Rootkit removal


8 replies to this topic

#1 Margriet_

Margriet_

    New Member

  • Members
  • Pip
  • 7 posts
  • OS:Windows 7
  • AV:Emsisoft Anti-Malware, Norton 360
  • HIPS:Windows Firewall
  • Other:Spybot S&D

Posted 10 January 2012 - 09:30 AM

Dear sir/madam,

Last week (January 4th), my regular Emsisoft Anti-Malware scanner detected a rootkit that could not be removed or quarantined. This week, Emsisoft claimed that no scans had been run for the last month.
I've found a rootkit again, with the Emsisoft Emergency Kit. Since the Emsisoft Anti-Malware logfile from last week has disappeared, I'm not 100% certain that it's the same rootkit.
Also since last week, Norton regularly mentions that I'm using RadioWMPCoreGecko9.dll, while I'm on internet. However, I do not know this file and I wasn't using a radio.
Apart from that, my wireless connection is not working anymore since today (I'm using a cable now).

Could you please advise me on how to remove this rootkit?

With kind regards,
Margriet

#2 Kevin Zoll

Kevin Zoll

    Malware Removal Support

  • Emsisoft Employee
  • 11647 posts
  • LocationDepauville, NY, USA
  • OS:Windows Vista
  • AV:Emsisoft Anti-Malware
  • HIPS:Online Armor
  • Other:WinPatrol Plus

Posted 11 January 2012 - 01:07 AM

C:\WINDOWS\PEV.exe 	Ontdekt: Win32.Rootkit!IK
This is a False Positive detection, PEV.exe is part of ComboFix.

The installed version of Firefox on this computer is out-dated. Install the current version of Firefox from: Mozilla Firefox

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. NOT supported for use in 9x or ME

Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 30 or JRE 7 Update 2 if Firefox 5.0 or higher is installed.
  • Click the "Download JRE" button to the right.
  • Accept the license agreement.
  • Click on the download link for your system and save it to your desktop.
    Windows x86 Offline (jre-6u30-windows-i586.exe) or Windows x86 Offline (jre-7u2-windows-i586.exe) if Firefox 5.0 or higher is installed
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.(Vista/7 users, right click on the JRE download and select "Run as an Administrator.")
The installed version of Adobe Reader on this computer is out-dated. Install the latest version of Adobe Reader available from Adobe.

The installed version of Adobe Flash Player ActiveX control on this computer is out-dated. Using Internet Explorer, install the latest version of Adobe Flash Player ActiveX available from Adobe.

Using Add or Remove Programs in the Control Panel; uninstall the following:
Java(TM) 6 Update 29

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
    :OTL
    O2 - BHO: (Easy Photo Print) - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll File not found
    O3 - HKLM\..\Toolbar: (Easy Photo Print) - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll File not found
    O4 - Startup: C:\Documents and Settings\Margriet\Start Menu\Programs\Startup\Product Registration.lnk =  File not found
    [4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [2011-05-18 19:19:21 | 000,000,004 | ---- | C] () -- C:\WINDOWS\2706531.dat
    
    :Commands
    [Purity]
    [EmptyTemp]
    [EmptyFlash]
    [EmptyJava]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Attach the new log produced by OTL (C:\_OTL). (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)
Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
Kevin Zoll [Customer Support]
Emsisoft Team - www.emsisoft.com
 
If you are seeking Malware Removal support keep it in the forums. It is not permissible to contact support staff by Private Message (PM), IM (Skype, MSN, AOL, Yahoo, etc.) or Email.

Purchase Emsisoft Anti-Malware and Online Armor Firewall
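The O2/O3/O4 lines in the OTL fix above are orphaned registrations: a Browser Helper Object and an Internet Explorer toolbar whose DLL is gone, and a Startup shortcut whose target no longer exists. The following PowerShell script is an added, read-only audit that reproduces that check on a Windows machine; it is not part of the thread and not an Emsisoft or OTL tool. It assumes the standard registry locations for BHOs, IE toolbars and CLSID servers (including the Wow6432Node views on 64-bit Windows) and the user and common Startup folders, and it reports findings without changing anything.

```powershell
# Added example (not from the thread): find IE BHO / toolbar registrations whose
# server DLL is missing, and Startup shortcuts whose target is missing.
# Read-only: reads the registry and tests paths; it removes nothing.

# Assumed (standard) registry locations; 64-bit Windows also has Wow6432Node views.
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$toolbarKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar'
)
$clsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
)

# Look up the friendly name and InprocServer32 path registered for a CLSID.
function Resolve-ClsidServer {
    param([string]$Clsid)
    foreach ($root in $clsidRoots) {
        $srv = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path $srv) {
            $name = (Get-ItemProperty -Path (Join-Path $root $Clsid) -ErrorAction SilentlyContinue).'(default)'
            $path = (Get-ItemProperty -Path $srv -ErrorAction SilentlyContinue).'(default)'
            return [pscustomobject]@{ Name = $name; Path = $path }
        }
    }
    return $null
}

# Enumerate BHOs (one subkey per CLSID) and toolbars (one value per CLSID),
# then check whether each registered DLL actually exists on disk.
function Get-BrowserAddonAudit {
    $entries = @()
    foreach ($k in $bhoKeys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($sub in Get-ChildItem -Path $k) {
            $entries += [pscustomobject]@{ Kind = 'BHO'; Clsid = $sub.PSChildName }
        }
    }
    foreach ($k in $toolbarKeys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -match '^\{[0-9A-Fa-f-]{36}\}$') {
                $entries += [pscustomobject]@{ Kind = 'Toolbar'; Clsid = $p.Name }
            }
        }
    }
    foreach ($e in $entries) {
        $srv = Resolve-ClsidServer -Clsid $e.Clsid
        $expanded = $null
        if ($srv -and $srv.Path) {
            $expanded = [Environment]::ExpandEnvironmentVariables($srv.Path.Trim('"'))
        }
        $status = if (-not $srv) { 'no CLSID registration' }
                  elseif (-not $expanded) { 'no InprocServer32 path' }
                  elseif (Test-Path -LiteralPath $expanded) { 'ok' }
                  else { 'FILE NOT FOUND' }   # the orphaned case OTL flags as O2/O3
        [pscustomobject]@{
            Kind   = $e.Kind
            Clsid  = $e.Clsid
            Name   = $srv.Name
            Path   = $expanded
            Status = $status
        }
    }
}

# Startup shortcuts whose target is gone (the O4 case in the fix above).
function Get-OrphanedStartupShortcuts {
    $shell = New-Object -ComObject WScript.Shell
    $folders = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    )
    foreach ($f in $folders) {
        if (-not (Test-Path $f)) { continue }
        foreach ($lnk in Get-ChildItem -Path $f -Filter *.lnk) {
            $target = $shell.CreateShortcut($lnk.FullName).TargetPath
            if ($target -and -not (Test-Path -LiteralPath $target)) {
                [pscustomobject]@{ Shortcut = $lnk.FullName; Target = $target; Status = 'TARGET NOT FOUND' }
            }
        }
    }
}

Get-BrowserAddonAudit | Sort-Object Status -Descending | Format-Table -AutoSize
Get-OrphanedStartupShortcuts | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so both 32-bit and 64-bit registry views are readable. An entry reported as FILE NOT FOUND is what the OTL fix cleans up; a toolbar or BHO whose DLL does exist but that you do not recognise is worth checking against the installed-programs list before deciding anything, which is the kind of review the helper did here before writing the fix.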

#3 Margriet_

Posted 13 January 2012 - 10:03 AM

Dear ShadowPuterDude,

Great! Thanks a lot.
My computer seems to be running normally, except that RadioWMPCoreGecko9.dll was still mentioned regularly when I downloaded the things you mentioned.
Emsisoft protested that a backdoor was being made while I tried to install Adobe Reader and Adobe Flash.
The OTL log is in the attachment.

With kind regards,
Margriet

#4 Kevin Zoll

Posted 13 January 2012 - 11:32 PM

The OTL fix did not run properly. Download OTLfix.txt, attached below. Open with notepad and copy & paste the fix to OTL and run the fix.

#5 Margriet_

Posted 15 January 2012 - 09:12 PM

Dear ShadowPuterDude,

Thank you. I've done what you said and the new log is in the attachment.

With kind regards,
Margriet

#6 Kevin Zoll

Posted 15 January 2012 - 11:01 PM

How are things running?

#7 Margriet_

Posted 18 January 2012 - 11:16 AM

Things are running well, thanks! I only still get the RadioWMPCoreGecko9.dll notice, but the rest is working well.

#8 Kevin Zoll

Posted 19 January 2012 - 12:05 AM

I only still get the RadioWMPCoreGecko9.dll notice, but the rest is working well.

That was most likely installed by a toolbar. Very likely the PsychoWerk Community Toolbar, which is a Conduit Toolbar by Conduit Ltd. Uninstall the toolbar from Firefox.

#9 Kevin Zoll

Posted 22 January 2012 - 01:03 AM

Thread Closed

Reason:
Lack of Response

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread.
