Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Swearware infection

Started by N. Kaufman , Feb 21 2010 08:53 AM

  • Please log in to reply

#1
N. Kaufman
Posted 21 February 2010 - 08:53 AM

N. Kaufman

    Member

  • Member
  • PipPip
  • 48 posts
Hello,

My laptop was infected sometime back and was cleaned. My mbr.log always shows the following:

======
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x025429803 !
PE file found in sector at 0x025429819 !
==== and it was concluded that any infection was removed and that the malicious code is just a residue.

I've run RootkitReveal and see the following log:
=====
HKU\S-1-5-21-1202660629-1409082233-1801674531-1003\Console 1/12/2010 6:47 AM 0 bytes Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC* 1/1/2010 12:10 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 1/1/2010 12:10 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{3D14228D-FBE1-11D0-995D-00C04FD919C1}* 1/1/2010 7:44 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Environment* 1/2/2010 9:11 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Swearware\backup\winsock2 1/10/2010 5:13 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters 1/10/2010 5:13 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\NameSpace_Catalog5 1/10/2010 5:13 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries 1/10/2010 5:13 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 1/10/2010 5:13 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 1/10/2010 5:13 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 1/10/2010 5:13 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9 1/10/2010 5:13 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries 1/10/2010 5:13 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 1/10/2010 5:13 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002 1/10/2010 5:13 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003 1/10/2010 5:13 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004 1/10/2010 5:13 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005 1/10/2010 5:13 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006 1/10/2010 5:13 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007 1/10/2010 5:13 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008 1/10/2010 5:13 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009 1/10/2010 5:13 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010 1/10/2010 5:13 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011 1/10/2010 5:13 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012 1/10/2010 5:13 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013 1/10/2010 5:13 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014 1/10/2010 5:13 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015 1/10/2010 5:13 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016 1/10/2010 5:13 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017 1/10/2010 5:13 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018 1/10/2010 5:13 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000019 1/10/2010 5:13 PM 0 bytes Security mismatch.

=====
Should I be concerned about Swearware?

Thanks,
  • 0

Advertisements

Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP