Rootkit

I have BitDefender 2009 antivirus, and I also run a Prevx CSI free scan every now and then to see if I'm clean. CSI has come up with a rootkit on physicaldrive0\\MBR.


Now I have done a full deep scan with BitDefender, and it found what it described as hidden rootkits, but they were hidden in a program called My Lockbox, just something I was trying out; I've got nothing to hide really.


I unhid everything and thought everything was fine, but CSI keeps finding this rootkit.


Do you think it is a false positive?


I have attached the log file from my scan (hopefully).

[Attachment: log.xml]

Comments

  • Ah, the attachment never worked, but basically all I had in My Lockbox, which was password protected, was a load of drivers from Uniblue Driver Manager, so they were not rootkits.

  • Hello webbit,


    Please download AVIS, which you will find in this topic. Unzip it and double-click AVIS.exe, go to the System Info section, under System Log Type leave Standard selected, and press Create Log. After it's finished, please upload bd_sys_log.xml.


    Kind regards,


    Niels


    Hello David G,


    CSI Prevx also generates false positives from time to time. Take a look here. I know that you say "I think" and not that you said that it wasn't a false positive.


    Kind regards,


    Niels

  • Hello webbit,


    Can you please archive the following files:


    mlJbbbyX.dll and khfdedDU.dll


    Both should be located in the System32 subfolder of the Windows folder. Follow the instructions given in the 2nd post in this topic.


    Can you please download ComboFix; you will find it here. Print the following instructions and read them carefully. Please post the output of the scan in your next post.


    Kind regards,


    Niels

  • Hi


    Thanks for your help. I have attached the log. Please note that I just tried out another AV to see if that found anything, so that will be in the log, but I always use BitDefender as my antivirus.

    [Attachment: ComboFix.txt]

  • Hello webbit,


    Please do this:


    Open Task Manager by pressing the Windows key together with R, type taskmgr and press Enter. Go to the Processes tab and click once on the process name column header so everything is sorted alphabetically. Select the process called keenfinder.exe and press End Task. Or do you recognize Keenfinder?


    After you have done that, please open WordPad and type this:


    File::


    C:\Program Files\Keenfinder\keenfinder.exe


    Now save it as CFScript. After you have done that, drag and drop the CFScript file onto the ComboFix icon.


    You haven't uploaded the files that I requested. You need to upload these samples on this forum; that is the quickest way. To do this, click on Start, My Computer, and double-click the icon of the hard disk/partition where you have installed software. You should see a folder called QooBox. Open that folder. Now you will see the Quarantine folder; please open that too, then C (if your hard drive is called so), Windows, System32. You should also find a subfolder in the Quarantine folder called Documents and Settings, with subfolders inside. Now right-click on each item and rename the files that look like blabla.exe.vir to blabla.exe. You just need to remove the .vir. First you need to show file extensions: to do that, go to the Tools menu, Folder Options, Display/View tab, uncheck "hide known file extensions", and press Apply and OK. Confirm the Windows warning. There is a 2 MB file upload limit in this forum section.


    Can you please archive these files also:


    C:\WINDOWS\system32\BKJV


    C:\WINDOWS\system32\A.tmp


    Kind regards,


    Niels

  • Here are the files which were in the quarantine folder, but I am having problems with creating the keenfinder exe as a CFS ****** file. Do I type it into the body of WordPad? I don't get the option to save it as a CFS. Here are files 1 and 2.

  • After renaming, it changed them to INI files, and the board message says I am not authorised to upload this type of file:


    Upload failed. You are not permitted to upload this type of file

  • Hang on, I think I've done it.

  • No, sorry, same error again:


    Upload failed. You are not permitted to upload this type of file


    Also, I cannot find these two files; they are not there:


    C:\WINDOWS\system32\BKJV


    C:\WINDOWS\system32\A.tmp

  • Hello webbit,


    You first need to archive them. I mean packing them with WinZip, WinRAR, ... If you have done that, then you should be able to upload it here. For instructions see this topic, 2nd post. Or do you have problems with how to archive?


    The files might be hidden. When you are in the System32 folder, go to the Tools menu, Folder Options, Display/View tab, check the option "Show hidden files and folders", press Apply and OK, and confirm the Windows warning. See if you can see them now.


    Kind regards,


    Niels
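The sample-collection steps asked for in the two posts above (show hidden files in System32, strip the .vir suffix ComboFix adds in QooBox\Quarantine, archive the result, and stay under the forum's 2 MB upload limit) can be done from one script. The following is an added example written for this thread, not code from the forum or from any of the tools named in it. It assumes PowerShell 5 or later (for Compress-Archive and Get-FileHash), an elevated prompt, and that the file names and the QooBox path are the ones quoted in the thread.

```powershell
# Added example (not from the thread): gather the files a researcher asked for
# so they can be uploaded for analysis. Assumes PowerShell 5+ and an elevated prompt.
param(
    [string[]]$Names = @('mlJbbbyX.dll', 'khfdedDU.dll', 'BKJV', 'A.tmp'),  # names quoted in the thread
    [string]$Quarantine = 'C:\QooBox\Quarantine',                           # ComboFix quarantine, per the thread
    [string]$OutZip = "$env:USERPROFILE\Desktop\samples.zip",               # assumed output location
    [int]$LimitMB = 2                                                       # upload limit stated in the thread
)

$collected = @()

# 1. Look for the requested names in System32; -Force also returns hidden and system files,
#    which the Explorer defaults would otherwise hide.
$sys32 = Join-Path $env:SystemRoot 'system32'
foreach ($n in $Names) {
    $hit = Get-ChildItem -Path $sys32 -Filter $n -Force -ErrorAction SilentlyContinue
    if ($hit) { $collected += $hit } else { Write-Host "not found in system32: $n" }
}

# 2. ComboFix stores quarantined items as <name>.vir; strip the suffix so the
#    researcher sees the original file name. -PassThru returns the renamed item.
if (Test-Path $Quarantine) {
    Get-ChildItem -Path $Quarantine -Recurse -Force -Filter '*.vir' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $collected += Rename-Item -Path $_.FullName -NewName ($_.Name -replace '\.vir$', '') -PassThru
        }
}

if (-not $collected) { Write-Host 'nothing to archive'; return }

# 3. Record SHA-256 hashes so the upload can be matched to what the scanners reported.
$collected | Where-Object { -not $_.PSIsContainer } |
    Get-FileHash -Algorithm SHA256 | Format-Table Hash, Path -AutoSize

# 4. Zip everything and compare the archive size with the forum limit.
Compress-Archive -Path ($collected | ForEach-Object FullName) -DestinationPath $OutZip -Force
$mb = [math]::Round((Get-Item $OutZip).Length / 1MB, 2)
if ($mb -gt $LimitMB) {
    Write-Host "$OutZip is $mb MB, over the $LimitMB MB limit: upload it to a file host and post the link in a .txt file instead"
} else {
    Write-Host "$OutZip is $mb MB: upload it as an attachment"
}
```

Run it once from an elevated PowerShell prompt; the hash table it prints is worth pasting into the reply alongside the archive, since it lets the researcher confirm the uploaded bytes are the same files the scanners flagged.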

  • Did you want me to upload the BKJV? Because I can only get it down to 5.8 MB.

  • Hello webbit,


    You don't need to worry, because normal users can't download attachments in this forum section. Only moderators and virus researchers can download here.


    What you can always do is upload the large infection to an online file host and post the download link in a text file. Text files can be uploaded normally. For how to do that, see the link that I posted in my previous post and take a look at the 3rd post.


    Kind regards,


    Niels

  • Hello webbit,


    Can you please upload keenfinder.exe?


    Normally you should paste this into WordPad:


    File::


    C:\Program Files\Keenfinder\keenfinder.exe


    You just need to save it as a text file with CFScript as the name. If it fails, please just archive it and upload it here.


    Kind regards,


    Niels

  • Hi, Keenfinder has been deleted from my system; I wasn't sure what it was, so I uninstalled it.

  • Were any of these files infected?