Possible exploits

Hello,
I ran a RogueKiller scan and these were the results:

RogueKiller V8.6.3 [Jul 17 2013] by Tigzy
mail : tigzyRKgmailcom
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : NickD [Admin rights]
Mode : Scan – Date : 07/18/2013 09:22:36
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤
[HJ DESK] HKCU[…]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) → FOUND
[HJ DESK] HKCU[…]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) → FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
[Inline] SSDT[376] : NtTraceEvent @ 0x83CC1D8C → HOOKED (Unknown @ 0x8EE28C00)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
→ %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD5000AADS-67S9B1 ATA Device +++++
— User —
[MBR] 5985724ba892a5726b4ce24e2f48fbe8
[BSP] eb11fb66582f439466a24426dcc02753 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 76217 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 156299264 | Size: 400620 Mo
User = LL1 … OK!
User = LL2 … OK!

Finished : << RKreport[0]_S_07182013_092236.txt >>

  1. Are those HJ DESK results false positives? And if so, should I remove them? (I've read they are put there by Microsoft.)
  2. What is this:
    ¤¤¤ Driver : [LOADED] ¤¤¤
    [Inline] SSDT[376] : NtTraceEvent @ 0x83CC1D8C → HOOKED (Unknown @ 0x8EE28C00)
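
The two questions above (whether the HJ DESK entries are false positives, and what the hooked SSDT entry means) are the triage a scanner report like this invites. Below is an added Python example, not part of the thread and not RogueKiller's own code: it parses the report quoted above, classifies HJ DESK hits on the Windows Explorer HideDesktopIcons CLSIDs (the first entry is the "User's Files" desktop icon) as configuration rather than a hijack, and attributes the target address of an SSDT hook to a loaded kernel module. The module list is constructed for the example and its names are placeholders; on a real system it would come from the scanner's kernel module listing, and the reply later in the thread names the actual driver.

```python
import re

# Constructed sample: the relevant part of the RogueKiller report quoted in the
# first post (header lines trimmed; the arrow is written "->" as in the later quote).
SAMPLE_REPORT = """\
RogueKiller V8.6.3 [Jul 17 2013] by Tigzy

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤
[HJ DESK] HKCU[...]\\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKCU[...]\\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

¤¤¤ Driver : [LOADED] ¤¤¤
[Inline] SSDT[376] : NtTraceEvent @ 0x83CC1D8C -> HOOKED (Unknown @ 0x8EE28C00)
"""

# Windows Explorer HideDesktopIcons CLSIDs: a value here only toggles the
# visibility of a desktop icon, so an HJ DESK hit on one of them is configuration.
DESKTOP_ICON_CLSIDS = {
    "{59031a47-3f72-44a7-89c5-5595fe6b30ee}": "User's Files",
    "{20d04fe0-3aea-1069-a2d8-08002b30309d}": "Computer",
    "{645ff040-5081-101b-9f08-00aa002f954e}": "Recycle Bin",
    "{f02c1a0d-be21-4350-88b0-7367fc96ef3c}": "Network",
    "{5399e694-6ce5-4d6c-8fce-1d8870fdcba0}": "Control Panel",
}

# Constructed loaded-module list (name, image base, size). Only the address
# ranges matter for the lookup; the names are placeholders, not real findings.
CONSTRUCTED_MODULES = [
    ("ntoskrnl.exe", 0x83C00000, 0x400000),
    ("thirdparty_filter.sys", 0x8EE20000, 0x20000),
]

SECTION_RE = re.compile(r"^¤¤¤ (.+?) ¤¤¤$")
REG_RE = re.compile(
    r"^\[(?P<tag>[^\]]+)\] (?P<key>.+?) : (?P<value>\S+)(?: \(\d+\))? (?:→|->) FOUND$"
)
SSDT_RE = re.compile(
    r"^\[Inline\] SSDT\[(?P<idx>\d+)\] : (?P<func>\w+) @ 0x(?P<orig>[0-9A-Fa-f]+) "
    r"(?:→|->) HOOKED \((?P<owner>[^@]+?) @ 0x(?P<target>[0-9A-Fa-f]+)\)$"
)


def parse_report(text):
    """Split a report into {section name: [finding lines]}, dropping the counts."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).split(" : ")[0].strip()
            sections.setdefault(current, [])
        elif current is not None and line.startswith("["):
            sections[current].append(line)
    return sections


def resolve_module(address, modules):
    """Return the module whose image range contains address, or None if unmapped."""
    for name, base, size in modules:
        if base <= address < base + size:
            return name
    return None


def classify_registry(line):
    """Triage a registry finding: HJ DESK hits on desktop icon CLSIDs are config."""
    m = REG_RE.match(line)
    if m is None:
        return None
    clsid = m.group("value").lower()
    if m.group("tag") == "HJ DESK" and clsid in DESKTOP_ICON_CLSIDS:
        return "benign-config", f"desktop icon toggle for {DESKTOP_ICON_CLSIDS[clsid]}"
    return "review", m.group("key")


def classify_hook(line, modules):
    """Triage an SSDT hook: it is explainable once the target address is attributed
    to a loaded module; a target that maps to nothing needs a closer look."""
    m = SSDT_RE.match(line)
    if m is None:
        return None
    target = int(m.group("target"), 16)
    owner = resolve_module(target, modules)
    if owner is None:
        return "needs-attribution", f"{m.group('func')} hooked from unmapped 0x{target:08X}"
    return "attributed", f"{m.group('func')} hooked by {owner}"


def triage(text, modules):
    """Return (section, line, verdict, detail) for every finding in the report."""
    results = []
    for section, lines in parse_report(text).items():
        for line in lines:
            if section == "Registry Entries":
                verdict = classify_registry(line)
            elif section == "Driver":
                verdict = classify_hook(line, modules)
            else:
                verdict = ("review", line)
            if verdict is not None:
                results.append((section, line, *verdict))
    return results


if __name__ == "__main__":
    for section, line, verdict, detail in triage(SAMPLE_REPORT, CONSTRUCTED_MODULES):
        print(f"[{section}] {verdict}: {detail}")
```

Run against the sample, both HJ DESK lines come out as `benign-config` and the hook is attributed to whichever module covers 0x8EE28C00; with an empty module list the same hook is reported as `needs-attribution`, which is the state the original poster was in before the driver was identified.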

Hey, and welcome to the forum. :slight_smile:

I suggest you follow this guide and attach the needed logs from there.

We need the logs from AdwCleaner, MBAM, OTL and aswMBR.

http://forum.avast.com/index.php?topic=53253.0

A malware expert will help you from here, but because of the different time zone it will be later today.

Thanks for the help, I already PMed the owner of RogueKiller and he explained the results.

Hey again. You're welcome, but to be on the safe side please follow the guide I have posted.

I'm no expert, but RogueKiller has detected something that might need to be checked.

OK, I'll try.

Here are the logs.
Also, why does RogueKiller find Google Update as malicious?
And I have deleted the Java Sun folder from AppData (got rid of Java long ago, don't know why remnants are there, as I used a Java remover, I believe).

Results of the 3 scans 9 this program is good, picked up roboot that no other antivirus thought was malicious.
For the OTL scan I only saw the OTL log, no extra log.

Hey, a malware expert will help you from here, but to speed it up I will drop a note to one of them on your topic.

Hi avastreally?

You've run ComboFix on your own; please attach the log file, located at C:\Combofix.txt

Please download GMER, an anti-rootkit tool, from the link below and save it to your Desktop:

Gmer download link
Note: the file will have a random name.

Double-click to run GMER.

  1. Wait for the initial scan to finish; if there is any query, click No.
  2. Click the Scan button and wait until the full scan is complete.
  3. Click Save… and save the report to the Desktop (named Gmer1).

  4. Right-click anywhere in GMER's window and select Options > 3rd party, then click the Scan button.
  5. Please wait until the full scan is complete.
  6. Click the Save… button and save the report to the Desktop (named Gmer2).
  Note: the Gmer2 scan may take some time.

  7. Click the >>> and select the Autostart card.
  8. After the quick scan, click the Copy button.
  9. Open Notepad and paste the text. Save the report to the Desktop (named Gmer3).

Attach all GMER log reports here (Gmer1, Gmer2 and Gmer3).

About ComboFix: it was run many times during an infection, under the Malwarebytes forum malware pro MrCharlie.
I ran a Kaspersky scan and they said:

Vulnerabilities (2) Information about applications and operating system components in which vulnerabilities have been detected. C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe C:\Program Files\VideoLAN\VLC\vlc.exe
I don't understand that, as it's up to date. Edit: running your scans now. Edit: GMER logs too large to attach.

The first log is too big; I tried to RAR it but that's not allowed.
Download Gmer1 from here:
http://www52.zippyshare.com/v/70318734/file.html

Great, GMER shows no signs of rootkit infection; for me it is authoritative. Do you have browser redirects, a slow system, anything like that?

Please download OTM and save it to your desktop.

  1. Double-click on OTM.exe to launch the tool.
  2. Paste the following code under the "Paste Instructions for Items to be Moved" line:

:files
c:\progra~1\BEARSH~1\MediaBar\Datamngr\IEBHO.dll

:reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{74322BF9-DF26-493f-B0DA-6D2FC5E6429E}]

:commands
[CREATERESTOREPOINT]
[emptytemp]

  3. Click on the MoveIt! button.
  OTM may ask to reboot the machine. Please do so if asked.
  4. Copy/paste the contents under the Results line here in your next reply.

Note: it will also create a log in C:\_OTM\MovedFiles
- open the newest .log file present, and copy/paste the contents of that document back here in your next post.

You mean if I have evidence of browser redirects? Nope :slight_smile:, the system is fast (at one time it was slow because I had Malwarebytes Pro and it affected my audio, but I did some fixes so everything is alright).
I thought I had a rootkit because of the RogueKiller results (it's in my first post above).
Edit: gonna run the program now.

I thought I had a rootkit because of RogueKiller (it's in my first post above)
¤¤¤ Driver : [LOADED] ¤¤¤
[Inline] SSDT[376] : NtTraceEvent @ 0x83CC1D8C -> HOOKED (Unknown @ 0x8EE28C00) 

SPTD, the DAEMON Tools driver, not a rootkit.

Re-run OTL

:files
c:\users\PatricK\AppData\Local\tjnet
c:\users\PatricK\AppData\Roaming\mjusbsp

Then click the Run Fix button at the top.
Let the program run unhindered; it will reboot the system when it is done and open Notepad with the log report. Attach that log report here.

Sorry for the slow reply, it just rebooted.

All processes killed
========== FILES ==========
File/Folder c:\progra~1\BEARSH~1\MediaBar\Datamngr\IEBHO.dll not found.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE~\Browser Helper Objects{74322BF9-DF26-493f-B0DA-6D2FC5E6429E}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{74322BF9-DF26-493f-B0DA-6D2FC5E6429E}\ deleted successfully.
========== COMMANDS ==========
Restore point Set: OTM Restore Point

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Guest
->Temp folder emptied: 0 bytes

User: HomeGroupUser$
->Temp folder emptied: 0 bytes

User: PatricK
->Temp folder emptied: 214421 bytes
->Temporary Internet Files folder emptied: 5346369 bytes
->Google Chrome cache emptied: 78516150 bytes
->Flash cache emptied: 506 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 128 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 80.00 mb

OTM by OldTimer - Version 3.1.21.0 log created on 08072013_131042

Files moved on Reboot…
File move failed. C:\Users\PatricK\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat scheduled to be moved on reboot.
File move failed. C:\Windows\temp_avast_\Webshlock.txt scheduled to be moved on reboot.
File move failed. C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat scheduled to be moved on reboot.

Registry entries deleted on Reboot…

It didn't reboot, but I got this log:

========== FILES ==========
c:\users\PatricK\AppData\Local\tjnet\cdloader folder moved successfully.
c:\users\PatricK\AppData\Local\tjnet folder moved successfully.
c:\users\PatricK\AppData\Roaming\mjusbsp\Upgrade folder moved successfully.
c:\users\PatricK\AppData\Roaming\mjusbsp\ug00000 folder moved successfully.
c:\users\PatricK\AppData\Roaming\mjusbsp\st00000 folder moved successfully.
c:\users\PatricK\AppData\Roaming\mjusbsp\lr00001 folder moved successfully.
c:\users\PatricK\AppData\Roaming\mjusbsp\lr00000 folder moved successfully.
c:\users\PatricK\AppData\Roaming\mjusbsp\in00000 folder moved successfully.
c:\users\PatricK\AppData\Roaming\mjusbsp folder moved successfully.

OTL by OldTimer - Version 3.2.69.0 log created on 08072013_132452

Hopefully magicJack still works :stuck_out_tongue:

Do you want to delete magicJack? This is not malware.

Not a problem, we can remove it.

Nah, I need it :slight_smile:
Is everything looking OK now?
BTW, thanks for the help :smiley: