Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Potential Rootkit Infection

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Unread postby silver » July 14th, 2007, 9:31 am

Hi samone,

Please check your Recycle Bin and see if the backups folder is in there. If so, then restore it and let me know - we'll move it to a safe place. If it's not there then the backups may have been permanently deleted.

The Spy Sweeper details you posted were relevant but I'd need to know what specific files Spy Sweeper is detecting.

Open Spy Sweeper, select Options then View Session Log. Please export/save the whole log file and post it, or copy/paste the details of the recent infections and post those.
User avatar
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7
Advertisement
Register to Remove

Unread postby samone » July 14th, 2007, 9:41 am

spy sweeper:

9:20 AM: A reboot was required but declined.
9:20 AM: potentially rootkit-masked files is in use. It will be removed on reboot.
9:20 AM: Quarantining All Traces: potentially rootkit-masked files
9:19 AM: Traces Found: 7
9:19 AM: Custom Sweep has completed. Elapsed time 00:14:43
9:19 AM: File Sweep Complete, Elapsed Time: 00:13:24
Trace marked as Always Remove
9:19 AM: c:\documents and settings\bern&john\my documents\new folder\documents and settings\john\my documents\documents and settings\all users\start menu\programs\datapilot\sms manager.lnk (ID = 0)
Trace marked as Always Remove
9:19 AM: c:\documents and settings\bern&john\my documents\new folder\documents and settings\john\my documents\documents and settings\all users\start menu\programs\datapilot\ringtone composer.lnk (ID = 0)
Trace marked as Always Remove
9:19 AM: c:\documents and settings\bern&john\my documents\new folder\documents and settings\john\my documents\documents and settings\all users\start menu\programs\datapilot\phone book manager.lnk (ID = 0)
Trace marked as Always Remove
9:19 AM: c:\documents and settings\bern&john\my documents\new folder\documents and settings\john\my documents\documents and settings\all users\start menu\programs\datapilot\internet data connectivity.lnk (ID = 0)
Trace marked as Always Remove
9:19 AM: c:\documents and settings\bern&john\my documents\new folder\documents and settings\john\my documents\documents and settings\all users\start menu\programs\datapilot\image editor.lnk (ID = 0)
Trace marked as Always Remove
9:19 AM: c:\documents and settings\bern&john\my documents\new folder\documents and settings\john\my documents\documents and settings\all users\start menu\programs\datapilot\calendar.lnk (ID = 0)
Trace marked as Always Remove
9:19 AM: c:\documents and settings\bern&john\my documents\new folder\documents and settings\john\my documents\documents and settings\all users\start menu\programs\datapilot\datapilot launcher.lnk (ID = 0)
9:19 AM: Threat marked as Always Remove
9:19 AM: Found System Monitor: potentially rootkit-masked files
9:16 AM: Warning: DoTerm :\Device\HarddiskVolume1\WINDOWS\system32\CSRSS.EXE
Operation: File Access
Target:
Source: C:\WINDOWS\SYSTEM32\CIDAEMON.EXE
9:10 AM: Tamper Detection
9:06 AM: Starting File Sweep
9:06 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
9:06 AM: Starting Cookie Sweep
9:06 AM: Registry Sweep Complete, Elapsed Time:00:00:07
9:06 AM: Starting Registry Sweep
9:06 AM: Memory Sweep Complete, Elapsed Time: 00:01:09
9:05 AM: Starting Memory Sweep
9:05 AM: Start Custom Sweep
9:05 AM: Sweep initiated using definitions version 948
8:55 AM: ApplicationMinimized - EXIT
8:55 AM: ApplicationMinimized - ENTER
8:52 AM: ApplicationMinimized - EXIT
8:52 AM: ApplicationMinimized - ENTER
8:52 AM: Access to Hosts file allowed for C:\PROGRAM FILES\GRISOFT\AVG ANTI-SPYWARE 7.5\AVGAS.EXE
Keylogger: On
E-mail Attachment: On
8:52 AM: Informational: ShieldEmail: Start monitoring port 25 for mail activities
8:52 AM: Informational: ShieldEmail: Start monitoring port 110 for mail activities
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites: Off
Hosts File Shield: On
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
File System Shield: On
Execution Shield: On
System Services Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: On
8:52 AM: Shield States
8:52 AM: License Check Status (0): Success
8:52 AM: Spyware Definitions: 948
8:52 AM: Spy Sweeper 5.5.1.3356 started
8:52 AM: Spy Sweeper 5.5.1.3356 started
samone
Regular Member
 
