
Possible backdoor/rootkit removal assistance [Solved]


This topic is locked.

#16 LFC4 (Member, Topic Starter, 29 posts)

Dak!

Glad to hear you were able to throw a few back last night, although intoxicated Dak helping me would have been a bit more entertaining than having to study for my finals.

Back to business ... I started to mildly trim up my desktop and deleted the .txt files from yesterday, as well as making the move to switch the default browser to Internet Explorer.

I may just be paranoid/sleep deprived but I feel like it may be too good to be true (literally). I'm assuming a veteran hacker can disappear (and reappear) rather swiftly if they feel necessary.

Regardless, all play calls are 100% up to you.

Here are your requests, talk soon :cheers:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.0 (11.29.2014:1)
OS: Windows 8.1 x64
Ran by MB on Fri 12/12/2014 at  7:19:13.77
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

 

~~~ Registry Keys

 

~~~ Files

Successfully deleted: [File] C:\WINDOWS\prefetch\DRIVERUPDATEUI.EXE-A933B2EF.pf

 

~~~ Folders

 

~~~ Event Viewer Logs were cleared

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 12/12/2014 at  7:20:12.85
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

#17 LFC4 (Member, Topic Starter, 29 posts)

 AdwCleaner v4.105 - Report created 12/12/2014 at 08:16:57
# Updated 08/12/2014 by Xplode
# Database : 2014-12-08.2 [Live]
# Operating System : Windows 8.1  (64 bits)
# Username : MB - ISAAC-PC
# Running from : C:\Users\MB\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Scheduled Tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17416

Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Main [Default_Secondary_Page_URL]
Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Default_Secondary_Page_URL]
Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Secondary Start Pages]
Setting Restored : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Default_Secondary_Page_URL]
Setting Restored : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Secondary Start Pages]

*************************

AdwCleaner[R0].txt - [1290 octets] - [12/12/2014 08:15:00]
AdwCleaner[S0].txt - [1073 octets] - [12/12/2014 08:16:57]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1133 octets] ##########

#18 Dakeyras (Anti-Malware Mammoth, Expert, 9,684 posts)

Hi. :)

Glad to hear you were able to throw a few back last night, although intoxicated Dak helping me would have been a bit more entertaining than having to study for my finals.

Thanks, though it would not have been prudent of me to attempt any type of online support at the time. :cheers: Aye, studying may be tedious but worth it in the long run! ;)

Back to business ... I started to mildly trim up my desktop and deleted the .txt files from yesterday, as well as making the move to switch the default browser to Internet Explorer.

Fair play, though I will be employing a specific methodology to clean up all tools later on etc., and it is best not to make any major changes to the machine until I give the all clear.

I may just be paranoid/sleep deprived but I feel like it may be too good to be true (literally). I'm assuming a veteran hacker can disappear (and reappear) rather swiftly if they feel necessary.

Not at all, as you know best how the machine should be performing rather than myself; this type of support I provide is somewhat difficult at times basically because I never have any hands on, so to speak. As for a hacker, in my experience rarely would they target a home machine per se unless to make it part of what is known as a botnet, in which each individual machine is referred to as a zombie workstation; however, I have seen no evidence of such so far nor anything rootkit related... so you can take that as a positive sign.

Regardless, all play calls are 100% up to you.

As it stands just one more scan to err on the side of caution as follows...

Scan with Panda Cloud Cleaner:

Please download Panda Cloud Cleaner and save to your desktop.

Alternate downloads are here and here.
  • Double-click on PandaCloudCleaner.exe >> when the Setup - Panda Cloud Cleaner window has loaded >> Next > >> Next >
  • Ensure Launch Panda Cloud Cleaner is selected >> Finish >> once the GUI(graphical user interface) appears >> click on Accept and Scan
  • Please be patient as the scan may take some time to complete depending on your system's specifications.
  • Once the scan has completed, if Scan finished with detections is denoted in the GUI do not take any action and/or have Panda Cloud Cleaner clean absolutely anything!
  • Now within the GUI click on the >(or any of them if multiple) tab >> then on View Report >> a notepad file should now open called PCloudCleaner.txt
  • Save this to your desktop and post the contents in your next reply.
  • Then click on Back >> Exit
Note: When I give the all clear feel free to uninstall Panda Cloud Cleaner if you so wish.

#19 LFC4 (Member, Topic Starter, 29 posts)

Wow oh wow what a nifty scanner! Bit of action for you ...

Malware. REGKEY: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM[DISABLEREGISTRYTOOLS]. Value: DISABLEREGISTRYTOOLS To be deleted.

Malware. REGKEY: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM[DISABLETASKMGR]. Value: DISABLETASKMGR To be deleted.


#20 Dakeyras (Anti-Malware Mammoth, Expert, 9,684 posts)

Hi. :)

Bit of action for you ...

That is fine; it is a false positive detection and no further action is required. Any further issues remaining? If not, carry out the below and in turn post the requested log; afterwards I will provide some online safety advice etc.

Clean-Up with DelFix:

Please download DelFix to your desktop
  • Right-click on delfix.exe and select Run as Administrator to launch the application.
  • Referring to the image below, select all available options:
[image: DelFix.gif]
  • Then click on Run.
  • Once it has finished processing, a notepad file named DelFix.txt will open. Post the contents in your next reply for my review.
  • The log can also be located at the root of the system drive, C:\DelFix.txt.
  • After you have posted the aforementioned DelFix.txt, delete it and empty the Recycle Bin.


#21 LFC4 (Member, Topic Starter, 29 posts)

Howdy :wave:

Here you are sir!

# DelFix v10.8 - Logfile created 13/12/2014 at 17:31:55
# Updated 29/07/2014 by Xplode
# Username : MB - ISAAC-PC
# Operating System : Windows 8.1  (64 bits)

~ Activating UAC ... OK

~ Removing disinfection tools ...

Deleted : C:\FRST
Deleted : C:\AdwCleaner
Deleted : C:\Users\MB\Desktop\AdwCleaner.exe
Deleted : C:\Users\MB\Desktop\FRST64.exe
Deleted : C:\Users\MB\Desktop\JRT.exe
Deleted : C:\Users\MB\Desktop\JRT.txt
Deleted : C:\Users\MB\Desktop\OTL.exe
Deleted : C:\Users\MB\Desktop\Rkill.txt
Deleted : C:\Users\MB\Desktop\tdsskiller.exe
Deleted : HKLM\SOFTWARE\OldTimer Tools
Deleted : HKLM\SOFTWARE\AdwCleaner

~ Creating registry backup ... OK

~ Cleaning system restore ...

Deleted : RP #21 [Scheduled Checkpoint | 12/13/2014 12:15:39]

New restore point created !

~ Resetting system settings ... OK

########## - EOF - ##########

#22 Dakeyras (Anti-Malware Mammoth, Expert, 9,684 posts)

Hi. :)

Here you are sir!

All good...Congratulations the computer appears to be malware free!

Importance of Regular System Maintenance:

I advise you read both of the below listed topics as this will go a long way to keeping your Computer performing well.

Slow Computer/browser?

So is this:

What to do if your Computer is running slowly

Now some advice for on-line safety:

Malwarebyte's Anti-Malware:

This is an excellent application and I advise you keep this installed. Check for updates and run a scan at least once per week.

Other installed security software:

The installed security application, Windows Defender (regardless of the name, it is actually an Anti-Virus software with Windows 8), automatically checks for updates and downloads/installs them with every system reboot and/or periodically if the machine is left running, providing an internet connection is active.

I advise you also run a complete scan with this at least once per week.

Further reading/resources:

This is a very helpful/useful set of advice from Microsoft: Microsoft Safety & Security Center

As is this: Computer Security - a short guide to staying safer online

Keep Your System Updated:

Microsoft releases patches for Windows and other products regularly:

Turn automatic updating on or off <-- Ensure this feature is enabled per the instructions.

This web-page is worth bookmarking/reading for future reference:

Securing Your Web Browser

Be careful when opening attachments and downloading files:

1 - Never open email attachments, not even if they are from someone you know. If you need to open them, scan them with your antivirus program before opening.

2 - Never open emails from unknown senders.

4 - Beware of emails that warn about viruses that are spreading, especially those from antivirus vendors. These email addresses can be easily spoofed. Check the antivirus vendor websites to be sure.

5 - Be careful of what you download. Only download files from known sources. Also, avoid cracked programs. If you need a particular program that costs too much for you, try finding free alternatives at MajorGeeks.

Stop malicious scripts:

Windows by default allows scripts (VBScript and JavaScript) to run, and some of these scripts are malicious. Use Noscript by Symantec or Script Defender by AnalogX to handle these scripts.

Avoid Peer to Peer software:

P2P may be a great way to get lots of seemingly freeware, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well. It's really important, if you value your PC at all, to stay away from P2P file sharing programs, like utorrent, Bittorrent, Azureus, Limewire, Vuze. Criminals have "planted" thousands upon thousands of infections in the "free" shared files. Virtually all of these recent infections will compromise your Security, and some can turn your machine into a useless "doorstop".

I will further add: P2P software has the ability to create a direct conduit onto your computer, their security measures are easily circumvented, and Malware writers are increasingly exploiting them to spread their infected dross onto your computer. Further to that, if your P2P software is not configured correctly you may be sharing more files than you realise. There have been cases where people's address books, passwords, and other personal, private and financial details have been exposed to the file sharing network by badly configured P2P applications.

My friendly advice is to avoid these types of software applications.

Consider the below extra/layered security for your machine:

Custom Host File:

A Hosts file is like a phone book. You look up someone's name in the phone book before calling him/her. Similarly, your computer will look up the website's IP address before you can view the website.

Hosts file will replace your current Hosts file with another one containing well-known advertisement sites, spyware sites and other bad sites. This new Hosts file will protect you by re-directing these bad sites to 127.0.0.1.

Here are some Hosts files: Only use one of the above!
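To make the phone-book analogy concrete, here is an added example (mine, not code from this thread or from any of the hosts-list projects it links) that reads a constructed hosts file the way the resolver does, shows what a lookup of a blocked name returns, and flags any entry that redirects a name somewhere other than the 127.0.0.1/0.0.0.0 blackhole, since a blocklist should never do that. All domains in the sample are reserved example/test names.

```python
import ipaddress
from typing import Dict, Optional

# Constructed sample in the layout of a Windows hosts file with a blocklist
# appended; the names are reserved example/test domains, not real sites.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# --- blocklist section (constructed entries) ---
127.0.0.1  ads.example-tracker.test
0.0.0.0    spyware.example.test   www.spyware.example.test
127.0.0.1  banners.example.test   # inline comment is ignored
# A blocklist only ever points names at the blackhole; a routable address here
# is a redirect rather than a block and deserves a look.
203.0.113.9  update.example-antivirus.test
"""

BLACKHOLE = {"127.0.0.1", "0.0.0.0", "::1"}

def parse_hosts(text: str) -> Dict[str, str]:
    """Build the lookup table {hostname: ip}. The first entry for a name
    wins, which is how the resolver treats duplicates."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                          # malformed line: never trust it
        for name in fields[1:]:
            table.setdefault(name.lower(), ip)
    return table

def lookup(table: Dict[str, str], name: str) -> Optional[str]:
    """What the hosts file answers before DNS is consulted (None = not listed)."""
    return table.get(name.lower())

def blocked_names(table: Dict[str, str]) -> list:
    """Names the file sends to the blackhole, i.e. the sites it blocks."""
    return sorted(n for n, ip in table.items() if ip in BLACKHOLE and n != "localhost")

def suspicious_entries(table: Dict[str, str]) -> Dict[str, str]:
    """Names mapped to a routable address: a redirect, not a block."""
    return {n: ip for n, ip in table.items() if ip not in BLACKHOLE}
```

Running `suspicious_entries(parse_hosts(open(r"C:\Windows\System32\drivers\etc\hosts").read()))` on a real machine is a quick way to confirm a freshly installed blocklist contains nothing but blackhole entries.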

CryptoPrevent Tool:

How to prevent your computer from becoming infected by CryptoLocker

WinPatrol:

WinPatrol alerts you about possible system hijacks, malware attacks and critical changes made to your computer without your permission.

Download it from here.

You can find information about how WinPatrol works here.

Next:

Any questions? Feel free to ask, if not stay safe!

#23 LFC4 (Member, Topic Starter, 29 posts)

Dakeyras,

All is well mate, just stopping by to acknowledge your tips and express again how much I appreciate your help over the past few days.

Take care and thank you again!

#24 Dakeyras (Anti-Malware Mammoth, Expert, 9,684 posts)

Acknowledged and you're most welcome! :)

#25 Dakeyras (Anti-Malware Mammoth, Expert, 9,684 posts)

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.