
Possible Rootkit Activity

I think it is possibly infected with a virus as I also encountered a few Blue Screens of Death (BSOD). nothing found Searching for MonKit... Still, being paranoid, I dug deeper. I would only get driver updates directly from the manufacturer or developer and not rely on a 3rd party program to find them for me.

nothing found Searching for Omega Worm... nothing found Searching for ESRK rootkit default files... So I pasted the log here: http://pastebin.com/WkFTYGdU What are they and why are they here? Also, in case it helps, here is some other possibly related output. http://www.bleepingcomputer.com/forums/t/391971/possible-rootkit-activity-detected/

Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. nothing found Searching for OpticKit... nothing found Searching for Volc rootkit... not found Checking `init'...

  1. But if first you had 4 listings in TDSS and now just a little over 2 hours later it is up to 6, there is a major problem going on there.
  2. It was a fake antivirus; I believe it was called "System Care Antivirus". It wouldn't allow him to open anything and it repeatedly told him that Symantec was infected.
  3. DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

not found Checking `pop3'... Please include the C:\ComboFix.txt in your next reply. not infected Checking `inetd'...

Ensure that the Safe Mode option is selected. Where are the logs from MBA-M Rootkit remover? http://www.techsupportforum.com/forums/f284/possible-rootkit-activity-692852.html Use the 'Add Reply' and add the new log to this thread.

Anyway, as a system introduction, I am running Ubuntu 8.04 and have had it running for a little over 4 months now. Any help you all could give me in determining this would be invaluable. R2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2002-5-8 212992] R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-8-10 108392] R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-8-10 108392] R2 HP LaserJet Service;HP LaserJet Service;c:\program not infected Checking `telnetd'...

Everyone else please begin a New Topic, after following the steps outlined here: NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help - Tech Support Forum So, I ran Combofix (I know we shouldn't do that, but I didn't have it fix anything major). not infected Checking `env'... not infected Checking `crontab'...

FF - ProfilePath - d:\documents and settings\wamcd.wamcd01\application data\mozilla\firefox\profiles\o40f8ch2.default\ FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=302398&p= FF - plugin: c:\program files\adobe\reader Run the scan, enable your A/V and reconnect to the internet. They all say forged file.

Reply #4, April 1st, 2009, BJ_Covert_Action (Ubuntu 8.04 Hardy, Oceano, CA): In task manager, I noticed several iexplore.exe processes in Task Manager. http://scvanet.org/possible-rootkit/possible-rootkit-not-exactly-sure-atm.html Mon Mar 30 16:48:12 2009 -> Algorithmic detection enabled.

not found Checking `gpm'... When done, please post the two logs produced; they will be in the MBAR folder. nothing found Searching for rootedoor...

Please copy and paste the contents of that file here. Gringo

They may otherwise interfere with our tools. I want you to save it to the desktop and run it from there. Link 1 Link 2 Link 3 1. But what about the stealth code? >Stealth Unknown thread object [ ETHREAD 0x845E2DA8 ] TID: 972 Address: 0x845C4850 Size: 592 Unknown thread object [ ETHREAD 0x83DC7030 ] TID: 3652 Address: 0x845A8850 This was what I was AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C} . ============== Running Processes ================ . . ============== Pseudo HJT Report =============== .

That being said, if anyone has any information regarding anything in this post (or other hints and tricks), please feel free to contact me via my user space here, or just reply. If the computer is running, shut down Windows, and then turn off the power. The one from that site is Free.

Open the folder where the contents were unzipped and run mbar.exe. Follow the instructions in the wizard to update and allow the program to scan your computer for threats. Please let me know if you can help or anything else you might need to help me address this problem. I use Driver Genius to update all my drivers and they are a legit outfit????

Here's the Combofix log: ComboFix 13-04-24.03 - wamcd 04/24/2013 15:37:03.6.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.456 [GMT -4:00] Running from: d:\documents and settings\wamcd.WAMCD01\Desktop\ComboFix.exe AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C} . The site owner is "unknown" really; it has changed hands multiple times. nothing found Searching for Madalin rootkit default files...