PDA

View Full Version : help removing files found



bowan
2009-04-18, 16:09
i've had a problem with this rootkit for the past week now and it still keeps coming back :(

i've found your program rootalyzer and scanned with it using deep scan and it found the files i knew were there, but i can't find an option to remove them with this program.

i checked the log tab and clicked on pack suspicious files and it packed all the stuff into a .cab file which is 134mb. it shouldn't be that big i think it picked up some stuff that wasn't the virus. i know the trojan and what files it uses but they can't be found cause its hidden it self and hidden the reg keys it created as well.

also i have used avira to scan the rootkit as its the only other rootkit scanner that has detected the thing and whenever i move what it finds to quarintine whenever i scan again it finds the same files over and over, so basically whenever it gets removed it almost instantly re propogates it self.

i dont know what else to do cause i can't find the registry keys i know it creates because it has a way to hide them, and whatever program i have found that can detect it after removing it the thing comes back straight away again :(

any help would be greatly appreciated.

here is the log.

// info: Rootkit removal help file
// copyright: (c) 2008-2009 Safer-Networking Ltd. All rights reserved.

:: RootAlyzer Results
File:"Hidden file","C:\Windows\System32\ovfsthxekctnpfc.dll"
File:"Hidden file","C:\Windows\System32\ovfsthxekctnpfc.dll.XXX"
File:"Hidden file","C:\Windows\System32\ovfsthxjqysbjfs.dll"
File:"Hidden file","C:\Windows\System32\ovfsthxouimpciq.dat"
File:"Hidden file","C:\Windows\System32\ovfsthxpegeeqca.dll"
File:"Hidden file","C:\Windows\System32\ovfsthxsmispsst.dat"
File:"No admin in ACL","C:\Windows\temp\ZLT0456a.TMP"
File:"No admin in ACL","C:\Windows\temp\ZLT06ad9.TMP"
File:"Invisible to Win32","C:\Windows\System32\ovfsthxekctnpfc.dll"
File:"Invisible to Win32","C:\Windows\System32\ovfsthxekctnpfc.dll.XXX"
File:"Invisible to Win32","C:\Windows\System32\ovfsthxjqysbjfs.dll"
File:"Invisible to Win32","C:\Windows\System32\ovfsthxouimpciq.dat"
File:"Invisible to Win32","C:\Windows\System32\ovfsthxpegeeqca.dll"
File:"Invisible to Win32","C:\Windows\System32\ovfsthxsmispsst.dat"
File:"Invisible to Win32","C:\Windows\System32\drivers\ovfsthxkrybotct.sys"
File:"Invisible to Win32","C:\Users\bowan\AppData\Local\Temp\ovfsthxridutpnb000"
File:"Unknown ADS","C:\Users\All Users\TEMP:8927A071:$DATA"
File:"Unknown ADS","C:\Users\All Users\TEMP:8CEFE51A:$DATA"
File:"No admin in ACL","C:\Users\All Users\NOS\getUninst_Adobe.dat"
File:"No admin in ACL","C:\Users\All Users\NOS\Adobe_Downloads\nos_11909.dat"
File:"No admin in ACL","C:\Users\All Users\Microsoft\OFFICE\DATA\OPA12.BAK"
File:"No admin in ACL","C:\Users\All Users\Microsoft\OFFICE\DATA\opa12.dat"
File:"No admin in ACL","C:\ProgramData\NOS\getUninst_Adobe.dat"
File:"No admin in ACL","C:\ProgramData\NOS\Adobe_Downloads\nos_11909.dat"
File:"Unknown ADS","C:\Program Files\Cake Poker:MID:$DATA"
File:"Unknown ADS","C:\Program Files\Cake Poker\cake.exe:info:$DATA"
Directory:"No admin in ACL","C:\Windows\Internet Logs"
Directory:"No admin in ACL","C:\Users\bowan\AppData\LocalLow\NOS"
Directory:"No admin in ACL","C:\Users\All Users\NOS"
Directory:"No admin in ACL","C:\Users\All Users\NOS\Adobe_Downloads"
Directory:"No admin in ACL","C:\Users\All Users\Microsoft\OFFICE\DATA"
Directory:"No admin in ACL","C:\ProgramData\NOS"
Directory:"No admin in ACL","C:\ProgramData\NOS\Adobe_Downloads"
Directory:"No admin in ACL","C:\ProgramData\Microsoft\OFFICE\DATA"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\","NOS"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\NOS\","{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}_bowan"
RegyKey:"Zero char in key name","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Cryptography\","RNG\0"
// Attention: entries with a zero character will not be displayed correctly and may not work!
RegyValue:"Zero char in value name","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Cryptography\RNG\0\","Seed\0TRY-8BE26640-0000"
// Attention: entries with a zero character will not be displayed correctly and may not work!
RegyValue:"Invisible to Win32","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Cryptography\RNG\0\","Seed\0TRY-8BE26640-0000"
// Attention: entries with a zero character will not be displayed correctly and may not work!

Matt
2009-04-19, 01:01
Hi bowan,

well, looks really like a Malware infection.

You have always this option (http://forums.spybot.info/showpost.php?p=304562&postcount=2).

bowan
2009-04-19, 11:30
sigh, yeah the only problem with that is i have tried that at another forum and no one responded. i'm fairly confident at removing this sort of stuff myself but i guess i can try that here and see what people say.

also its not malware its a backdoor trojan and i know excactly which one and the thing that pisses me off the most is i know where all the files are and i still can't get rid of it lol its driving me crazy.

Matt
2009-04-19, 14:29
Hi bowan,

please following my recommendation and open your own thread in the Malware Removal Forum with an up to date HijackThis logfile if you can't get rid of it. Be patient and wait, someone will give you an answer there. :) Add any information in the Malware Removal Forum, that is important in your eyes.

Well, backdoor sounds not good... :fear:

bowan
2009-04-19, 15:13
thanks matt i took your advice and opened up a thread, hopefully someone can help.

tashi
2009-04-19, 19:32
bowan's malware forum topic: http://forums.spybot.info/showthread.php?p=306144#post306144