8 replies to this topic

[Margriet_]

Dear sir/madam,

Last week (January 4th), my regular Emsisoft Anti-Marware scanner has detected a rootkit, that could not be removed or quarantined. This week, Emsisoft claimed that no scans had been run for the last month.
I've found a rootkit again, with the Emsisoft Emergency Kit. Since the Emsisoft Anti-Malware logfile from last week has disappeared, I'm not 100% certain that it's the same rootkit.
Also since last week, Norton regularly mentions that I'm using RadioWMPCoreGecko9.dll, while I'm on internet. However, I do not know this file and I wasn't using a radio.
Apart from that, my wireless connection is not working anymore since today (I'm using a cable now).

Could you please advise me on how to remove this rootkit?

With kind regards,
Margriet

Attached Files

•  OTL.Txt   47.8K   55 downloads
•  Extras.Txt   35.38K   48 downloads
•  a2scan_120109-170238.txt   2.04K   44 downloads

[ShadowPuterDude]

C:\WINDOWS\PEV.exe 	Ontdekt: Win32.Rootkit!IK

This is a Flase Postive detection, PEV.exe is part of ComboFix.

The installed version of Firefox on this compter is out-dated. Install the current version of FireFox from: Mozilla Firefox

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application. NOT supported for use in 9x or ME

Upgrading Java:

• Download the latest version of Java SE Runtime Environment (JRE) 6 Update 30 or JRE 7 Update 2 if Firefox 5.0 or higher is installed.
• Click the "Download JRE" button to the right.
• Accept the license agreement.
• Click on the download link for your system and save it to your desktop.
  Windows x86 Offline (jre-6u30-windows-i586.exe) or Windows x86 Offline (jre-7u2-windows-i586.exe) if Firefox 5.0 or higher is installed
• Close any programs you may have running - especially your web browser.
• Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
• Check any item with Java Runtime Environment (JRE or J2SE) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java version.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on the download to install the newest version.(Vista/7 users, right click on the JRE download and select "Run as an Administrator.")

The installed version of Adobe Reader on this computer is out-dated. Install the latest version of Adobe Reader available from Adobe.

The installed version of Adobe Flash Player ActiveX control on this computer is out-dated. Using Internet Explorer, install the latest version of Adobe Flash Player ActiveX available from Adobe.

Using Add or Remove Programs in the Control Panel; uninstall the following:

Java(TM) 6 Update 29

Run OTL.exe

• Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
  

  :OTLO2 - BHO: (Easy Photo Print) - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll File not foundO3 - HKLM\..\Toolbar: (Easy Photo Print) - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll File not foundO4 - Startup: C:\Documents and Settings\Margriet\Start Menu\Programs\Startup\Product Registration.lnk =  File not found[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ][1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ][2011-05-18 19:19:21 | 000,000,004 | ---- | C] () -- C:\WINDOWS\2706531.dat:Commands[Purity][EmptyTemp][EmptyFlash][EmptyJava][Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot when it is done
• Attach the new log produced by OTL (C:\_OTL). (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

[Margriet_]

Dear ShadowPuterDude,

Great! Thanks a lot.
My computer seems to be running normally, except that RadioWMPCoreGecko9.dll was still mentioned regularly when I downloaded the things you mentioned.
Emsisoft protested that a backdoor was being made while I tried to install Adobe Reader and Adobe Flash.
The OTL log is in the attachment.

With kind regards,
Margriet

Attached Files

•  01132012_094949.log   5.47K   21 downloads

[ShadowPuterDude]

The OTL fix did not run properly. Download OTLfix.txt, attached below. Open with notepad and copy & paste the fix to OTL and run the fix.

Attached Files

•  OTLfix.txt   703bytes   29 downloads

[Margriet_]

Dear ShadowPuterDude,

Thank you. I've done what you said and the new log is in the attachment.

With kind regards,
Margriet

Attached Files

•  01152012_210637.log   5.13K   20 downloads

[ShadowPuterDude]

How are things running?

[Margriet_]

Thinks are running well, thanks! I only still get the RadioWMPCoreGecko9.dll notice, but the rest is working well.

[ShadowPuterDude]

I only still get the RadioWMPCoreGecko9.dll notice, but the rest is working well.

That was most likely installed by a toolbar. Very like the, PsychoWerk Community Toolbar, which is a Conduit Toolbar by Conduit Ltd.. Uninstall the toobar from Firefox.

[ShadowPuterDude]

Thread Closed

Reason: Lack of Response

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread.