
Rootkit Trojan Can't be Automatically Removed


This topic is locked
12 replies to this topic

#1 tckqbq

tckqbq

    New Member

  • Members
  • Pip
  • 6 posts
  • OS: Windows XP
  • AV: McAfee
  • Other: Malwarebytes, Ad-Aware

Posted 14 February 2012 - 08:15 PM

Here are the reports.

Also, received error report that C:\$mft is corrupt

#2 GT500

GT500

    Emsisoft Support

  • Emsisoft Employee
  • 3174 posts
  • Location: Fortville, IN, USA
  • OS: Windows 7 x64
  • AV: Emsisoft Anti-Malware
  • Other: Malwarebytes Anti-Malware 2.x Beta

Posted 14 February 2012 - 08:24 PM

Please download ComboFix from one of the following links, and follow the instructions below to run it. Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop

Link 1
Link 2

* IMPORTANT !!! Save Combo-Fix to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    See HERE for help
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:
1. Do not mouse-click ComboFix's window while it's running. That may cause it to stall!
2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)
  • ComboFix (C:\combofix.txt)
Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
Best regards,

Arthur Wilkinson [Support/Quality Assurance]
Emsisoft Team - www.emsisoft.com

#3 tckqbq

tckqbq

    New Member

  • Members
  • Pip
  • 6 posts
  • OS: Windows XP
  • AV: McAfee
  • Other: Malwarebytes, Ad-Aware

Posted 15 February 2012 - 04:43 PM

ComboFix took hours to run, and there were numerous error messages, including that the system could not find the file NIRKMD, and numerous files were corrupt and unreadable.

It finally came to the window stating that a report was being prepared, but then it froze and no report was created.

#4 GT500

GT500

    Emsisoft Support

  • Emsisoft Employee
  • 3174 posts
  • Location: Fortville, IN, USA
  • OS: Windows 7 x64
  • AV: Emsisoft Anti-Malware
  • Other: Malwarebytes Anti-Malware 2.x Beta

Posted 15 February 2012 - 04:55 PM

Did you turn off your anti-virus software before running ComboFix? Most anti-virus software will prevent ComboFix from running properly.

Since ComboFix had issues, go ahead and follow the instructions at this link for running TDSSKiller, and remove anything it finds. Let me know if it detected anything.
Best regards,

Arthur Wilkinson [Support/Quality Assurance]
Emsisoft Team - www.emsisoft.com

#5 tckqbq

tckqbq

    New Member

  • Members
  • Pip
  • 6 posts
  • OS: Windows XP
  • AV: McAfee
  • Other: Malwarebytes, Ad-Aware

Posted 15 February 2012 - 05:48 PM

Anti-virus was turned off, however I believe McAfee may have come back on after ComboFix rebooted the system. Should I run it again?

I did get a message that rootkit.ZeroAccess had inserted itself into the tcp/ip stack, and also that rootkit was detected.

I will run TDSSKiller.

#6 GT500

GT500

    Emsisoft Support

  • Emsisoft Employee
  • 3174 posts
  • Location: Fortville, IN, USA
  • OS: Windows 7 x64
  • AV: Emsisoft Anti-Malware
  • Other: Malwarebytes Anti-Malware 2.x Beta

Posted 15 February 2012 - 06:02 PM

Run TDSSKiller first. We can run ComboFix after it is done. ZeroAccess could be the reason why ComboFix couldn't finish.
Best regards,

Arthur Wilkinson [Support/Quality Assurance]
Emsisoft Team - www.emsisoft.com

#7 tckqbq

tckqbq

    New Member

  • Members
  • Pip
  • 6 posts
  • OS: Windows XP
  • AV: McAfee
  • Other: Malwarebytes, Ad-Aware

Posted 15 February 2012 - 07:02 PM

TDSSKiller found IPSec: Virus.Win32.ZAccess.c

#8 GT500

GT500

    Emsisoft Support

  • Emsisoft Employee
  • 3174 posts
  • Location: Fortville, IN, USA
  • OS: Windows 7 x64
  • AV: Emsisoft Anti-Malware
  • Other: Malwarebytes Anti-Malware 2.x Beta

Posted 15 February 2012 - 07:04 PM

OK, go ahead and disable McAfee, and then try running ComboFix again.
Best regards,

Arthur Wilkinson [Support/Quality Assurance]
Emsisoft Team - www.emsisoft.com

#9 tckqbq

tckqbq

    New Member

  • Members
  • Pip
  • 6 posts
  • OS: Windows XP
  • AV: McAfee
  • Other: Malwarebytes, Ad-Aware

Posted 16 February 2012 - 12:51 AM

As I received numerous messages that I needed to run chkdsk, I ran chkdsk. The disk was cleaned up, and now it won't boot past the message that says the disk is clean.

