advertising.com and other regenerating spyware

They didn't get uploaded.

If they are still hidden, then the rootkit is probably still active.
Can you run BlackLight again and have it rename the other files as well?

Let me know if they show up then.
 
Just for your information.

The path to the renamed files will be:
C:\Program Files\Broetget\WinGenerics.dll.ren
C:\WINDOWS\system32\drivers\usbncmac.sys.ren
C:\Program Files\Broetget\dx7tplug.exe.ren
C:\Program Files\Broetget\getdsdmo.exe.ren
C:\WINDOWS\system32\srcbcbcp.exe.ren
 
Well, I ran BlackLight again and renamed all of those files; after reboot the C:\Program Files\Broetget directory was still hidden. I reran BlackLight and it found all the same files again, including the ones that should have been renamed. I tried renaming them again along with some of those cache files and again, on reboot, nothing.

On a side note, while coming to the forum to post this, I got a "Visual C++ Runtime Error" and in the error box it was from c:\program files\broetget\getdsdmo.exe
 
:scratch:

Although I'm leaning towards advising you to reformat the computer, there is one thing we can try.
Do you have the XP install CD or bootdisks we can use to operate from outside Windows?
 
Sorry it took so long to get back to you, I was out of town a couple of days. I too was thinking about reformatting, but I was finally able to remove the rootkit. What I had to do was, after running BlackLight, reboot in safe mode so I could see the directory. Unfortunately I deleted the directory before I realized I needed to save a few of the files for you to look at. However, after that I was able to find the two files in the windows/system32 back in normal mode. I used BlackLight to rename them again because it said they were hidden, rebooted and found them and uploaded them for you to look at. Maybe you can figure out what they do?? Thanks again for all your help!!!

jack
 
Hi Jack,

Nice job you did to find that out.

The scan results for the files you uploaded:
"usbncmac.sys"
AntiVir 6.33.1.50 02.17.2006 TR/Rootkit.SMA.A
Avast 4.6.695.0 02.16.2006 Win32:Trojano-3087
Avira 6.33.1.50 02.17.2006 TR/Rootkit.SMA.A
eTrust-InoculateIT 23.71.78 02.17.2006 Win32/Smamate!Trojan
eTrust-Vet 12.4.2086 02.17.2006 Win32/Smamate
Kaspersky 4.0.2.24 02.17.2006 Rootkit.Win32.Agent.ao
McAfee 4700 02.17.2006 NTRootKit-R.gen
VBA32 3.10.5 02.17.2006 suspected of Rootkit.Agent.4

"SRCBCBCP.EXE"
CAT-QuickHeal 8.00 02.16.2006 (Suspicious) - DNAScan
eTrust-InoculateIT 23.71.78 02.17.2006 Win32/Propo!Trojan
eTrust-Vet 12.4.2086 02.17.2006 Win32/Propo
Kaspersky 4.0.2.24 02.17.2006 Trojan.Win32.Crypt.t
Panda 9.0.0.4 02.17.2006 Suspicious file

I'll see what else I can find out.
 
illukka pointed this article out to me:
http://www.f-secure.com/sw-desc/apropos.shtml

The good news is, it is a relatively harmless rootkit. And there is a tool to remove it, which I knew existed, but I didn't recognize it. :rolleyes:

I must apologize to you since we could have closed this thread 2 pages ago if I had.

Sorry.
 
As the problem appears to be resolved this topic will be archived.
If you need it re-opened please send me a pm and provide a link to the topic.

Thanks Metallica. :)
 