I think my computer is infected with whistler rootkit

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.
Reply (member since Apr 7, 2010):
Hi diggets,
Sorry, they've really moved things around in Win7. Do this instead:
Click start > Control Panel
  • Click Appearance and Personalization
  • Under Folder Options, click Show hidden files and folders
  • Check Show hidden files and folders
  • Uncheck the "Hide extensions for known file types" box
  • Uncheck the "Hide protected operating system files" box
Click apply, click ok
 

diggets (Thread Starter):
For wdmaud:

File name: wdmaud.drv
Submission date: 2011-11-16 21:38:06 (UTC)
Current status: finished
Result: 0/42 (0.0%)
VT Community: not reviewed (safety score: -)

Antivirus              Version           Last Update   Result
AhnLab-V3              2011.11.16.00     2011.11.16    -
AntiVir                7.11.17.203       2011.11.16    -
Antiy-AVL              2.0.3.7           2011.11.16    -
Avast                  6.0.1289.0        2011.11.16    -
AVG                    10.0.0.1190       2011.11.16    -
BitDefender            7.2               2011.11.16    -
ByteHero               1.0.0.1           2011.11.14    -
ClamAV                 0.97.3.0          2011.11.16    -
Commtouch              5.3.2.6           2011.11.16    -
Comodo                 10778             2011.11.14    -
DrWeb                  5.0.2.03300       2011.11.16    -
Emsisoft               5.1.0.11          2011.11.16    -
eSafe                  7.0.17.0          2011.11.16    -
eTrust-Vet             37.0.9569         2011.11.16    -
F-Prot                 4.6.5.141         2011.11.16    -
F-Secure               9.0.16440.0       2011.11.16    -
Fortinet               4.3.370.0         2011.11.16    -
GData                  22                2011.11.16    -
Ikarus                 T3.1.1.109.0      2011.11.16    -
Jiangmin               13.0.900          2011.11.16    -
K7AntiVirus            9.119.5474        2011.11.16    -
Kaspersky              9.0.0.837         2011.11.16    -
McAfee                 5.400.0.1158      2011.11.16    -
McAfee-GW-Edition      2010.1D           2011.11.16    -
Microsoft              1.7801            2011.11.16    -
NOD32                  6636              2011.11.16    -
Norman                 6.07.13           2011.11.16    -
nProtect               2011-11-16.01     2011.11.16    -
Panda                  10.0.3.5          2011.11.16    -
PCTools                8.0.0.5           2011.11.16    -
Prevx                  3.0               2011.11.16    -
Rising                 23.84.02.02       2011.11.16    -
Sophos                 4.71.0            2011.11.16    -
SUPERAntiSpyware       4.40.0.1006       2011.11.16    -
Symantec               20111.2.0.82      2011.11.16    -
TheHacker              6.7.0.1.343       2011.11.16    -
TrendMicro             9.500.0.1008      2011.11.16    -
TrendMicro-HouseCall   9.500.0.1008      2011.11.16    -
VBA32                  3.12.16.4         2011.11.15    -
VIPRE                  11062             2011.11.16    -
ViRobot                2011.11.16.4776   2011.11.16    -
VirusBuster            14.1.66.1         2011.11.16    -

MD5:    8a833f7bb5f15283e398eb82d7188c76
SHA1:   e2f975d439a0317ae5a922573ac1d4e2385f44f8
SHA256: fc13971f36c103ba5a839978c5b03d6184eafb14c7df8e7310bee862a95d92e0
 

diggets (Thread Starter):
File name: userinit.exe
Submission date: 2011-11-16 22:23:30 (UTC)
Current status: finished
Result: 0/42 (0.0%)
VT Community: goodware (safety score: 100.0%)

Engine table: the same 42 engines, versions and signature dates as in the wdmaud.drv report above; every result is "-" (no detection).

MD5:    0e135526e9785d085bcd9aede6fbcbf9
SHA1:   d15244d41efddbab08d53fe032aedff39091d3af
SHA256: 75eea7e5ae90d857b777361a0166f9a82e354f229fd5250af8738364e6fb45db
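Added example, not part of the thread: a practitioner's check that the copy of wdmaud.drv or userinit.exe sitting on the machine is byte-for-byte the file whose VirusTotal reports are posted above. It recomputes all three digests locally and compares them with the posted values, so a "0/42" verdict is only trusted for exactly the bytes that were scanned. The digests are copied from the two reports; the System32 location and the function names are my assumptions.

```python
import hashlib
import os

ALGORITHMS = ("md5", "sha1", "sha256")

# Reference digests copied from the two VirusTotal reports posted above.
REFERENCE = {
    "wdmaud.drv": {
        "md5": "8a833f7bb5f15283e398eb82d7188c76",
        "sha1": "e2f975d439a0317ae5a922573ac1d4e2385f44f8",
        "sha256": "fc13971f36c103ba5a839978c5b03d6184eafb14c7df8e7310bee862a95d92e0",
    },
    "userinit.exe": {
        "md5": "0e135526e9785d085bcd9aede6fbcbf9",
        "sha1": "d15244d41efddbab08d53fe032aedff39091d3af",
        "sha256": "75eea7e5ae90d857b777361a0166f9a82e354f229fd5250af8738364e6fb45db",
    },
}


def digest_bytes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of an in-memory buffer, as lowercase hex."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}


def digest_file(path: str) -> dict:
    """The same three digests for a file, streamed in 1 MiB chunks."""
    hashers = {alg: hashlib.new(alg) for alg in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def mismatches(actual: dict, expected: dict) -> list:
    """Algorithms whose digests differ; an empty list means all three match.
    A partial match (say, MD5 agrees but SHA-256 does not) still means the
    bytes are not the same file, so treat any non-empty list as a mismatch."""
    return [alg for alg in ALGORITHMS if actual[alg].lower() != expected[alg].lower()]


if __name__ == "__main__":
    # Assumed location on a default install (hypothetical; adjust for your system).
    system32 = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    for name, expected in REFERENCE.items():
        path = os.path.join(system32, name)
        if not os.path.exists(path):
            print(f"{name}: not found at {path}")
            continue
        bad = mismatches(digest_file(path), expected)
        status = "same bytes VirusTotal scanned" if not bad else "DIFFERS on " + ", ".join(bad)
        print(f"{name}: {status}")
```

Two caveats. A match proves only that these exact bytes were scanned by 42 engines with nothing found; it does not prove the file is the genuine Microsoft binary, so compare against a known-good copy or check its Authenticode signature as well. And on a machine suspected of carrying a kernel rootkit, a hash computed from inside the running OS can be fed hooked, clean-looking file contents; hashing the file from a boot CD or another OS removes that doubt.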
 
Reply (member since Apr 7, 2010):
Hi diggets,


You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.


Open MBAM
  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


One more scan to look for stragglers.


As a Vista/Win7 user you will need to right click your browser icon and select "Run as Administrator" in order to run this scan.
  • Do not use this instance of your browser for anything besides doing this scan
  • When the scan is complete and the results saved, close that instance of your browser
  • Open a new one the usual way and post the results in this topic.
*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.


Go here to run an online scanner from
ESET


(Note: You can use Internet Explorer or Firefox for this scan. If you use Firefox you will be asked to install an additional component. Please allow this.)
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Disable your Antivirus software. You can usually do this with its Notification Tray icon near the clock
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is Checked.
  • Click Scan.
  • When the scan completes, push List of found threats
  • Push Export to Text file and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    Note - when ESET doesn't find any threats, no report will be created.
  • Push the back button.
  • Push Finish
  • Re-enable your Antivirus software.
If a log has been produced post it in your next reply.


Please post back with
  • MBAM log
  • ESET log
Thanks
 

diggets (Thread Starter):
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org
Database version: 8178
Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.19088
11/16/2011 8:01:48 PM
mbam-log-2011-11-16 (20-01-48).txt
Scan type: Full scan (C:\|)
Objects scanned: 570247
Time elapsed: 1 hour(s), 27 minute(s), 50 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
 

diggets (Thread Starter):
C:\Program Files (x86)\Yontoo Layers\YontooIEClient.dll Win32/Adware.Yontoo.A application
C:\Qoobox\Quarantine\C\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll.vir a variant of Win32/Adware.Yontoo.B application
C:\Users\Murray\Desktop\Dwarf Fortress\LNP\Utilities\C-Hacks\DFhack 0.5.12\dfexpbench.exe probably a variant of Win32/Agent.JYJXQJM trojan
C:\Users\Murray\Desktop\Dwarf Fortress\LNP\Utilities\C-Hacks\DFhack 0.5.12\dflair.exe probably a variant of Win32/Agent.MBFCHKH trojan
C:\Users\Murray\Desktop\Dwarf Fortress\LNP\Utilities\C-Hacks\DFhack 0.5.12\dfmode.exe probably a variant of Win32/Agent.GNTAXU trojan
C:\Users\Murray\Desktop\Dwarf Fortress\LNP\Utilities\C-Hacks\DFhack 0.5.12\dfpause.exe probably a variant of Win32/Agent.MSCYHJA trojan
C:\Users\Murray\Desktop\Dwarf Fortress\LNP\Utilities\C-Hacks\DFhack 0.5.12\dfposition.exe probably a variant of Win32/Agent.HMIAGON trojan
C:\Users\Murray\Desktop\Dwarf Fortress\LNP\Utilities\C-Hacks\DFhack 0.5.12\dfsuspend.exe probably a variant of Win32/Agent.GLAETZU trojan
Operating memory Win32/Adware.Yontoo.A application
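Added example, not part of the thread: a small triage parser for ESET online-scanner log lines of the shape posted above (path, threat name, category word). It splits each line and buckets it: hits inside C:\Qoobox\Quarantine (ComboFix's quarantine folder, a known fact rather than something the thread states) are inert .vir copies; "probably a variant of" names are heuristic detections that deserve a hash check before deletion; "application" is ESET's potentially-unwanted category; "Operating memory" means the code is loaded in a running process. The nine lines are embedded as constructed input copied from the post; the bucket names and functions are mine.

```python
import re
from dataclasses import dataclass

# Constructed input: the ESET log lines posted above, verbatim.
ESET_LOG = r"""
C:\Program Files (x86)\Yontoo Layers\YontooIEClient.dll Win32/Adware.Yontoo.A application
C:\Qoobox\Quarantine\C\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll.vir a variant of Win32/Adware.Yontoo.B application
C:\Users\Murray\Desktop\Dwarf Fortress\LNP\Utilities\C-Hacks\DFhack 0.5.12\dfexpbench.exe probably a variant of Win32/Agent.JYJXQJM trojan
C:\Users\Murray\Desktop\Dwarf Fortress\LNP\Utilities\C-Hacks\DFhack 0.5.12\dflair.exe probably a variant of Win32/Agent.MBFCHKH trojan
C:\Users\Murray\Desktop\Dwarf Fortress\LNP\Utilities\C-Hacks\DFhack 0.5.12\dfmode.exe probably a variant of Win32/Agent.GNTAXU trojan
C:\Users\Murray\Desktop\Dwarf Fortress\LNP\Utilities\C-Hacks\DFhack 0.5.12\dfpause.exe probably a variant of Win32/Agent.MSCYHJA trojan
C:\Users\Murray\Desktop\Dwarf Fortress\LNP\Utilities\C-Hacks\DFhack 0.5.12\dfposition.exe probably a variant of Win32/Agent.HMIAGON trojan
C:\Users\Murray\Desktop\Dwarf Fortress\LNP\Utilities\C-Hacks\DFhack 0.5.12\dfsuspend.exe probably a variant of Win32/Agent.GLAETZU trojan
Operating memory Win32/Adware.Yontoo.A application
""".strip().splitlines()

# Paths contain spaces, so anchor on the threat name (platform/family) and the trailing category word.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<verdict>(?:probably )?(?:a variant of )?[A-Za-z0-9]+/\S+)\s+"
    r"(?P<kind>application|trojan)$"
)

ACTION_ORDER = ["active", "remove", "verify", "review", "ignore"]


@dataclass
class Finding:
    path: str
    verdict: str   # threat name as logged, including any "probably" / "a variant of" prefix
    kind: str      # ESET category word: "application" (potentially unwanted) or "trojan"
    action: str    # triage bucket, one of ACTION_ORDER
    reason: str


def classify(path: str, verdict: str, kind: str) -> tuple:
    low = path.lower()
    if low.startswith(r"c:\qoobox\quarantine") or low.endswith(".vir"):
        # ComboFix quarantine: renamed .vir copies are inert until deliberately restored
        return "ignore", "already quarantined copy; inert unless restored"
    if low == "operating memory":
        return "active", "loaded in a running process; stop the process, then deal with the file on disk"
    if kind == "application":
        return "review", "potentially unwanted application; uninstall if not wanted"
    if verdict.startswith("probably"):
        return "verify", "heuristic detection; confirm by hash lookup or a second opinion before deleting"
    return "remove", "signature detection"


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path, verdict, kind = m.group("path"), m.group("verdict"), m.group("kind")
    action, reason = classify(path, verdict, kind)
    return Finding(path, verdict, kind, action, reason)


def triage(lines) -> list:
    findings = [f for f in (parse_line(l) for l in lines) if f is not None]
    return sorted(findings, key=lambda f: ACTION_ORDER.index(f.action))  # stable: log order within a bucket


def summarize(findings) -> dict:
    counts = {}
    for f in findings:
        counts[f.action] = counts.get(f.action, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(ESET_LOG):
        print(f"{f.action:7} {f.path}\n        {f.verdict} ({f.kind}): {f.reason}")
    print(summarize(triage(ESET_LOG)))
```

Run on the posted log this gives one active item (Yontoo loaded in memory), six heuristic hits to verify (the DFhack utilities), one potentially unwanted application to review (the Yontoo DLL on disk) and one quarantined copy to ignore. Generic names such as Win32/Agent.JYJXQJM on small game utilities that read or patch another process's memory are exactly where heuristic engines produce false positives, which is why the "verify" bucket exists: hash the files and look them up before deleting them.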
 
Reply (member since Apr 7, 2010):
Hi diggets,

C:\Program Files (x86)\Yontoo Layers\YontooIEClient.dll Win32/Adware.Yontoo.A application

This is a plugin that is commonly used on Facebook. Lots of people use it with no problems. ESET has flagged it as a potentially unwanted program. If you use it, no problem. If you want to remove it, go here and click "How do I uninstall Yontoo Layers?"

I take it Dwarf Fortress is a game and the files are tools for the game?

How is the computer?
 

diggets (Thread Starter):
The problem seems to be gone, but I have been getting frequent popup notifications saying "out of memory line 4".
 

diggets (Thread Starter):
The problem seems to have gone, but now the audio ads are on in the background again, semi-randomly. I can't think of anything I did other than turn off my PC last night. On the bright side, the iexplorer crashing seems completely fixed.
 
Reply (member since Apr 7, 2010):
Hi diggets,

Download aswMBR.exe to your desktop
.
Right click on aswMBR.exe and click "Run as Administrator" to run it.

Click the "Scan" button to start scan


On completion of the scan click save log, save it to your desktop and post in your next reply



There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.



Please post back with
  • aswMBR log
  • mbr.zip (attached)
 

diggets (Thread Starter):
Tried that three times, but each time I get what I have heard called the blue screen of warning and a message saying DRIVER_IRQL_NOT_LESS_OR_EQUAL.
 