HELP !! System monitor found: potentially rootkit-masked files

Discussion in 'Malware Help (A Specialist Will Reply)' started by Maggie_61, Aug 27, 2006.

  1. Maggie_61

    Maggie_61 Private First Class

    Long ago, after downloading uTorrent with mp3s, I got the NSIS media extension Trojan (inside MOZILLA FIREFOX, the latest version).

    I deleted it with TROJAN HUNTER.

    A computer technician came and saw that my PC had no virus.

    The NSIS was found by WEBROOT SPY SWEEPER. I wrote a post about it which you can read.

    …Now it finds this:

    “System monitor found: potentially rootkit-masked files”

    I asked SPY SWEEPER to always remove it and to put it in Quarantine.

    What can I do so that I won't see this message again?

    Also I want to be certain that my ebanking is SAFE, because this is the message I get from this threat (when I read about it in SPY SWEEPER’s help) !!!!

    Please heeeeeeeelp meeee!!!!

    Thanks,
    Maggie

    ***** I attach 3 log files from the programs mentioned here!

    Waiting for your help... :confused:
     
  2. Maggie_61

    Maggie_61 Private First Class

    Invalid Post specified. If you followed a valid link, please notify the administrator :confused:


    This is a message I get when I try to download the log files.

    I will send them here as three different threads.

    I kindly ask the administrator to convert them to text files :)


    Thanks!
    Maggie
     
  3. Maggie_61

    Maggie_61 Private First Class

    OK !

    ...here is hijack this....
     

    Attached Files:

  4. Maggie_61

    Maggie_61 Private First Class

    SPYSWEEPER's log...
     

    Attached Files:

  5. Maggie_61

    Maggie_61 Private First Class

    Guys, I tried to download a log from ROOTKIT REVEALER but it is more than 10 MB....

    I cannot upload it here as a single attachment...

    What else do you need to help me?

    Thanks,
    Maggie
     
  6. matt.chugg

    matt.chugg MajorGeek

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Downloading, Installing, and Running HijackThis

    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.


    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:

      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • CounterSpy - ONLY IF you were not able to run Windows Defender
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • HijackThis


    Please also download and run Sophos Anti-Rootkit and post a log.

    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  7. Maggie_61

    Maggie_61 Private First Class

    I know the whole READ & RUN ME procedure by heart!

    Everything else is OK so I do the final steps with the logs...

    I attach the logs from the scans except SOPHOS, because I really don't understand quite well HOW I CREATE THE LOG ... :confused:

    When SOPHOS scans it finds ....tooooooo many things NOT FOR REMOVAL, as it says...

    WHAT DO YOU WANT ME TO DO NOW?

    DO YOU THINK I AM IN DANGER ... ????

    Thanks,
    Maggie
     

    Attached Files:

  8. matt.chugg

    matt.chugg MajorGeek

    Once Sophos has completed, you should be able to select the text in the lower box and paste it into Notepad to upload it as an attachment.
     
  9. Maggie_61

    Maggie_61 Private First Class

    SOPHOS finds toooooo.... many things....

    I enclose two attachments. The first is what you told me to do (I guess... :) ) and the second is an example of one file. This is what it says in all those files, none to be removed !

    WHAT DO YOU THINK ?

    WHY ARE THERE SO MANY FILES LISTED ? And in the first attachment it mentions a problem with the registry (?)

    I am very anxious to hear your opinion...

    Thanks,
    Maggie

    **** I also enclose a log from GMER I just did ( ? ) What do you say ?
     

    Attached Files:

  10. matt.chugg

    matt.chugg MajorGeek

    Have a look at page 12 of sarman.pdf in the sophos directory. It explains where you can find the log files. Upload them here we'll take a look.

    Is your ISP Otenet, or something similar?

    All the files that are being found by Spysweeper are ADS (Alternate Data Streams) that have been created by Kaspersky.

    When you installed Kaspersky, did you notice an option called 'iStreams'?

    KAV uses ADS to store a key that is used to indicate whether the file requires scanning the next time it is used. If the file hasn't changed since the last time it was scanned, and the virus database hasn't changed since the last time it was scanned, there is no need to scan it this time.

    apparently....


    You can read more about ADS here:
    http://www.informit.com/articles/article.asp?p=413685&seqNum=5&rl=1

    You can read more about IStreams here:
    http://www.kaspersky.com/faq?qid=156636746
     
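The scan-cache idea matt.chugg describes above (skip rescanning a file whose content and signature database are both unchanged), worked through as an added example. This is not Kaspersky's code and not anything posted in this thread; the stream name `scancache`, the hard-coded key, the toy scanner and the sample file are all assumptions made for the example. On Windows/NTFS the marker is written into an alternate data stream (`file:scancache`), which is exactly the kind of stream an anti-rootkit or anti-spyware scanner will list as unexpected; on other systems it falls back to a sidecar file so the example runs anywhere.

```python
"""Scan cache in the style of an AV 'iStreams' feature: after a clean scan,
record (content hash, signature DB version) next to the file and skip the
next scan if both are unchanged.  Added example, not Kaspersky's code."""
import hashlib
import hmac
import json
import os
import tempfile

STREAM_NAME = "scancache"          # hypothetical stream / sidecar name
# A real product must keep this key where malware cannot read it (e.g. in
# the scanning service's own memory); a hard-coded key is for this example only.
MARKER_KEY = b"example-only-secret"


def _marker_path(path):
    """Where the marker lives: an NTFS alternate data stream on Windows
    ('file:scancache'), a sidecar file elsewhere so the example runs anywhere."""
    if os.name == "nt":
        return f"{path}:{STREAM_NAME}"
    return f"{path}.{STREAM_NAME}"


def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _sign(digest, db_version):
    """MAC over (digest, db_version); without it malware could write its own
    'already scanned, clean' marker and never be looked at again."""
    return hmac.new(MARKER_KEY, f"{digest}|{db_version}".encode(),
                    hashlib.sha256).hexdigest()


def write_marker(path, db_version):
    """Record that `path` was scanned clean with signature database `db_version`."""
    digest = file_digest(path)
    marker = {"sha256": digest, "db_version": db_version,
              "mac": _sign(digest, db_version)}
    with open(_marker_path(path), "w") as f:
        json.dump(marker, f)


def read_marker(path):
    try:
        with open(_marker_path(path)) as f:
            return json.load(f)
    except (OSError, ValueError):
        return None


def clear_marker(path):
    """Remove the marker (what 'removing the ADS created by Kaspersky' amounts to)."""
    try:
        os.remove(_marker_path(path))
    except OSError:
        pass


def needs_scan(path, db_version):
    """True unless an authentic marker vouches for this exact content and DB."""
    m = read_marker(path)
    if not m or not isinstance(m.get("mac"), str):
        return True
    expected = _sign(file_digest(path), db_version)
    # Changed content, newer database or a forged marker all fail this check.
    return not hmac.compare_digest(m["mac"], expected)


def scan_if_needed(path, db_version, scanner):
    """Run `scanner(path)` only when the cache cannot vouch for the file.
    Returns 'cached', 'clean' or 'infected'."""
    if not needs_scan(path, db_version):
        return "cached"
    verdict = scanner(path)
    if verdict == "clean":
        write_marker(path, db_version)
    else:
        clear_marker(path)
    return verdict


def toy_scanner(path):
    """Stand-in for a real engine: flags files containing the EICAR test string."""
    with open(path, "rb") as f:
        return "infected" if b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE" in f.read() else "clean"


def demo():
    """Constructed walk-through: scan, hit the cache, invalidate it, reject a forgery."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "song.mp3")
        with open(p, "wb") as f:
            f.write(b"ID3 constructed sample data")          # constructed input
        out = [scan_if_needed(p, "db-2006-08-27", toy_scanner),   # 'clean'
               scan_if_needed(p, "db-2006-08-27", toy_scanner),   # 'cached'
               scan_if_needed(p, "db-2006-08-28", toy_scanner),   # new DB -> 'clean'
               scan_if_needed(p, "db-2006-08-28", toy_scanner)]   # 'cached'
        with open(p, "ab") as f:
            f.write(b" changed")
        out.append(scan_if_needed(p, "db-2006-08-28", toy_scanner))  # 'clean'
        # A marker with the right hash and DB but a bad MAC must not be trusted.
        with open(_marker_path(p), "w") as f:
            json.dump({"sha256": file_digest(p), "db_version": "db-2006-08-28",
                       "mac": "00"}, f)
        out.append(needs_scan(p, "db-2006-08-28"))                  # True
        return out


if __name__ == "__main__":
    print(demo())
```

Running `python3 scancache.py` prints `['clean', 'cached', 'clean', 'cached', 'clean', True]`. The marker is keyed rather than just a hash because the cache is a trust decision: anything that can write the stream could otherwise exempt itself from scanning. Whether Kaspersky's real iStreams data is authenticated is not stated on this page, and the stream name used here is made up for the example.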
  11. Maggie_61

    Maggie_61 Private First Class

    I just uploaded SARSCAN zipped because it is tooooo big (965 KB), but I can't do the two others....

    Windows cannot find the SARCLEAN log.

    And regarding SAMPLES.SAR, I cannot open it. When I choose to open it with NOTEPAD it looks like Chinese....

    WHAT'S MY PROBLEM? :confused:
     

    Attached Files:

  12. Maggie_61

    Maggie_61 Private First Class

    **** Please see my previous message with the files.

    Here I enclose samples.sar encrypted and opened in Notepad (...if I don't do it correctly, sorry and please explain... :) )
     

    Attached Files:

  13. matt.chugg

    matt.chugg MajorGeek

    Don't worry about that file. It is an encrypted zip file that is there in case you need to send it to Sophos support.

    You don't appear to have any malware on your system. The files that are found are not bad. They are put there by Kaspersky Antivirus and as such are a false positive.

    I can instruct you on how to remove the ADS created by Kaspersky if you want, but this will slow down Kaspersky the next time it is run (subsequent scans will be faster).

    You mentioned that you know the Read and Run Me off by heart (even though you didn't follow it properly at first? ;) ). From this I assume you have had many malware infections. Downloading mp3s using torrents or any other p2p client is not only illegal but fraught with dangers of infection. I would be prepared to bet money that at least some, if not most, of your prior infections were the result of using BitTorrent or p2p software.
     
  14. Maggie_61

    Maggie_61 Private First Class

    Please read my new post on TROJAN MACCESS I just killed...

    Do you think the best solution is to format my pc and then I will never have problems, or to kill them all the time?

    If I format my pc these nasties wont reappear in my system again, or should I constantly check for trojans and viruses??

    I downloaded uTorrent to have some mp3s as I cannot buy music... I have been unemployed for TWO YEARS!!!!

    I heard today there is a new law on this: downloading some music is not illegal anymore, as long as it is for personal use and you don't download 1000s of songs etc.... for commercial purposes, piracy etc...

    PLEASE CHECK MY OTHER POST, AND GIVE ME SOME HELP...
    WHY FIREFOX OPENS A BLANK PAGE... AND REMOVING MACCESS....

    Thanks!

    You are a big help!!!!
    Maggie
     
  15. matt.chugg

    matt.chugg MajorGeek

    As far as I know, downloading copyrighted material from any source without paying for it is still illegal.

    You could format if you want, but if you continue to use uTorrent to download files then you will just keep getting infected. You need to be constantly vigilant, run anti-virus, firewall and antispyware protection, practise safe surfing habits, and even then there is still a chance of infection.

    I'm sorry to hear you're unemployed, but I'm afraid that's no excuse for downloading illegal copies of music. As long as you continue to do so, you continue to run a massively increased risk of being infected.
     
  16. Maggie_61

    Maggie_61 Private First Class

    I have deleted utorrent a long time ago.

    I would like very much to avoid formatting.....

    I have an IBM which creates a full backup to an external USB hard drive (with the programs too...) and when you restore, you have your pc as it was before. Still I will have to do many things on the programs on their settings, and I dont have time because I am jobhunting ....

    I constantly check for viruses, trojans etc. every day...
    When there are plenty of those, I will reformat.

    I deleted TROJAN MACCESS yesterday.

    Is this OK? Am I safe with KASPERSKY PERSONAL 5 AND SPYSWEEPER 5?

    Also, I have Ad-aware free, Spybot, Registry Mechanic, Spyware Blaster, CCleaner.
     
  17. matt.chugg

    matt.chugg MajorGeek

    Kaspersky Personal is fine. You should occasionally run a couple of online scans such as BitDefender and Panda ActiveScan.

    Windows Defender will also offer some real-time protection from malware.

    You don't mention a firewall in your list of security applications, you really should be running one. Zone Alarm free is pretty good and will probably help.

    Are you actually having any malware issues at the moment ?
     
  18. Maggie_61

    Maggie_61 Private First Class

    In case malware continues to appear, my PC technicians told me to format, which I try to avoid.

    I killed TROJAN MACCESS yesterday, found by SPYSWEEPER.

    I had the ZONEALARM registered full version, but I uninstalled it, because I am not such a big ...expert :) and it created conflicts between programs and in my browsers! So, I think I cannot have a firewall. My modem has a firewall and Windows XP also (it is ON).

    My technician deleted WINDOWS DEFENDER (in fact, it found ...nothing) and installed SPYSWEEPER in its place, which finds things! If in the near future there are too many, I will format, unfortunately!
     
  19. matt.chugg

    matt.chugg MajorGeek

    There are other firewalls you could use. Windows Firewall is not the greatest: it only alerts on programs that attempt to run a server, i.e. programs that open ports to listen. Your modem firewall will only block incoming connections on ports you have not set up for forwarding.

    Much malware comes into your computer and then connects to the internet to download more malicious code and to phone home, so you really should have a firewall that can be configured to block programs from accessing the internet.

    Did you buy Spysweeper? AFAIK the free version offers no real-time protection. Windows Defender will protect in real time; in other words it will stop things happening, whereas anything that relies on a scan will have to fix things after it has happened. There is no harm in running both.
     
  20. Maggie_61

    Maggie_61 Private First Class

    Yes, I bought SPYSWEEPER. But I bought now the complete F-SECURE SECURITY KIT to avoid searching for spamfighters, firewalls, antispyware programs, trojans, rootkits etc.

    Do you think this is a WISE choice? :confused:
     
  21. matt.chugg

    matt.chugg MajorGeek

    I don't know, I've never used the tools you mention. I have found that the free tools we recommend provide enough protection for me. However, often it is easier for certain people to have an all-in-one solution. Having no experience with F-Secure I can't say whether it is good or bad, but it should be fine. Perhaps Chaslang or SPD could advise you further on this.
     
  22. Maggie_61

    Maggie_61 Private First Class


    Thank you!

    Chaslang, SPD what do you say on F-SECURE SECURITY KIT ? :confused:
     
  23. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    I'm no fan of all-in-one security suites. Some of the apps are decent the rest are lacking.

    F-Secure is middle of the pack, as far as protection apps are concerned. Frankly the free alternatives in How to Protect yourself from malware! are better.
     
  24. Maggie_61

    Maggie_61 Private First Class

    Thanks !

    Maggie, from beautiful Greece and silver mundobasket champions !!! :)
     
