vista users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

 

  • Please go here to run the scan...Click on Scan Now

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.

    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: Posted Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is Not checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Posted Image
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed, select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on: Posted Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

Hi. :)

 

I did as instructed but no txt log appeared at the end, and it is now uninstalled. I was able to see that it said no threats were found.

 

Fair play...

 

Vista Startup Repair:

  • Boot up your computer from the Vista DVD.
  • If you are not sure how to, a very good tutorial can be read here.
  • You will have to answer a few basic questions, then select the option Repair your computer.
  • At the System Recovery Options screen click Windows Vista to highlight, then Next>
  • You should now see the Searching for Problems...
  • Note: If given the option to Perform a System Restore, do not select and cancel the option.
  • If problems found let Startup Repair complete and follow the prompts.
Note: If you do not have a Vista DVD, visit this webpage. Click on How do I use Startup Repair

 

Then scroll down to If Startup Repair is a preinstalled recovery option on your computer and follow the instructions.

 

Vista-System File Checker:

  • Click on Start(Vista Orb).
  • Click on All Programs >> Accessories
  • Right click on Command Prompt and select Run as Administrator.
  • Click on Continue in the UAC prompt.
  • At the Command Prompt C:\Windows\System32> type in the following exactly:
  • cd c:\
  • Then depress the Enter/Return key, then type in the following exactly:
  • sfc /scannow
  • Then depress the Enter/Return key.
Note: This may take a while to finish. When completed, close the Administrator Command Prompt window by typing Exit, then depress the Enter/Return key and reboot your machine.

 

Next:

 

Let me know when you have completed the above, and how your computer is performing now. Any further symptoms and/or problems encountered?


Notice where it says it found corrupt files, but was unable to fix them....

 

 

Microsoft Windows [Version 6.0.6002]

Copyright © 2006 Microsoft Corporation. All rights reserved.

C:\Users\Jay & Mel>C:\Windows\System32

'C:\Windows\System32' is not recognized as an internal or external command,

operable program or batch file.

C:\Users\Jay & Mel>cd c:\

c:\>sfc/scannow

Beginning system scan. This process will take some time.

Beginning verification phase of system scan.

Verification 100% complete.

Windows Resource Protection found corrupt files but was unable to fix some of them.

Details are included in the CBS.Log windir\Logs\CBS\CBS.log. For example

C:\Windows\Logs\CBS\CBS.log

c:\>


Hi. :)

 

With regard to this error:-

 

Windows Resource Protection found corrupt files but was unable to fix some of them.

I'm afraid I cannot be of assistance, as I primarily only provide Anti-Malware Support and it is outside my sphere of expertise, if you will. Basically the Operating System itself is corrupted, so you have two options:-

 

1 - Since it appears your machine is now malware free, we can update Java and remove all tools used during the course of the malware removal process and I can refer you to the IT Techs here in the forum to see if they can be of assistance.

 

2 - Perform a reformat and reinstallation of the Windows Operating System.

 

I am sorry I do not have better news for your good self at this time.


Let's go with option 1....I do not prefer to go through the hassle of a reformat and to reload most everything back to my pc. I would rather update Java and remove the tools you suggest. If another IT tech can assist me further, that would be great. Thank you for all your assistance thus far :)


Hi. :)

 

Let's go with option 1....I do not prefer to go through the hassle of a reformat and to reload most everything back to my pc. I would rather update Java and remove the tools you suggest. If another IT tech can assist me further, that would be great. Thank you for all your assistance thus far :)

Fair play and you're welcome!

 

When you have completed the below, create a new topic in this part of the forum:-

 

User to User Help

 

New Java Installation:

  • Click here to visit Java's website.
  • Scroll down to Java SE 7u2. Click on JRE Download.
  • Check (tick) Java SE Runtime Environment 7 License Agreement box.
  • Click on jre-7u2-windows-i586.exe link next to Windows x86 Offline to download it and save this to your desktop.
  • Right-click on jre-7u2-windows-i586.exe and select Run as Administrator to install Java.
Uninstall ComboFix:

  • Click on Start >> Run...
  • Now type in ComboFix /Uninstall into the box and click OK.
  • Note the space between the X and the /Uninstall; it needs to be there.

Clean up with OTL:

  • Right-click OTL and select Run as Administrator to start the program.
  • Close all other programs apart from OTL as this step will require a reboot.
  • On the OTL main screen, depress the CleanUp button.
  • Say Yes to the prompt and then allow the program to reboot your computer.
The above process should clean up and remove the vast majority of scanners used and logs created etc.

 

Any left over, merely delete yourself and empty the Recycle Bin.

 

Next:

 

This is a very helpful/useful set of advice from Microsoft: Microsoft Safety & Security Center

 

Any questions? Feel free to ask, if not stay safe!


Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

 

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

 

Everyone else please begin a New Topic.
