How To Fix Possible Rootkit Activity (Solved)


Possible Rootkit Activity

Mon Mar 30 16:48:12 2009 -> Loaded 233110 signatures. Mon Mar 30 16:48:12 2009 -> Archive: Recursion level limit set to 5. c:\windows\SYSTEM32\CONFIG\systemprofile\Start Menu\Programs\Startup\ Configure IE for BEN Financials.lnk - d:\documents and settings\Default User\Application Data\BEN Financials XP SP2 Installer\ben-ie-conf.exe [2005-11-9 110794] .

Here's the Combofix log: ComboFix 13-04-24.03 - wamcd 04/24/2013 15:37:03.6.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.456 [GMT -4:00] Running from: d:\documents and settings\wamcd.WAMCD01\Desktop\ComboFix.exe AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C} . Upon closer inspection, it appeared that there were two hidden Internet Explorer windows visiting random sites (along with calling to certain IP addresses). not found Checking `traceroute'... d:\documents and settings\wamcd.WAMCD01\Application Data\mnsvn.dll d:\documents and settings\wamcd.WAMCD01\Application Data\rentdp.dll . . ((((((((((((((((((((((((( Files Created from 2013-03-24 to 2013-04-24 ))))))))))))))))))))))))))))))) . . 2013-04-20 09:23 . 2013-04-20 09:23 -------- d-----w- d:\documents and settings\NetworkService.NT AUTHORITY\Local

not infected Checking `named'... To resolve this, restart the computer and try again. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-4-14 66536] . =============== Created Last 30 ================ . 2011-07-11 04:02:14 480519 ----a-w- C:\tri.exe 2011-07-11 03:23:00 10 ----a-w- C:\Q.BAT 2011-07-03 06:37:11 696320 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iKernel.dll 2011-07-03 06:37:11 57344 ----a-w-

not infected Checking `pop2'... If I am working with you and have not responded in a couple of days please PM me. 04-19-2013, 12:14 PM #3 jeffce Security Team Analyst Join So I think when I posted my last log I had failed to restart (I know, epic fail on my part). EMVSCARD;EMVSCARD R?

Double-Click on dds.scr and a command window will appear. Then click OK. Wait till the scanner has finished and then click File, Save Report. Save the report somewhere where you can find it. Then post those logs. http://www.techsupportforum.com/forums/f284/possible-rootkit-activity-692852.html Started by boobooboo, December 5, 2016. Posted December 5, 2016: I got a desktop

!!Possible Rootkit Activity Detected!!=) Started by WinBMY, Apr 18 2011 12:08 AM. not infected Checking `biff'... This is normal. Shortly after, two logs will appear: DDS.txt and Attach.txt. A window will open instructing you to save & post the logs. Save the logs to a convenient place such as your desktop. Copy the The service has no detailed description.

nothing found Searching for RK17 files and dirs... http://forum.sysinternals.com/possible-rootkit-activity-detected-with-rku_topic16179.html R? EASTER (Senior Member, Joined: 27 October 2006, Location: United States):

not infected Checking `find'... nothing found Searching for LOC rootkit... FF - ProfilePath - d:\documents and settings\wamcd.wamcd01\application data\mozilla\firefox\profiles\o40f8ch2.default\ FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=302398&p= FF - plugin: c:\program files\adobe\reader This evening, however, when I fired up firestarter, and then moblock, and then Azureus, I noticed I was getting some unknown active connections on my firestarter status page: namely, these: Code:

  1. Mon Mar 30 16:48:08 2009 -> Reading databases from /var/lib/clamav Mon Mar 30 16:48:08 2009 -> Not loading PUA signatures.
  2. Did you (re-)start blockcontrol after your firewall?
  3. not found Checking `gpm'...
  4. Glad it was "just" a user mistake.
  5. not infected Checking `sendmail'...
  6. Doing so could make your system inoperable and could require a full reinstall of your operating system and losing all your programs and data.

not infected Checking `telnetd'... I got a message window telling me: "Installation Failure" 2 minutes after clicking the ComboFix icon. There should be two logs. __________________ 1. Dell Inspiron 17 5759 Windows 10 64bit Firefox v.50.0.2; WLM2012; Avira Free, Windows Firewall, MBAM, SpywareBlaster, SUPERAntispyware 2. Dell Inspiron N7010; Laptop Windows 7 64bit SP1 nothing found Searching for OpticKit...

I also have clamAV installed but hardly use it. Win Explorer shows both drives are OK. nothing found Searching for t0rn's default files and dirs...


As I said, I don't use GMER mainly because its logs are often hard to read. RKU detects possible rootkit activity Started by ricknorth, Jul 03 2011 01:32 AM. #1 I have been playing with various security and 'anonymity' tools like moblock and tor and so on. Use the 'Add Reply' and add the new log to this thread.

If I am working with you and have not responded in a couple of days please PM me. 04-24-2013, 01:51 PM #7 Whimsicott Registered Member Join Date: Close any open browsers or any other programs that are open. 2. Mon Mar 30 16:48:12 2009 -> Algorithmic detection enabled. Some things to remember while we are working together. Do not run any other tool until instructed to do so! Please do not attach logs or put them in code boxes. Tell me about any problems

However, since these were on my events log as 'blocked' I was not too worried about it. The one from that site is Free. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. nothing found Searching for RSHA's default files and dir...

Notepad will open with the results. scanning hidden processes ... . If you have difficulty properly disabling your protective programs, refer to this link here -------------------------------------------------------------------- Right-Click and Run as Administrator on ComboFix.exe & follow the prompts. When finished, it will produce a Just skip the GMER log for now. ~Budapest Attached Files: DDS log 2011 04 19.txt (6.01KB), DDS Attach 2011 04 19.txt (2.77KB). Edited by Budapest, 19 April

not infected Checking `ls'...