1. TechSpot is dedicated to computer enthusiasts and power users. Ask a question and give support. Join the community here.
    TechSpot is dedicated to computer enthusiasts and power users.
    Ask a question and give support.
    Join the community here, it only takes a minute.
    Dismiss Notice

C:\Windows\System32\drivers\zdxooibu.sys (Rootkit.Agent) and Trojan Hiloti

By TBLWNSC04 ยท 4 replies
Jan 26, 2010
  1. Cable company security called me and made me aware of this virus, malware. I could not get cleaned by malwarebytes as it came back when I rescanned. I was told by cable security that the only option was to get out the recovery disk and restore the whole system. Trying to get a second opinion. Any help would help all of us.Was told this was a new virus......Logs are as follows from Malwarebytes and SAS. Combo-Fix?

    Malwarebytes' Anti-Malware 1.44
    Database version: 3641
    Windows 6.0.6001 Service Pack 1
    Internet Explorer 7.0.6001.18000

    1/26/2010 5:02:56 PM
    mbam-log-2010-01-26 (17-02-56).txt

    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 263571
    Time elapsed: 1 hour(s), 23 minute(s), 31 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 11
    Registry Values Infected: 2
    Registry Data Items Infected: 0
    Folders Infected: 1
    Files Infected: 5

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\TypeLib\{f0d4b230-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{f0d4b23a-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{f0d4b23c-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{b15fd82e-85bc-430d-90cb-65db1b030510} (Adware.AskSBAR) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{f0d4b231-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f0d4b231-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f0d4b231-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{f0d4b23b-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{f0d4b23b-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\ProgramData\11582522 (Rogue.Multiple) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL (Adware.AskSBAR) -> Quarantined and deleted successfully.
    C:\Users\Brian-Notebook\AppData\Local\rvorxi.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
    C:\Windows\System32\drivers\zdxooibu.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\Users\Brian-Notebook\AppData\Roaming\avdrn.dat (Malware.Trace) -> Quarantined and deleted successfully.
    C:\Users\Brian-Notebook\AppData\Roaming\fvgqad.dat (Malware.Trace) -> Quarantined and deleted successfully.

    SAS found rogue agent/gen HKLM Software #11582522

    Any help would be appreciated.
  2. protecterstouch

    protecterstouch TS Rookie

    Try using avast free edition i find sometimes what one virus scanner cant get another might be able to. If all else fails back up whatever clean files you can and just do a reformat and reinstall of windows. It never hurts to format the windows drive every once in a while.
  3. TBLWNSC04

    TBLWNSC04 TS Rookie Topic Starter

    Thank you. I will try Avast. Malwarebytes seemed to pick it up, but couldn't remove. Superantispyware didn't pick it up, but in Mozilla was where it was found. The funny thing is myspybot and windows defender warned me, but they could not clean up which tells me this is a new virus. The things I have are Microsoft Word, Excel, photos,and some music. Anyway to tell if they are infected? It doesn't look like it from the log. Also, any recommendations for a more powerful firewall? Should I put my system internet security level on high? Can combo fix clean this up?
  4. TBLWNSC04

    TBLWNSC04 TS Rookie Topic Starter

    I tried downloading Avast and my screen went blue and had problems starting up. I had to go to before I started through device manager. No luck, this virus is a beast. Need to find recovery cd. Any idea what caused this breach? Unsafe browser?
  5. protecterstouch

    protecterstouch TS Rookie

    Firefox is very safe it might have just been a file you downloaded. I think a reformat is definatly a good route to take.
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...