Posts: 23
Joined: September 4th, 2006, 10:02 pm

Unread postby samone » July 14th, 2007, 11:12 am

this may be part of the promblem:

CSRSS.EXE:
Process Name: Microsoft Client/Server Runtime Server Subsystem
Process Description: csrss.exe is the main executable for the Microsoft Client/Server Runtime Server Subsystem. This process manages most graphical commands in Windows. This program is important for the stable and secure running of your computer and should not be terminated. csrss.exe is also process which is registered as the W32.Netsky.AB@mm worm, the W32.Webus Trojan, Win32.Ladex.a and more. This virus is distributed via the Internet through e-mail and comes in the form of an e-mail message, in the hopes that you open it's hostile attachment. The worm has it's own SMTP engine which means it gathers E-mails from your local computer and re-distributes itself. In worst cases this worm can allow attackers to access your computer, stealing passwords and personal data. It is a registered security risk and should be removed immediately.
samone
Regular Member
 
Posts: 23
Joined: September 4th, 2006, 10:02 pm

Unread postby silver » July 14th, 2007, 9:53 pm

Hi samone,

The csrss.exe on your system looks to be the Microsoft program and not malware.

Spy Sweeper appears to be flagging links associated with Datapilot cell phone software - do you have this software installed and do you use it?

Open HijackThis, select Open the Misc Tools section
Press the Open Uninstall Manager... button, then press Save list...
Save the Uninstall log to your deskop and include a copy in your next response.
User avatar
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7

Unread postby samone » July 15th, 2007, 12:19 am

Hi, datapilot is not in use anymore. its a backup program for cell phone numbers. no longer necessary. here is the log for the uninstall list

HijackThis 2.0.2
Kaspersky Online Scanner
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Office Standard Edition 2003
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Update for Windows XP (KB936357)
samone
Regular Member
 
Posts: 23
Joined: September 4th, 2006, 10:02 pm

Unread postby silver » July 15th, 2007, 2:55 am

Hi samone,

If you don't need it any more, then is it OK to delete the offending folder(s) and see if that resolves the problem?

This is the folder:
c:\documents and settings\bern&john\my documents\new folder\documents and settings\john\my documents\documents and settings\all users\start menu\programs\datapilot


Once you have deleted the folder, try running Spy Sweeper once more and see if the detection recurs. If it does, the post the Session Log for the scan.

Quite a number of programs which are obviously installed are not listed in your uninstall list - do you know why this is?

Once complete, please post or let me know about the Spy Sweeper results.
User avatar
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7

Unread postby samone » July 15th, 2007, 9:23 am

great news! spy sweeper did not detect the rootkit risk afrom removal the datapilot folder.
samone
Regular Member
 
Posts: 23
Joined: September 4th, 2006, 10:02 pm

Unread postby silver » July 15th, 2007, 7:24 pm

Hi samone,

Good news indeed! There's no indication of malware on your system so I think your machine is clean.

Here are some tips to help you keep it that way:

Operating system vulnerabilities can easily be exploited by malware so please ensure your operating system is automatically kept up to date by using Windows Update:
Go to Start->Control Panel->Automatic Updates
Select Automatic and select a suitable schedule

Also, check that your antivirus and antispyware programs are set to automatically update daily.

You should consider installing a Personal Firewall program. Even if you are behind a NAT router, I recommend you use firewall software as it will improve the security of your computer by monitoring and controlling outbound connections to the internet as well as inbound. There are various free packages available, such as Sunbelt Personal Firewall and Zone Alarm:
http://www.sunbelt-software.com/Home-Ho ... -Firewall/
http://www.zonelabs.com/

Consider a custom hosts file such as MVPS HOSTS. This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
For information on how to download and install, please read this tutorial by WinHelp2002
Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.

Spywareblaster is a free program which prevents the download and installation of Internet Explorer ActiveX based malware by immunizing your system against it. You can download Spywareblaster from here and a tutorial to help you get started is available here.

Find out more about how to prevent infection in the future
http://forum.malwareremoval.com/viewtopic.php?p=33687

Please post back to let me know that you have read this, and if there are any further issues.
User avatar
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7

Unread postby NonSuch » July 22nd, 2007, 10:47 pm

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 27226
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove

Previous

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 41 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware