I've had a scan pop up with over 1k hidden rootkits and can't find the file for it.
This is the second scan in a week that has done it. First a quick scan on the 30th, and now today a full scan.
Hi. Let's do a full system analysis if you wish.
Download DDS and save it to your Desktop from here:
http://download.bleepingcomputer.com/sUBs/dds.scr
Double click dds to run the tool.
* When done, DDS will open two (2) logs:
1. DDS.txt
2. Attach.txt
Save both reports to your Desktop. Attach them to this topic.
Download the program GMER from the link below to your Desktop:
GMER download:
www2.gmer.net/download.php
(note: the file has a random name)
Double click to run GMER.
Wait until the introductory scan is complete. It will be over soon.
If any prompt appears, click No;
Then click Scan and wait until the scan is complete;
Click Save …
Save the report to your Desktop (called Gmer1);
Right-click on the GMER window and select Options > Only non MS files, then click Scan;
After a short scan, click Save …
Save the report to your Desktop (called Gmer2);
Click the button >>> and select the Autostart tab;
After a short scan, click Copy;
Open Notepad and paste the copied text, then save the report to the Desktop (named Gmer3);
Attach here DDS.txt, Attach.txt and Gmer logs 1/2/3
The files.
Gmer1 and 2 both came up blank; nothing in them.
Can you attach the avast logs also? I need to see the detection.
C:\ProgramData\Alwil Software\Avast5\log
C:\ProgramData\Alwil Software\Avast5\report
OK, this is the 7th time trying to post it. I found out it keeps timing out trying to post the avast logs.
The file size for the log is way too big. I can only post 200 KB; the file is 16 MB of text.
Here is the second scan for Gmer1. And the log.
As for Gmer3, I clicked Scan over 10 times and nothing happened each time, so it came up blank. Nothing to copy to a file.
Hm… OK, let's go like this.
Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.
Temporarily disable your AntiVirus program.
If you are unsure how to do this, please read these instructions.
Run ComboFix. Click on I agree.
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If the Recovery Console is not installed, ComboFix will offer to download and install it.
Click Yes to allow ComboFix to install the Recovery Console.
When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
Post the log report (ComboFix.txt) back to this topic.
Download RootRepeal.zip and unzip it to your Desktop.
* Double click RootRepeal.exe to start the program
* Click on the Report tab at the bottom of the program window
* Click the Scan button
* In the Select Scan dialog, check:
  * Drivers
  * Files
  * Processes
  * SSDT
  * Stealth Objects
  * Hidden Services
* Click the OK button
* In the next dialog, select all drives showing
* Click OK to start the scan. The scan can take some time. DO NOT run any other programs while the scan is running
* When the scan is complete, the Save Report button will become available
* Click this and save the report to your Desktop as RootRepeal.txt
* Go to File, then Exit to close the program
Here is the ComboFix file.
As for RootRepeal, it doesn't support 64-bit OS.
I'm running Win 7 64-bit.
Hehe, yes, RR doesn't work on x64 systems. ;D
I had not paid attention to the version of the system.
I have some things to do on my home forum, so I haven't looked with full attention.
The logs look clean, but just to let you know, I will analyze your logs later.
In the meantime, please attach the avast! logs so we can see the exact detection.
Like I said, I can't post the log.
AswAR1 is 17 MB; I can only post 200 KB.
http://img.photobucket.com/albums/v611/dragonspwan15/th_avastlogs.png
Here is a sample of the infected files it lists in the log.
But the first 2 weren't infected; those are files that it scanned.
Process C:\Windows\System32\SearchProtocolHost.exe [77948]
Process C:\Windows\System32\SearchFilterHost.exe [79268]
Process [7] **HIDDEN**
Process [0]
Process [64128] **HIDDEN**
Process [36] **HIDDEN**
Process [0]
Process [64128] **HIDDEN**
Process [12] **HIDDEN**
Process [0]
Process [64128] **HIDDEN**
Process [33] **HIDDEN**
Process [0]
Process [64128] **HIDDEN**
Process [19] **HIDDEN**
Process [0]
Process [64128] **HIDDEN**
Process [36] **HIDDEN**
Process [0]
Process [63648] **HIDDEN**
Process [12] **HIDDEN**
"
"
Process [64128] **HIDDEN**
Process [5] **HIDDEN**
Process [0]
Process [64128] **HIDDEN**
Process [12] **HIDDEN**
Process [0]
Process [64128] **HIDDEN**
Process [12] **HIDDEN**
Disk 0 MBR
File C:\Windows\addins
File C:\Windows\addins\FXSEXT.ecf
I cut it down; the " means there are a lot more in between saying the same thing, just with different numbers.
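The poster cannot attach the 16 MB aswAR log, and the excerpt above is mostly the same `Process [N] **HIDDEN**` line repeated with different numbers. As an added example (not from the thread, and not Avast's own tooling), here is a small Python script that parses lines in that shape and collapses them into a summary that fits a forum post: counts per entry kind, how many entries are flagged HIDDEN, how many of those actually carry a file path (the only ones you could go look for on disk), and a frequency table of the bracketed numbers. The sample lines are constructed to match the excerpt; the meaning of the bracketed number is not documented on the page, so the script reports it as-is.

```python
import re
from collections import Counter

# Constructed sample in the shape of the aswAR excerpt quoted above; it is NOT the
# poster's real log. Backslashes are doubled only because this is a Python literal.
SAMPLE_LOG = """\
Process C:\\Windows\\System32\\SearchProtocolHost.exe [77948]
Process C:\\Windows\\System32\\SearchFilterHost.exe [79268]
Process [7] **HIDDEN**
Process [0]
Process [64128] **HIDDEN**
Process [36] **HIDDEN**
Process [0]
Process [64128] **HIDDEN**
Process [12] **HIDDEN**
Disk 0 MBR
File C:\\Windows\\addins
File C:\\Windows\\addins\\FXSEXT.ecf
"""

# kind, free-form body, optional **HIDDEN** flag at the end of the line
ENTRY_RE = re.compile(
    r"^(?P<kind>Process|File|Disk)\s+(?P<body>.*?)\s*(?P<hidden>\*\*HIDDEN\*\*)?\s*$"
)
# trailing bracketed number, e.g. "[64128]"; the log does not say what it means
NUM_RE = re.compile(r"\[(\d+)\]$")


def parse_entries(text):
    """Turn log lines into dicts: kind, name (path or ''), num, hidden."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.rstrip())
        if not m:
            continue  # not an entry line (blank, header, unknown kind)
        body = m.group("body").strip()
        num = None
        nm = NUM_RE.search(body)
        if nm:
            num = int(nm.group(1))
            body = body[: nm.start()].strip()
        entries.append({
            "kind": m.group("kind"),
            "name": body,
            "num": num,
            "hidden": m.group("hidden") is not None,
        })
    return entries


def summarize(entries):
    """Collapse thousands of near-identical lines into a few numbers."""
    hidden = [e for e in entries if e["hidden"]]
    return {
        "total": len(entries),
        "by_kind": dict(Counter(e["kind"] for e in entries)),
        "hidden_total": len(hidden),
        # hidden entries that name a file are the only ones you can look for on disk
        "hidden_with_path": sorted({e["name"] for e in hidden if e["name"]}),
        "hidden_by_num": dict(Counter(e["num"] for e in hidden)),
        "named_processes": [e["name"] for e in entries
                            if e["kind"] == "Process" and e["name"]],
    }


def format_summary(s):
    """Plain-text rendering small enough to paste into a forum post."""
    lines = [f"entries: {s['total']}  by kind: {s['by_kind']}",
             f"hidden: {s['hidden_total']}  with a path: {len(s['hidden_with_path'])}",
             "hidden entries by bracketed number (number: count):"]
    for num, count in sorted(s["hidden_by_num"].items(), key=lambda kv: -kv[1]):
        lines.append(f"  {num}: {count}")
    lines.append("processes with a path: " + ", ".join(s["named_processes"]))
    return "\n".join(lines)


if __name__ == "__main__":
    # Real use: python summarize_aswar.py < aswAR1.txt ; falls back to the sample
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    print(format_summary(summarize(parse_entries(text))))
```

Run it with the real log on stdin and post the few lines it prints instead of the whole file. The `hidden_with_path` count is the number worth looking at first: if it is zero, every HIDDEN entry is an anonymous bracketed number with no file behind it, which matches what the poster saw when trying to find the file.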
c:\users\Silvdragon\Downloads\ComboFix.exe
Next time, run ComboFix from your Desktop as I wrote.
The logs do not show evidence of active malware.
It's more difficult to install a malicious rootkit on an x64 system.
Not impossible, of course.
What your AV reports is probably its heuristics.
http://en.wikipedia.org/wiki/Heuristic_analysis
Open notepad and copy/paste the text present inside the code box below:
ClearJavaCache::
RegLock::
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10t_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10t_ActiveX.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx"
"ThreadingModel"="Apartment"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx, 1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx"
"ThreadingModel"="Apartment"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx, 1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
Save this as CFScript.txt
http://img213.imageshack.us/img213/1218/cfscript1.gif
Close all browser windows and, referring to the screenshot above, drag CFScript.txt onto ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)
Please run Command Prompt.
Start >> Run
cmd
Enter
A black screen will pop up. There, copy the following:
tasklist /m >%systemdrive%\resultst.txt
Hit Enter.
You may close cmd.
Go to your system root (usually the C: partition) and attach the log resultst.txt here:
C:\resultst.txt
Or you may upload them here…
https://www.rapidshare.com/
or
http://www.megaupload.com/
Thanks for waiting ;D
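What the helper is asking for with `tasklist /m` is the list of DLLs loaded into every process. As an added example (not from the thread), here is a Python script that parses that output, which comes back as a fixed-width table where long module lists wrap onto indented continuation lines, and applies two simple triage checks: a module loaded into only one process, and a module that shows up in a process it has no business in according to an analyst-supplied allowlist. `tasklist /m` prints module file names only, not paths, so this narrows the search rather than settling it. The sample output, the `hook_helper.dll` name in it and the allowlist are constructed for illustration; the column layout is assumed from Windows 7's `tasklist` output.

```python
import re
from collections import defaultdict

# Constructed sample of `tasklist /m` output (not a capture from the thread).
# Real output is a fixed-width table; long module lists wrap onto indented lines.
SAMPLE_TASKLIST = """\

Image Name                     PID Modules
========================= ======== ============================================
System Idle Process              0 N/A
smss.exe                       264 N/A
explorer.exe                  1552 ntdll.dll, kernel32.dll, KERNELBASE.dll,
                                   ADVAPI32.dll, msvcrt.dll, SHELL32.dll
notepad.exe                   2208 ntdll.dll, kernel32.dll, KERNELBASE.dll,
                                   USER32.dll, hook_helper.dll
SearchProtocolHost.exe        2840 ntdll.dll, kernel32.dll, KERNELBASE.dll
"""

# image name (may contain spaces), right-aligned PID, then the module column
ROW_RE = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<mods>\S.*)$")


def _split_mods(s):
    return [m.strip() for m in s.split(",") if m.strip()]


def parse_tasklist_modules(text):
    """Return {(image, pid): [module, ...]}; 'N/A' means no module list."""
    procs = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("Image Name") or line.startswith("="):
            continue  # blank line, header, or separator row
        if line[0].isspace():
            if current is not None:  # wrapped continuation of the module list
                procs[current].extend(_split_mods(line))
            continue
        m = ROW_RE.match(line)
        if not m:
            continue
        current = (m.group("image"), int(m.group("pid")))
        mods = m.group("mods").strip()
        procs[current] = [] if mods == "N/A" else _split_mods(mods)
    return procs


def module_hosts(procs):
    """Map lower-cased module name -> sorted list of (image, pid) that load it."""
    hosts = defaultdict(list)
    for proc, mods in procs.items():
        for mod in {m.lower() for m in mods}:
            hosts[mod].append(proc)
    return {mod: sorted(ps) for mod, ps in hosts.items()}


def rare_modules(procs, max_hosts=1):
    """Modules present in at most max_hosts processes: a starting point, not a verdict."""
    return {mod: ps for mod, ps in module_hosts(procs).items() if len(ps) <= max_hosts}


def unexpected_in(procs, image, allowed):
    """Modules loaded by `image` that are not in the analyst-supplied allowlist."""
    allowed = {a.lower() for a in allowed}
    found = set()
    for (img, _pid), mods in procs.items():
        if img.lower() == image.lower():
            found.update(m.lower() for m in mods)
    return sorted(found - allowed)


if __name__ == "__main__":
    # Real use: parse_tasklist_modules(open(r"C:\resultst.txt").read())
    procs = parse_tasklist_modules(SAMPLE_TASKLIST)
    for mod, hosts in sorted(rare_modules(procs).items()):
        print(f"{mod}: only in {hosts}")
```

On a real machine many legitimate DLLs are loaded by exactly one process, so `rare_modules` produces a shortlist to check against the file on disk (location, signature, version), not a list of infections; `unexpected_in` is the sharper check once you know what a given process normally loads.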
Weird, I moved it to the Desktop, but I guess when I drag a file to the Desktop it makes a shortcut.