#10 GT500

GT500

    Emsisoft Support

  • Emsisoft Employee
  • 3174 posts
  • Location: Fortville, IN, USA
  • OS: Windows 7 x64
  • AV: Emsisoft Anti-Malware
  • Other: Malwarebytes Anti-Malware 2.x Beta

Posted 16 February 2012 - 04:12 PM

Was it able to boot before running a chkdsk?

Do you have a Windows XP CD (or at least an ISO image of a Windows XP CD)? You should be able to recover your computer with a UBCD4Win disk, but you need a Windows XP disk (or possibly a Windows 2003 disk) in order to build a UBCD4Win disk.
Best regards,

Arthur Wilkinson [Support/Quality Assurance]
Emsisoft Team - www.emsisoft.com

#11 tckqbq

tckqbq

    New Member

  • Members
  • Pip
  • 6 posts
  • OS: Windows XP
  • AV: McAfee
  • Other: Malwarebytes, Ad-Aware

Posted 16 February 2012 - 08:26 PM

It was able to boot before running chkdsk.

I do have an XP CD.

#12 GT500

GT500

    Emsisoft Support

  • Emsisoft Employee
  • 3174 posts
  • Location: Fortville, IN, USA
  • OS: Windows 7 x64
  • AV: Emsisoft Anti-Malware
  • Other: Malwarebytes Anti-Malware 2.x Beta

Posted 16 February 2012 - 09:10 PM

OK, here is a link to instructions on how to build a UBCD4Win disk. Note that you will need a blank CD and a CD burner so that you can burn the ISO image to a disk. Let me know if you need any help with that part.

Once you have created a UBCD4Win disk, you will need to start your computer up off of it. When you first turn your computer on, there should be a button on your keyboard that you can press to open what is usually called the "Boot Menu". Your computer will tell you what button to press. Most will say it in one of the corners of the screen, and Toshibas will have it below the Toshiba logo in the middle. Once you get the Boot Menu open, select your CD or DVD drive, make sure the UBCD4Win disk is in the drive, and press Enter on your keyboard.

Before starting up, you will be presented with a menu of options. Make sure that Launch "The Ultimate Boot CD For Windows" is selected (it should be highlighted in black) and then press Enter. If you don't do anything, then it should start automatically after 20 or 30 seconds.

It may take several minutes to start up, since it is essentially loading a Windows environment off of a CD. Once it is done, you will see a Windows XP desktop (if you see any options as it is starting up, then you can ignore them, and it will continue loading after a few seconds).

Once the desktop starts to load, it will ask you if you want to start network support. You can tell it No unless you want to pull up the instructions on the Internet, or unless you feel you will need Internet access at any point during the process.

There is an icon on the desktop for EZPCFix, however when I click on it I get an error message, so I assume that it won't work for you either (it probably needed a plugin to be enabled in order to work properly).

Go ahead and click on the Start button, go to Programs, go to Disk Tools, go to Diagnostic, and go to Check Disk. In the window that pops up, type in the letter of the drive you want to scan, such as C: and then press Enter on your keyboard. You can answer n for 'no' to the question about scanning for bad sectors. Make sure you answer y for 'yes' to the question about fixing errors. And then confirm y for 'yes' if you entered everything correctly. It will begin a check of your hard drive, and fix anything that is wrong with the filesystem.

If that does not work, then please let me know, and we can go from there.
Best regards,

Arthur Wilkinson [Support/Quality Assurance]
Emsisoft Team - www.emsisoft.com

#13 Kevin Zoll

Kevin Zoll

    Malware Removal Support

  • Emsisoft Employee
  • 11647 posts
  • Location: Depauville, NY, USA
  • OS: Windows Vista
  • AV: Emsisoft Anti-Malware
  • HIPS: Online Armor
  • Other: WinPatrol Plus

Posted 20 February 2012 - 04:01 AM

Thread Closed

Reason:
Lack of Response

PM either ShadowPuterDude, or GT500 to have this thread reopened.

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread.
Kevin Zoll [Customer Support]
Emsisoft Team - www.emsisoft.com
 
If you are seeking Malware Removal support keep it in the forums.  It is not permissible to contact support staff by Private Messege (PM), IM (Skype, MSN, AOL, Yahoo, etc.) or Email.

Purchase Emsisoft Anti-Malware and Online Armor Firewall




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users