I recently received great support from this forum in cleaning my PC of a rootkit. Please see "Rootkit and Multiple problems".
Today I ran a scan with the a-squared Anti-Malware software and it showed me a suspicious program.
c:\program files\passware detected: Trace.Directory.BackupKey!A2
c:\program files\passware\demos detected: Trace.Directory.BackupKey!A2
I am sure I never installed this. When I tried to delete the entry, it could not, and it asked me to consult the a-squared forums to get help on this. Since I got outstanding help here, I just wanted to check here on TSF whether this is indeed a threat and in some way related to my recent rootkit infection. I have attached a log from a-squared.
Thanks!!
a-squared Anti-Malware - Version 4.5
Last update: 7/3/2009 1:29:34 AM
Scan settings:
Scan type: Quick Scan
Objects: Memory, Traces, Cookies
Scan archives: On
Heuristics: Off
ADS Scan: On
Scan start: 7/3/2009 11:22:54 AM
c:\program files\passware detected: Trace.Directory.BackupKey!A2
c:\program files\passware\demos detected: Trace.Directory.BackupKey!A2
c:\program files\amazon detected: Trace.Directory.Berm.Amazon Toolbar!A2
c:\program files\passware\demos\pk.chm detected: Trace.File.BackupKey!A2
c:\program files\passware\demos\dict.txt detected: Trace.File.Office Key 7.0!A2
Value: HKEY_USERS\S-1-5-21-823518204-1563985344-725345543-1003\Software\Passware\common\8 --> general detected: Trace.Registry.Money Password Recovery Key!A2
C:\Documents and Settings\Matrix\Cookies\Matrix@247realmedia[1].txt detected: Trace.TrackingCookie.247realmedia!A2
C:\Documents and Settings\Matrix\Cookies\Matrix@247realmedia[3].txt detected: Trace.TrackingCookie.247realmedia!A2
C:\Documents and Settings\Matrix\Cookies\Matrix@2o7[2].txt detected: Trace.TrackingCookie.2o7!A2
C:\Documents and Settings\Matrix\Cookies\Matrix@adserver.adtechus[1].txt detected: Trace.TrackingCookie.adserv!A2
C:\Documents and Settings\Matrix\Cookies\Matrix@adserver.adtechus[2].txt detected: Trace.TrackingCookie.adserv!A2
C:\Documents and Settings\Matrix\Cookies\Matrix@questionmarket[2].txt detected: Trace.TrackingCookie.questionmarket!A2
C:\Documents and Settings\Matrix\Cookies\Matrix@specificclick[2].txt detected: Trace.TrackingCookie.specificclick!A2
C:\Documents and Settings\Matrix\Application Data\Mozilla\Firefox\Profiles\ynnzhs7y.default\cookies.sqlite:1245723627671875 detected: Trace.TrackingCookie.webtrends!A2
C:\Documents and Settings\Matrix\Application Data\Mozilla\Firefox\Profiles\ynnzhs7y.default\cookies.sqlite:1245723628046875 detected: Trace.TrackingCookie.webtrends!A2
C:\Documents and Settings\Matrix\Application Data\Mozilla\Firefox\Profiles\ynnzhs7y.default\cookies.sqlite:1246120403156250 detected: Trace.TrackingCookie.dealtime!A2
C:\Documents and Settings\Matrix\Application Data\Mozilla\Firefox\Profiles\ynnzhs7y.default\cookies.sqlite:1246136342921876 detected: Trace.TrackingCookie.zedo!A2
C:\Documents and Settings\Matrix\Application Data\Mozilla\Firefox\Profiles\ynnzhs7y.default\cookies.sqlite:1246136344281250 detected: Trace.TrackingCookie.zedo!A2
C:\Documents and Settings\Matrix\Application Data\Mozilla\Firefox\Profiles\ynnzhs7y.default\cookies.sqlite:1246159644453130 detected: Trace.TrackingCookie.link!A2
C:\Documents and Settings\Matrix\Application Data\Mozilla\Firefox\Profiles\ynnzhs7y.default\cookies.sqlite:1246200577562500 detected: Trace.TrackingCookie.webtrends!A2
C:\Documents and Settings\Matrix\Application Data\Mozilla\Firefox\Profiles\ynnzhs7y.default\cookies.sqlite:1246200609390626 detected: Trace.TrackingCookie.webtrends!A2
C:\Documents and Settings\Matrix\Application Data\Mozilla\Firefox\Profiles\ynnzhs7y.default\cookies.sqlite:1246200665421875 detected: Trace.TrackingCookie.webtrends!A2
C:\Documents and Settings\Matrix\Application Data\Mozilla\Firefox\Profiles\ynnzhs7y.default\cookies.sqlite:1246200684140625 detected: Trace.TrackingCookie.webtrends!A2
C:\Documents and Settings\Matrix\Application Data\Mozilla\Firefox\Profiles\ynnzhs7y.default\cookies.sqlite:1246200731703126 detected: Trace.TrackingCookie.webtrends!A2
C:\Documents and Settings\Matrix\Application Data\Mozilla\Firefox\Profiles\ynnzhs7y.default\cookies.sqlite:1246203863984376 detected: Trace.TrackingCookie.count!A2
C:\Documents and Settings\Matrix\Application Data\Mozilla\Firefox\Profiles\ynnzhs7y.default\cookies.sqlite:1246321203890625 detected: Trace.TrackingCookie.count!A2
C:\Documents and Settings\Matrix\Application Data\Mozilla\Firefox\Profiles\ynnzhs7y.default\cookies.sqlite:1246385289768850 detected: Trace.TrackingCookie.link!A2
C:\Documents and Settings\Matrix\Application Data\Mozilla\Firefox\Profiles\ynnzhs7y.default\cookies.sqlite:1246385384596976 detected: Trace.TrackingCookie.com!A2
C:\Documents and Settings\Matrix\Application Data\Mozilla\Firefox\Profiles\ynnzhs7y.default\cookies.sqlite:1246385384596978 detected: Trace.TrackingCookie.com!A2
C:\Documents and Settings\Matrix\Application Data\Mozilla\Firefox\Profiles\ynnzhs7y.default\cookies.sqlite:1246405140284472 detected: Trace.TrackingCookie.com!A2
C:\Documents and Settings\Matrix\Application Data\Mozilla\Firefox\Profiles\ynnzhs7y.default\cookies.sqlite:1246405493034472 detected: Trace.TrackingCookie.com!A2
C:\Documents and Settings\Matrix\Application Data\Mozilla\Firefox\Profiles\ynnzhs7y.default\cookies.sqlite:1246544937000004 detected: Trace.TrackingCookie.count!A2
C:\Documents and Settings\Matrix\Application Data\Mozilla\Firefox\Profiles\ynnzhs7y.default\cookies.sqlite:1246544937000007 detected: Trace.TrackingCookie.dealtime!A2
Scanned
Files: 2881
Traces: 667059
Cookies: 858
Processes: 61
Found
Files: 0
Traces: 6
Cookies: 29
Processes: 0
Registry keys: 0
Scan end: 7/3/2009 11:25:15 AM
Scan time: 0:02:21