-
July 1st, 2009, 08:18 AM
#1
need to find infected files
Norton 360 reports packed generic 200 infection. I did follow another thread with the same infection but I believe the infected files are located in a different place for me.
Norton identified the following dll as the culprits.
globalroot\systemroot\system32\uacbfvdkxfnktnwrm.dll
I did a search of all including hidden folders and files and even a partial string did not show up
where is this directory
sidenote: If I pay 150.00 norton will log a guy onto my computer from a call centre and clean this, yet they can't bot this into their software hmm.
Also Norton 360 reports virtual doctor as a dangerous site with 30 active threats....that's odd...anyways please help with this generic200
-
July 1st, 2009, 08:24 AM
#2
Also Norton 360 reports virtual doctor as a dangerous site with 30 active threats....that's odd
Some others will respond to help you get cleaned up. The reason 360 picked items here is because of the HiJack This logs and such that are posted here. These items list lots of nasty stuff and Norton is not doing more than a cursory glance to see what is really going on. Bottom line is that I've never had anything negative happen during my travels here and it's past 7 years now...
-
July 1st, 2009, 11:17 AM
#3
uacbfvdkxfnktnwrm.dll is a rootkit.
Travel to our HJT section, and post required logs.
-
July 1st, 2009, 04:23 PM
#4
That, my friend, looks like Rustok or another variant of an "API hook" (API stands for "Application Program Interface"). The reason you won't find it, nor will anyone else here with the standard cookie cutter removal process, is because the file is invisible to the Windows API. In other words, chances are far better than average that HJT isn't going to find it and/or won't be able to touch it either and you CERTAINLY won't find it in "My Computer" while the drive is in the computer.
If you want to learn why, learn about kernel-mode API hooks. That's not something they teach you in "Forum Malware Removal 101" 
You certainly won't be getting rid of it with standard procedure. Rustok is a bugger and it's designed to thwart the generic, cookie-cutter removal process (if you don't believe me, head over to bleeping computer and notice how they tell people to run MBAM and SmitfraudFix 10 times and the poster keeps saying "it's still there, it's still there").
I've dealt with Rustok and other kernel-mode API hooks personally, hands on, quite frequently lately. I know for a fact that Malwarebytes, Snorton, etc. will not get rid of it.
Best way to get rid of stuff like that (well, easiest way) is to pull the drive out, put it on another computer that has Superantispyware installed and do a full drive scan. Pulling it out of the computer renders the protection mechanisms inoperable, allowing for an easier killage.
Option # 2 is to download a nice little program called SDFix. All the information you need about it is here. Run it in safe mode, let it sniff out the rootkit. Sometimes it will trap it, sometimes it won't.
From there you can deal with the other infections. There will be others, guaranteed.. But it's pointless dealing with them until you've dealt with this one, because you'll be caught running around in circles....and if you don't do it properly, you'll be reinfected again in a week.
There are other ways of doing it, but they're more complex. It really helps if you understand and know how to do hook analysis.
Last edited by SirKenin; July 1st, 2009 at 04:54 PM.
Bash him into the ground, make jokes and call him names while he's alive...Revere him when he dies. Pathetic. 
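Post #4's point is that a kernel-mode hook filters what the Windows API returns, so a search run on the infected machine can never show the file, while the same drive mounted on a clean machine lists it. The cross-view diff below is an added Python example, not code from the thread or from any tool named in it; the two directory listings are constructed, the Windows directory is assumed to be named `windows`, and the `globalroot\systemroot` prefix in Norton's report is taken to mean that directory in NT object-namespace form.

```python
import re
from typing import Iterable, Set

# Constructed sample input: one directory tree as listed through the Windows
# API on the infected machine (a kernel-mode hook filters the result) and as
# listed with the drive mounted as D: on a clean machine (nothing filters it).
ONLINE_LISTING = r"""
C:\Windows\System32\kernel32.dll
C:\Windows\System32\user32.dll
C:\Windows\System32\drivers\etc\hosts
"""
OFFLINE_LISTING = r"""
D:\Windows\System32\kernel32.dll
D:\Windows\System32\user32.dll
D:\Windows\System32\uacbfvdkxfnktnwrm.dll
D:\Windows\System32\drivers\constructed_hidden.sys
D:\Windows\System32\drivers\etc\hosts
"""
# The path exactly as Norton reported it in the thread (NT object-namespace form).
NORTON_REPORT = r"globalroot\systemroot\system32\uacbfvdkxfnktnwrm.dll"

# '\\?\globalroot\systemroot\', 'globalroot\systemroot\' and '\systemroot\' all
# name the Windows directory; assumed here to be 'windows' (could be 'winnt').
_SYSTEMROOT = re.compile(r"^(?:\\\\\?\\)?\\?(?:globalroot\\)?systemroot\\")
_DRIVE = re.compile(r"^[a-z]:\\")

def normalize(path: str, windows_dir: str = "windows") -> str:
    """Reduce every spelling of the same file to one drive-independent key."""
    p = path.strip().replace("/", "\\").lower()
    p = _SYSTEMROOT.sub(lambda _: windows_dir + "\\", p)  # lambda: no escape processing
    return _DRIVE.sub("", p)

def parse_listing(text: str) -> Set[str]:
    """One normalized key per non-empty line of a directory listing."""
    return {normalize(line) for line in text.splitlines() if line.strip()}

def hidden_entries(online: Iterable[str], offline: Iterable[str]) -> Set[str]:
    """Cross-view diff: files on disk that the API view omits. A search run on
    the infected machine only ever sees the online view, hence post #1's miss."""
    return set(offline) - set(online)

def locate_reported(reported: str, listing: Iterable[str]) -> bool:
    """True if the AV-reported path resolves to an entry in the given view."""
    return normalize(reported) in set(listing)

if __name__ == "__main__":
    online, offline = parse_listing(ONLINE_LISTING), parse_listing(OFFLINE_LISTING)
    for entry in sorted(hidden_entries(online, offline)):
        print("hidden from the API view:", entry)
    print("reported DLL visible offline:", locate_reported(NORTON_REPORT, offline))
```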
-
July 1st, 2009, 04:50 PM
#5
SDFix has not been updated since November of last year. It may find something wrong there, but you would be well advised to follow Broni's advice. He will point you to more up-to-date utilities.
-
July 1st, 2009, 05:01 PM
#6
It doesn't need to be updated to find a rootkit. In a worst case scenario, it will confirm rootkit activity. Nonetheless, I've personally confirmed that Superantispyware running on another machine will delete these threats (it is an added plus having a good antivirus resident shield running at the same time), plus many others, after which time the standard "HJT, Malwarebytes, Combofix, rinse, repeat" method can be implemented.
Last edited by SirKenin; July 1st, 2009 at 05:09 PM.
Bash him into the ground, make jokes and call him names while he's alive...Revere him when he dies. Pathetic. 
-
July 1st, 2009, 06:55 PM
#7
 Originally Posted by SirKenin
It doesn't need to be updated to find a rootkit. It makes good use of the "catchme" utility. In a worst case scenario, it will confirm rootkit activity.
Be that as it may, there are other (updated) tools that detect rootkits, combofix amongst them (which runs catchme also), that should be used, not outdated ones with outdated databases.
-
July 1st, 2009, 07:06 PM
#8
Ummm. Yeah.
See, that's why there are two types of geeks in this world. Those that have "paper smarts".. Typically the ones "trained" on forums (I saw one that claimed they were a real tech, but darn it all if there was ANY proof of that in ANYTHING they actually said).. And those that actually have experience.
Experience tells us that Combofix doesn't deal with Rustok and some similar kernel-hooked rootkits very well, if at all. We know this, because we have hands on experience. We've tried it. We deal with infections (many very serious) every day, and we get paid the big bucks because people have already taken it to the paper smarts geeks that simply either a) buggered up their PC (I watched one such "trained" geek in another forum absolutely demolish someone's hard drive to the point that it wouldn't boot anymore...twice) or b) didn't do the job properly, following the "script" so that the computer was reinfected again within days.
Paper smarts tell us "it SHOULD work...that's how we were 'trained'" while a frustrated user goes "but it's STILL there!!".
Of course moving this into the Hijack This forum means that others can't help, despite the fact they may have far superior skills and experience.
Well, whatever. The instructions are there. It's up to the user to decide how to proceed.
Last edited by SirKenin; July 1st, 2009 at 07:12 PM.
Bash him into the ground, make jokes and call him names while he's alive...Revere him when he dies. Pathetic. 
-
July 1st, 2009, 07:36 PM
#9
Of course moving this into the Hijack This forum means that others can't help, despite the fact they may have far superior skills and experience.
It allows our malware experts, one of which is Broni, to work without having to explain his every move and argue with those who don't get what he's doing. We have a big enough workload here, for which we offer our time for free, so the easier we can make it the better for everyone.
In any case bartholemew's thread has been thrown off topic enough. Let's allow Broni to assist and we'll all watch and learn.
-
July 1st, 2009, 08:11 PM
#10
Just to clarify something though SirKenin, you advised running sdfix because it has the Catchme feature.
Combofix has this feature too, yet you argue against its use??
I don't understand some ppl.
-
July 1st, 2009, 09:10 PM
#11
 Originally Posted by crunchie
Just to clarify something though SirKenin, you advised running sdfix because it has the Catchme feature.
Combofix has this feature too, yet you argue against its use??
I don't understand some ppl.
Never mind. He can't hear you over the sound of how great he is.
-
July 1st, 2009, 09:18 PM
#12
 Originally Posted by fink
In any case bartholemew's thread has been thrown off topic enough. Let's allow Broni to assist and we'll all watch and learn.
The unknown variable here is WHAT we'll learn..
 Originally Posted by lgbpop
Never mind. He can't hear you over the sound of how great he is. 
...so far I'm learning that your reading comprehension is about as bad as your technical abilities.
Now. Fink has spoken. Shut the hell up and let this thread take its proper course.
Bash him into the ground, make jokes and call him names while he's alive...Revere him when he dies. Pathetic. 
-
July 1st, 2009, 09:30 PM
#13
 Originally Posted by SirKenin
Now. Fink has spoken. Shut the hell up and let this thread take its proper course.
Everyone has the right to voice their opinion here. No-one has the right to be rude to other members.
You are walking a thin line, so take this as a friendly warning. Stop putting down (criticising) hard working members of the community here and start doing something constructive.
If you have nothing good to say, say nothing.
-
July 1st, 2009, 10:39 PM
#14
Sorry. Let's get this straight. I offered constructive advice. I offered tools and techniques. All I've done in the last week is help people, and actually got it right every single time, unlike some of the "hard working members of the community".
You question them, denigrate them, but offer nothing of your own other than the same old, same old that I know for a fact doesn't work and have stated why from personal, real life, hands on experience.
lgbpop insults me.
And you're going to attack my post? After I actually listened to Fink and didn't respond to your bait?
Okkkkkkkk...
Anyways, duly noted. Carry on.
Bash him into the ground, make jokes and call him names while he's alive...Revere him when he dies. Pathetic. 
-
July 1st, 2009, 10:46 PM
#15
Sorry OP. Taking this to PM.