
Heuristic.Possible.MBR.Rootkit!E1 Removal did not help


25 replies to this topic

#1 lowie

    Member

  • Members
  • PipPip
  • 17 posts
  • OS:Windows 7 x64
  • AV:AVG free
  • Other:Advanced System Care 4 iobil

Posted 04 February 2012 - 03:49 PM

The Kaspersky TDSSKiller scan did not find anything. I still don't know how to remove this. Do you have other solutions? Can you please tell me if this rootkit is dangerous to my PC (XP and 7)?

regards, Lowie

Attached File  a2scan_120204-140924.txt   824bytes   31 downloads
Attached File  Extras.Txt   61.15K   23 downloads
Attached File  OTL.Txt   101.5K   24 downloads
Attached File  TDSSKiller.2.7.9.0_04.02.2012_13.47.12_log.txt   65.54K   32 downloads

#2 ShadowPuterDude

    Malware Removal Team Lead

  • Malware Removal Team
  • 5348 posts
  • LocationNorthern NY
  • OS:Windows XP

Posted 04 February 2012 - 07:39 PM

Download ComboFix from one of these locations:

Save it as Combo-Fix.exe during the download. ComboFix must be renamed before you download it to your Desktop.

Link 1
Link 2

* IMPORTANT !!! Save Combo-Fix to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    See HERE for help
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[screenshot]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot]


Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:
1. Do not mouseclick combofix's window while it's running. That may cause it to stall!
2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)
  • ComboFix (C:\combofix.txt)
Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
Kevin Zoll [Malware Removal Team Lead]
Purchase Emsisoft Anti-Malware and Online Armor Firewall
If I have helped you. You can Donate on PayPal.

"Only those who fail greatly can ever achieve greatly" - Robert F. Kennedy
Member - Alliance of Security Analysis Professionals - Since 2006


#3 lowie

Posted 07 February 2012 - 02:28 PM

Attached File  ComboFix.txt   20.96K   28 downloads

Hello, I did everything you suggested and this log is the result.
How will I hear from you again?

best wishes and thanks, Lowie

#4 ShadowPuterDude

Posted 08 February 2012 - 04:19 AM

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. NOT supported for use in 9x or ME

Upgrading Java:
  • Download the latest version of JRE 7 Update 2.
  • Click the "Download JRE" button to the right.
  • Accept the license agreement.
  • Click on the download link for your system and save it to your desktop.
    Windows x86 Offline (jre-7u2-windows-i586.exe)
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.(Vista/7 users, right click on the JRE download and select "Run as an Administrator.")
The installed version of Adobe Reader on this computer is outdated. Install the latest version of Adobe Reader available from Adobe.

Using Add or Remove Programs in the Control Panel; uninstall the following:
Java(TM) 6 Update 26
J2SE Runtime Environment 5.0 Update 6

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
    :OTL
    O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k File not found
    O4 - Startup: C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Status Monitor.lnk =  File not found
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O8 - Extra context menu item: &Block This Image (ABP) - C:\Program Files\Adblock Pro\blockimg.html File not found
    O8 - Extra context menu item: Save YouTube Video as MP3 - Reg Error: Value error. File not found
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} http://utilities.pcpitstop.com/Nirvana/controls/pcmatic.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No CLSID value found.
    [2012-02-04 14:35:01 | 000,000,466 | ---- | M] () -- C:\WINDOWS\tasks\At3.job
    [2012-02-04 14:00:04 | 000,000,466 | ---- | M] () -- C:\WINDOWS\tasks\At4.job
    [2012-02-04 13:59:45 | 000,018,432 | -H-- | M] () -- C:\logicinf.bin
    [2012-02-04 13:17:42 | 000,000,342 | ---- | M] () -- C:\win32log.ini
    [2012-01-21 20:40:00 | 000,000,466 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
    [2012-01-16 10:10:00 | 000,000,466 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
    [2012-01-11 15:43:35 | 000,001,468 | ---- | M] () -- C:\Documents and Settings\lowie teunis\Bureaublad\rundll32.lnk 
    @Alternate Data Stream - 266 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:2B11E0DF
    @Alternate Data Stream - 163 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:264B2CC4
    @Alternate Data Stream - 153 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:07BF512B
    @Alternate Data Stream - 150 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CD060F93
    @Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4
    @Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
    
    :Commands
    [Purity]
    [EmptyTemp]
    [EmptyFlash]
    [EmptyJava]
    [ResetHosts]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Attach the new log produced by OTL (C:\_OTL). (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)
Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


#5 lowie

Posted 08 February 2012 - 04:17 PM

Hello, there was no Java 7. I went from Java 6.26 to Java 6.30.

Attached File  02082012_160349 febr. 8.txt   11.49K   16 downloads

#6 lowie

Posted 08 February 2012 - 04:21 PM

Hello again. The trouble I am experiencing is that I cannot download two or more music http's that belong together and need each other for the output. Video http's go all right.
One goes all right, but two give only CRS failures or corrupted files or wrong password...


#7 ShadowPuterDude

Posted 08 February 2012 - 05:05 PM

lowie, on 08 February 2012 - 04:17 PM, said:

    Hello, there was no Java 7. I went from Java 6.26 to Java 6.30.

Yes there is, Java 7 has been out for several months. Did you go to the Oracle link I provided?

Download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please attach the log to your reply.



#8 lowie

Posted 09 February 2012 - 03:43 PM

Attached File  FSS.txt   3.49K   17 downloads

Hello again, I must have overlooked Java 7. I have it installed now. Thanks for all your help. The FSS text file is attached.

Lowie

#9 ShadowPuterDude

Posted 10 February 2012 - 12:38 AM

Services appear to be OK.

Download Windows Repair by Tweaking.com to your desktop. Use the direct download link for the Portable version of Windows Repair by Tweaking.com

  • Double-click tweaking.com_windows_repair_aio.zip and extract the Tweaking.com - Windows Repair folder to your desktop.
  • Now open this folder and double-click Repair_Windows.exe.
  • Click the Start Repairs tab on the far right.
  • Click Custom Mode so there is a bullet in it.
  • Click the Start button (bottom right)
    Note: When asked if you would like to create a restore point, it is recommended, just in case something does not go as planned.
  • Click Unselect All
  • Put a checkmark in the following items:
    • Reset Registry Permissions
    • Reset File Permissions
    • Remove Policies Set By Infections
    • Repair Proxy Settings
    Note: Leave everything else unchecked
  • Put a checkmark in Restart System When Finished
  • Now click the Start button (bottom right)

Still having problems?


#10 lowie

Posted 10 February 2012 - 08:01 AM

Hello, I did exactly as you said, but the rootkit is still there on my XP. I also have a laptop (7 x64) with the same problem.
Thank you again for helping me. Is there anything else I can do?

Thanks again, Lowie

#11 lowie

Posted 10 February 2012 - 08:06 AM

Hello again, yesterday I burned a DVD on my laptop with Nero and that went all right, so it does not influence Nero. I don't use the laptop that much; my main computer is the XP PC.

regards,
Lowie

#12 ShadowPuterDude

Posted 10 February 2012 - 07:20 PM

A Heuristic detection does not necessarily mean that an infection is present.

Let's see what you have for partitions.

Do the following:
Start -> Run
type diskmgmt.msc
Click "OK"

Disk Management will open.

Click and hold the right side of the Disk Management Window and drag it to the right until you can see all the columns.

Take a screenshot of the Disk Management window and attach the screenshot to your reply.


#13 lowie

Posted 11 February 2012 - 02:01 PM

Attached Image: SRFile2012_2_11_13_49_14_593.jpg

Hello, hope you can do something with this.

Around the time I got the rootkit I also got a big A on my Yahoo toolbar. I went to edit the toolbar but could not find it to delete it. (A few days before I had looked at Amazon sites and that is the A.)
And then my laptop got infected too, but with no big A on the Yahoo toolbar, just the rootkit.
Any thoughts on this?
Thanks for your help.

#14 ShadowPuterDude

Posted 12 February 2012 - 01:23 AM

Disk Management reports 4 partitions on drive 0, your TDSSKiller log from earlier shows 3 partitions on drive 0.

The last partition is Drive J and is set as the active partition, which is not the way things should be. Acers come with 3 partitions, PQSERVICE, Drive C, and Drive D. PQSERVICE is the hidden Acer restore partition and Drive C should be set as the active partition.

Preferably from a clean computer, I need you to download: gparted-live-0.10.0-3.iso (115.1 MB)

Create a bootable CD from the GParted Live CD ISO image. You can use ImgBurn to do this.

Now boot off of the newly created Gparted CD.

[screenshot]
You should be here...
Press ENTER

[screenshot]
By default, "do not touch keymap" is highlighted. Leave this setting alone and just press ENTER.

[screenshot]
Choose your language and press ENTER. English is default [33]

[screenshot]
Once again, at this prompt, press ENTER

You will now be taken to the main GUI screen below
[screenshot]
According to the Disk Management screenshot, the partition that you want to delete is 4.34 GB and should be the last partition on the drive.
Click the trash can icon to delete and then click Apply.

You should now be here confirming your actions:
[screenshot]

Now you should be here:
[screenshot]

[screenshot]
Is "boot" next to your OS drive?

If "boot" is not next to your OS drive under "Flags", right-mouse click the OS drive while in Gparted and select Manage Flags

This should be the second partition on the drive labeled as ACER, which is Drive C.

In the menu that pops up, place a checkmark in boot like the picture below:
[screenshot]

Now double-click the button shown in the screenshot below.
[screenshot]

You should receive a small pop up like this:
[screenshot]
Choose reboot and then press OK.

Get a fresh screenshot from Disk Management.

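The partition-table check in the post above (four entries where three were expected, and the active flag sitting on the last partition instead of on Drive C) can be made directly against sector 0 of the disk instead of being read off a Disk Management screenshot. The following is an added example, not a tool from the original thread or from the helper: it parses a 512-byte MBR, reports which entry carries the 0x80 boot indicator, checks for overlapping or malformed entries, and shows what GParted's "boot" flag edit actually changes in the table. SAMPLE_MBR is constructed for this example in the shape the thread describes (hidden recovery partition, C:, D:, and a fourth ~4.34 GB partition wrongly marked active); the partition type codes, LBA offsets and the `\\.\PhysicalDrive0` device path in `read_live_mbr` are assumptions, and that function is Windows-only and needs administrator rights.

```python
"""Parse an MBR partition table and audit the active (boot) flag.

Added example for this thread, not a tool from the original post.
SAMPLE_MBR below is constructed; type codes and offsets are assumptions.
"""
import struct
from typing import Dict, List

SECTOR_SIZE = 512
TABLE_OFFSET = 446          # the four 16-byte partition entries start here
ENTRY_SIZE = 16
ACTIVE = 0x80               # boot-indicator value of the active partition
MBR_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR


def parse_mbr(mbr: bytes) -> List[Dict]:
    """Return the four primary-partition entries of a 512-byte MBR."""
    if len(mbr) < SECTOR_SIZE:
        raise ValueError("MBR must be at least 512 bytes")
    if mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for index in range(4):
        offset = TABLE_OFFSET + index * ENTRY_SIZE
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
        status, _chs_start, ptype, _chs_end, start_lba, sectors = \
            struct.unpack_from("<B3sB3sII", mbr, offset)
        entries.append({
            "index": index,            # 0-based slot in the table
            "status": status,
            "type": ptype,
            "start_lba": start_lba,
            "sectors": sectors,
            "empty": ptype == 0 and sectors == 0,
        })
    return entries


def audit_boot_flags(entries: List[Dict], expected_active: int) -> List[str]:
    """Return human-readable findings; an empty list means the table looks sane."""
    findings = []
    for e in entries:
        if e["status"] not in (0x00, ACTIVE):
            findings.append(f"entry {e['index'] + 1}: status byte "
                            f"0x{e['status']:02x} is neither 0x00 nor 0x80")
    active = [e["index"] for e in entries if e["status"] == ACTIVE]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    elif active[0] != expected_active:
        findings.append(f"active flag is on entry {active[0] + 1}, "
                        f"expected entry {expected_active + 1}")
    # Overlapping entries: sort by start LBA and check each begins after the previous ends.
    used = sorted((e for e in entries if not e["empty"]), key=lambda e: e["start_lba"])
    for a, b in zip(used, used[1:]):
        if b["start_lba"] < a["start_lba"] + a["sectors"]:
            findings.append(f"entries {a['index'] + 1} and {b['index'] + 1} overlap")
    return findings


def set_active(mbr: bytes, index: int) -> bytes:
    """Copy of the MBR with the boot flag on `index` only (what GParted's boot flag edits)."""
    buf = bytearray(mbr)
    for i in range(4):
        buf[TABLE_OFFSET + i * ENTRY_SIZE] = ACTIVE if i == index else 0x00
    return bytes(buf)


def read_live_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Windows only, needs administrator rights: sector 0 of the first disk (assumed path)."""
    with open(device, "rb") as disk:
        return disk.read(SECTOR_SIZE)


def _entry(status: int, ptype: int, start_lba: int, sectors: int) -> bytes:
    return struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", start_lba, sectors)


# Constructed sample: four partitions laid out back to back, boot flag on the
# fourth entry instead of the second (C:), mirroring the thread's screenshot.
SAMPLE_MBR = (
    b"\x00" * TABLE_OFFSET
    + _entry(0x00, 0x27, 2_048, 20_971_520)         # hidden vendor recovery partition
    + _entry(0x00, 0x07, 20_973_568, 209_715_200)   # C: (should be active)
    + _entry(0x00, 0x07, 230_688_768, 209_715_200)  # D:
    + _entry(ACTIVE, 0x07, 440_403_968, 9_103_360)  # J: ~4.34 GB, wrongly active
    + MBR_SIGNATURE
)

if __name__ == "__main__":
    for finding in audit_boot_flags(parse_mbr(SAMPLE_MBR), expected_active=1):
        print("!", finding)
    print("after set_active(1):",
          audit_boot_flags(parse_mbr(set_active(SAMPLE_MBR, 1)), expected_active=1))
```

Read the sector from outside the suspect operating system, as the GParted boot in the post does: a bootkit that hooks disk reads can hand back a clean sector 0 to anything that asks from inside Windows, which is one way a heuristic MBR detection and a scanner that finds nothing can both be reporting honestly. Comparing the entry count and the active flag against what Disk Management and TDSSKiller each reported is the useful check; two views of the same table that disagree is a finding in itself.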

#15 lowie

Posted 12 February 2012 - 02:23 PM

I did have a second hard disk put in (K). Does this influence your answer above?

#16 lowie

Posted 12 February 2012 - 02:28 PM

Will I lose files on drive D?

#17 ShadowPuterDude

Posted 13 February 2012 - 12:32 AM

You will not lose the files on D; the only thing you are doing is removing the 4th partition on PhysicalDrive0, which is the first HDD in the system, and making Drive C the active or boot partition on PhysicalDrive0.

Drive K is PhysicalDrive1, which will not be affected.


#18 lowie

Posted 13 February 2012 - 06:41 AM

Could you please explain to me how to make an ISO disk with ImgBurn? I tried to and now have a disk with several folders like [boot], .disk, EFI, isolinux, live, syslinux, utils, and two files: COPYING and Gpartedli..
Shouldn't it start by itself?

#19 ShadowPuterDude

Posted 13 February 2012 - 09:07 PM

You cannot use the CD in Windows. You have to boot from the CD, as in start your system with the CD in the CD drive. If your CD drive is not set as the first boot device in BIOS then you will need to change the boot order in BIOS at system start.


#20 lowie

Posted 14 February 2012 - 02:38 PM

I am very nervous about all this. Will this remove my rootkit? I am not a computer expert and am afraid to ruin something.

#21 lowie

Posted 14 February 2012 - 03:54 PM

Did it anyway: restarted my XP, pushed F12, chose "start up from CD-ROM" and pushed Enter. Nothing happened: Windows just started up.
Have you seen the contents of my CD? It is all folders. Even the "boot" is a folder. How can you start up from a boot FOLDER???

#22 ShadowPuterDude

Posted 15 February 2012 - 01:19 AM

You must enter bios and set the CD drive to the first boot device. Using F12 to boot from the CD will not work.


#23 lowie

Posted 16 February 2012 - 05:11 PM

I am sorry, I don't want to go any further. Changes have occurred because of all the programs you suggested I run and I just don't understand it anymore. I'll wait till Emsisoft Anti-Malware can remove rootkits. The rootkit I have now does not seem to affect my PC or my laptop. Thanks very much for all your help, but I've got many other things to do and am not well. This is my last message.

#24 ShadowPuterDude

Posted 16 February 2012 - 10:22 PM

lowie, on 16 February 2012 - 05:11 PM, said:

    I am sorry, I don't want to go any further. Changes have occurred because of all the programs you suggested I run and I just don't understand it anymore. I'll wait till Emsisoft Anti-Malware can remove rootkits. The rootkit I have now does not seem to affect my PC or my laptop. Thanks very much for all your help, but I've got many other things to do and am not well. This is my last message.

The tools I have you using are not making changes to the system. They are being used to specifically remove the malware present on your system.

I cannot advise more strongly against continued use of an infected system, especially one that has an active rootkit. Continue to use your PC at your own peril. When your personal information and bank accounts are compromised, it will not be our fault. You were warned.


#25 lowie

Posted 18 February 2012 - 01:43 PM

I can not thank you enough for your help, please believe me. That there is no result is less important than your help.

All the best wishes, Lowie

#26 ShadowPuterDude

Posted 18 February 2012 - 09:43 PM

Thread Closed

Reason:
Poster no longer desires to continue.

PM either ShadowPuterDude, or JeanInMontana to have this thread reopened.

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread.
