bar

rootkit problem


Attached are results for EEK and OTL scans. I am sending these from a different computer as my computer will not let me get on your site. I do not get the security or verification text boxes. My computer is very sluggish and I get sent to strange sites on the internet. The original scan report with your malware program is also attached. Thanks, bar


Please post a RogueKiller log by following the instructions below:

  1. Download RogueKiller from this link, and copy it to the desktop of the infected computer.
  2. Run RogueKiller (please note that if it doesn't work the first time, you can try it again several times and it may start to work):
    • On Windows XP make sure you are logged in as an administrator and double-click on the RogueKiller icon.
    • On Windows 7 and Vista simply right-click on the RogueKiller icon, and select to Run as administrator.
  3. Click the Scan button in the upper-right corner (don't worry about the rest of the options for now).
  4. In the middle, on the left, it will tell you the status. When it says Scan Finished, then please close RogueKiller. It will warn you that nothing has been deleted and ask you if you want to quit, so be sure to click the Yes button.
  5. There will be a new file and folder saved on your desktop. The folder (usually named RK_Quarantine) can be deleted. The file (usually named RKreport or RKreport[1]) contains the log.
  6. Please attach the RKreport file to a reply by using the More Reply options button to the lower-right of where you type in your reply.


Attempted to run RogueKiller several times. It does the prescan and comes up with a note: status killed, type SVChost, pid 5156, name svchost.exe, path \\.\globalroot\systemroot\svchost.exe. When I run the scan it finds 2 Key type HJ files, then crashes as it is reading the MBR. Don't know if this helps. No report is generated except for the quarantine file. What should I try next?

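The RogueKiller prescan note above reports svchost.exe loaded from \\.\globalroot\systemroot\svchost.exe rather than from the System32 directory where the genuine binary lives. As an added illustration of how a defender can check that kind of indicator on a process listing (example code written for this page, not RogueKiller's own logic; the EXPECTED_DIRS table, the device-prefix list and the sample process records are this example's own assumptions, with only pid 5156 and its path taken from the note above):

```python
"""Flag processes whose image name matches a Windows system binary but whose
image path is not where that binary normally lives.

Added example written for this page; it is not RogueKiller's own logic. The
process records below are constructed: pid 5156 and its path mirror the
RogueKiller prescan note quoted in the thread, the others are invented."""
import ntpath

# Where the genuine copies of these binaries live on a default Windows install
# (assumption: %SystemRoot% is C:\Windows; adjust for other layouts).
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows"},
    "winlogon.exe": {r"c:\windows\system32"},
    "userinit.exe": {r"c:\windows\system32"},
}

# Object-namespace prefixes that a process listing normally never shows for an
# ordinary image; RogueKiller reported the \\.\globalroot\ form in the thread.
DEVICE_PREFIXES = ("\\\\.\\globalroot\\", "\\??\\", "\\device\\")

# Constructed sample listing: (pid, process name, image path).
SAMPLE_PROCESSES = [
    (4, "System", ""),
    (620, "winlogon.exe", r"C:\Windows\System32\winlogon.exe"),
    (1204, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    (5156, "svchost.exe", r"\\.\globalroot\systemroot\svchost.exe"),
    (4242, "explorer.exe", r"C:\Users\user\AppData\Roaming\explorer.exe"),
]


def assess_process(name, path):
    """Return the reasons a process looks suspicious; an empty list means fine."""
    reasons = []
    lname, lpath = name.lower(), path.lower()
    if not lpath:
        return reasons  # kernel pseudo-processes carry no image path
    if lpath.startswith(DEVICE_PREFIXES):
        reasons.append("image path uses a device/object-namespace prefix")
    if lname in EXPECTED_DIRS and ntpath.dirname(lpath) not in EXPECTED_DIRS[lname]:
        reasons.append(f"{name} is running from {ntpath.dirname(lpath)!r}")
    if ntpath.basename(lpath) != lname:
        reasons.append("process name does not match the image file name")
    return reasons


def triage(processes):
    """Map pid -> reasons for every process that raised at least one reason."""
    flagged = {}
    for pid, name, path in processes:
        reasons = assess_process(name, path)
        if reasons:
            flagged[pid] = reasons
    return flagged


if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_PROCESSES).items():
        print(pid, "->", "; ".join(reasons))
```

On the sample listing only pid 5156 (the globalroot svchost.exe) and pid 4242 (an explorer.exe under a user profile) are flagged; the genuine System32 copies pass. A real listing would come from Task Manager, Process Explorer or a tool like RogueKiller, and the path check is only a triage hint, not proof of infection.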

Please download Rkill from one of the links below (you may wish to download all 7 of them and transfer them to the infected computer):

  1. rkill.exe
  2. rkill.com
  3. rkill.scr
  4. eXplorer.exe
  5. iExplore.exe
  6. WiNlOgOn.exe
  7. uSeRiNiT.exe

The reason why there are 7 of them, each with a different name (and some of them with very funny names), is because some infections like to block security software from running. Start with the first one, and if it doesn't work then try the next one, and so on until you find one that works.

Once you get one of the Rkill downloads to work, please run it a second time to make sure that it is no longer able to find any malicious processes still running. If it finds more, run it again to make sure that Rkill was able to stop any malicious processes still running on your computer.

After running Rkill, please proceed with my previous instructions (getting the RogueKiller log), and if everything works OK then attach the log to a reply when it is done.


Ran the many Rkill programs all weekend but still could not get RogueKiller to stop crashing during the scan of the MBR. Could not generate a log. The Rkill programs showed the same results each time, even when run numerous times in succession. Also tried deleting and re-downloading RogueKiller; it didn't make any difference. What else can I try? Thanks


Please get me a log from TDSSKiller by following the instructions below:

  1. Download TDSSKiller from this link and save it on your desktop.
  2. Run the TDSSKiller download that you saved.
  3. Click on Change parameters as it shows in the following screenshot:
    tdsskiller_report_001.png
  4. Make sure that Verify digital signatures and Detect TDLFS file system are checked as in the following screenshot, and then click OK:
    tdsskiller_report_002.png
  5. Click the Start scan button as in the following screenshot:
    tdsskiller_report_003.png
  6. You will see the following as the scan runs:
    tdsskiller_report_004.png
  7. If there are any threats or malicious items detected, then make sure the option to the right of each item is set to Skip as in the following screenshot (it is very important that TDSSKiller not be allowed to Cure, Quarantine, or Delete these detections!). Note that you can click on the selected action to open a list and change it if it is not set to Skip automatically; then click Continue at the bottom when everything is set to Skip:
    tdsskiller_report_005.png
  8. Click on Report in the upper-right corner, as in the following screenshot:
    tdsskiller_report_006.png
  9. You will see a report similar to the one in the following screenshot. Please click in the report somewhere, then hold down the Ctrl key on your keyboard and tap the A key to select the entire report.
    tdsskiller_report_007.png
  10. Once everything is selected, then it should look similar to the following screenshot, and you will be able to hold down the Ctrl key on your keyboard and tap the C key to copy the entire report.
    tdsskiller_report_008.png
  11. Open Notepad by clicking on the Start button, going to All Programs (or just Programs in Windows 7 and Vista), then Accessories, and clicking on Notepad in the list.
  12. Once Notepad has opened, click on Edit to open the Edit menu, and then click Paste, as in the following screenshot:
    tdsskiller_report_009.png
  13. Once the report has been pasted into Notepad, click File to open the File menu, and then click Save as, as in the following screenshot. Please save the report on your desktop and attach it to a reply by using the More Reply Options button to the lower-right of where you type in your reply.
    tdsskiller_report_010.png


OK, there is definitely a rootkit infection. It should be removable; however, I feel I should warn you that when removing some rootkits it is possible to lose your Internet connection, and in more extreme cases it could cause your computer to fail to start up.

Download the latest version of TDSSKiller from here and save it to your Desktop (I know this is somewhat redundant if you still have TDSSKiller, however they do update it from time to time).

  1. Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
    tdss_1.jpg
  2. Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
    tdss_2.jpg
  3. Click the Start Scan button.
    tdss_3.jpg
  4. If a suspicious object is detected, the default action will be Skip; click on Continue.
    tdss_4.jpg
  5. If malicious objects are found, they will show in the Scan results and offer three (3) options.
  6. Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
    tdss_5.jpg
  7. Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please attach that report to your next reply.


OK, let's go ahead and move on to ComboFix. I just wanted the RogueKiller log to make sure that there wasn't a ZeroAccess infection, and TDSSKiller has verified that ZeroAccess is not present. ;)

Please download ComboFix from one of the following links, and follow the instructions below to run it. Save it as Combo-Fix.exe during the download. ComboFix must be renamed before you download it to your Desktop.

Link 1

Link 2

* IMPORTANT !!! Save Combo-Fix to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.
    See HERE for help
  • Double-click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

whatnext.png

Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:

1. Do not mouse-click ComboFix's window while it's running. That may cause it to stall!

2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

  • ComboFix (C:\combofix.txt)

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


Attached is the ComboFix log. I cannot get on the internet from the computer now. I get a box that says

C:\Program Files (x86)\Internet Explorer\iexplore.exe

Illegal operation attempted on a registry key that has been marked for deletion

Help


Please follow the instructions at this link to start your computer in Safe Mode With Networking, and let me know if that helps. I'll take a look at your ComboFix log.


I'm not seeing anything in your ComboFix log that would explain the error messages. Let's get a fresh OTL log and see if it can tell us what happened.

Please run OTL by following the instructions below:

  1. Click this link to save OTL onto your desktop (please make sure to click 'Save' instead of 'Run').
  2. Double-click on the OTL icon on your desktop to run it. Make sure all other windows are closed and let it run uninterrupted.
  3. Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan will take a few minutes.
  4. When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. The first one (OTL.txt) will be automatically saved on your desktop next to OTL, and the second one will need to be saved manually.
  5. Please make sure that both OTL.txt and Extras.txt are saved on your desktop, and then attach both of them to a reply so that we can take a look at them.


Attached is otl.txt. Extras never appeared, so I couldn't save it. I can run it again if you need it. Everything seems to be working after I did the restart. Let me know what else I need to do.


I have written a cleanup script for OTL (if you need to, you may download OTL from this link).

  1. Please copy the contents of the following CODE box, and in OTL under the Custom Scans/Fixes box at the bottom, paste in what you just copied from the following CODE box:
    :OTL
    IE - HKCU\..\URLSearchHook:  - No CLSID value found
    IE - HKCU\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
    IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
    IE - HKCU\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/?q={searchTerms}&AF=108714&babsrc=SP_ss&mntrId=3ad6c62d000000000000701a04a7fc5a
    IE - HKCU\..\SearchScopes\{35F13640-21F5-4C96-AC97-0C05689AA9C2}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=ARCD&o=102810&src=kw&q={searchTerms}&locale=en_US&apn_ptnrs=8W&apn_dtid=YYYYYYSVUS&apn_uid=05512adf-0d62-4ca3-8be5-af722c7acdc9&apn_sauid=119F5D15-4550-417B-9CC4-14BFB6A0AA59
    IE - HKCU\..\SearchScopes,DefaultScope = {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}
    IE - HKCU\..\SearchScopes\{90E2EC71-0346-4D81-9690-11A368762396}: "URL" = http://ws.infospace.com/playsushi_tbar/ws/redir?_iceUrl=true& user_id=%userid&tool_id=60231&qkw={searchTerms}
    O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
    O2 - BHO: (Babylon toolbar helper) - {2EECD738-5844-4a99-B4B6-146BF802613B} - C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\bh\BabylonToolbar.dll File not found
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
    O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
    O3:64bit: - HKLM\..\Toolbar: (no name) - !{98889811-442D-49dd-99D7-DC866BE87DBC} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - !{98889811-442D-49dd-99D7-DC866BE87DBC} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
    O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
    O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
    
    :Commands
    [EMPTYTEMP]


  2. Then click the Run Fix button at the top.
  3. Let the program run unhindered, restart your computer when it is done (it may automatically restart your computer on its own).
  4. After your computer has restarted, please open OTL again and click the Quick Scan button. Attach the log it produces in your next reply (just the OTL log, as I don't need to see the Extras log again). You will need to click the button that says More Reply Options to the lower-right of where you type your reply to be presented with the attachment controls.


I ran OTL and it rebooted. After booting up, an OTL txt file appeared (reboototl.txt). I have attached it. Also ran Quick Scan and have attached that file (otl2.txt).


From what I can see in your logs, when you copied and pasted the script into OTL it all ran together on a single line (which means that OTL was not able to read the script). May I ask what web browser you were using when you followed my instructions for the OTL script? I tested this in Internet Explorer 8 and Opera 11.62, and the script copied properly, so I'm curious as to why it didn't copy properly when you tried it.

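Two things in this thread invite a quick pre-flight check on an OTL fix script: the script itself (the :OTL entries and the :Commands section posted earlier) and the failure just described, where the pasted script collapsed onto a single line and OTL could not read it. The Python below is an added example written for this page, not OTL's own parser; OTL's syntax is known here only from the script posted in the thread, and SAMPLE_SCRIPT is a constructed, shortened copy of that script. It reports the collapsed-line condition and leaked forum markup, and summarises which registry hooks, DLLs and search-redirect hosts the script touches so they can be reviewed before clicking Run Fix:

```python
"""Check an OTL fix script for layout problems and summarise what it will touch.

Added example written for this page; it is not OTL's own parser, and OTL's
syntax is known here only from the script posted in the thread. SAMPLE_SCRIPT
is a constructed, shortened copy of that script."""
import re
from urllib.parse import urlsplit

SAMPLE_SCRIPT = r""":OTL
IE - HKCU\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
IE - HKCU\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/?q={searchTerms}
O2 - BHO: (Babylon toolbar helper) - {2EECD738-5844-4a99-B4B6-146BF802613B} - C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\bh\BabylonToolbar.dll File not found
O3 - HKLM\..\Toolbar: (no name) - !{98889811-442D-49dd-99D7-DC866BE87DBC} - No CLSID value found.
:Commands
[EMPTYTEMP]
"""

SECTION_RE = re.compile(r"^:[A-Za-z]+$")        # a section header on its own line
COLLAPSED_RE = re.compile(r"\s:[A-Za-z]+\b")    # a header buried mid-line
BBCODE_RE = re.compile(r"\[/?(?:b|i|u|url|code)\]", re.IGNORECASE)
ENTRY_RE = re.compile(r"^(IE|O2|O3)(?::64bit:)? - ")
URL_RE = re.compile(r'"URL" = (\S+)')
DLL_RE = re.compile(r"[A-Za-z]:\\.*?\.dll", re.IGNORECASE)
DANGLING = ("File not found", "No CLSID value found")


def check_layout(text):
    """Return the problems that would stop OTL from reading the script."""
    problems = []
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        return ["script is empty"]
    if len(lines) == 1 and COLLAPSED_RE.search(lines[0]):
        problems.append("entire script has collapsed onto one line; paste it again with its line breaks")
    if not SECTION_RE.match(lines[0]):
        problems.append("first line must be a section header such as :OTL")
    for n, ln in enumerate(lines, 1):
        m = BBCODE_RE.search(ln)
        if m:
            problems.append(f"line {n}: forum markup {m.group(0)!r} leaked into the script")
    return problems


def summarize(text):
    """Summarise entries by type, dangling references, DLLs and search hosts."""
    summary = {"entries": {}, "search_hosts": set(), "dlls": set(), "dangling": 0, "commands": []}
    section = None
    for ln in text.splitlines():
        ln = ln.strip()
        if not ln:
            continue
        if SECTION_RE.match(ln):
            section = ln[1:]
            continue
        if section == "Commands":
            summary["commands"].append(ln)
            continue
        m = ENTRY_RE.match(ln)
        if not m:
            continue
        kind = m.group(1)
        summary["entries"][kind] = summary["entries"].get(kind, 0) + 1
        if any(marker in ln for marker in DANGLING):
            summary["dangling"] += 1  # the entry points at something already gone
        u = URL_RE.search(ln)
        if u and urlsplit(u.group(1)).hostname:
            summary["search_hosts"].add(urlsplit(u.group(1)).hostname)
        summary["dlls"].update(DLL_RE.findall(ln))
    return summary


if __name__ == "__main__":
    print("layout problems:", check_layout(SAMPLE_SCRIPT) or "none")
    for key, value in summarize(SAMPLE_SCRIPT).items():
        print(f"{key}: {value}")
```

Paste the script you intend to run into SAMPLE_SCRIPT (or read it from the OTL_Script file) and run the module: a clean script reports no layout problems, while the single-line paste seen in this thread is reported as collapsed so it can be re-copied before anything is removed.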

I'm going over the possible causes of this issue with the developer of OTL. For now, I'll just attach the script to this message, and you can try again. Download the following file, and save it on your desktop:

Now open OTL, then open the OTL_Script file, and then copy and paste the contents into OTL's Custom Scans/Fixes box. After that, click the Run Fix button to start the fix, and attach the logs just like last time.


Here are the OTL reports from after the reboot and after the Quick Scan. Everything seemed to go fine this time.


OK, that log looks a lot better. ;)

Let's move on to an online virus scan. Please run an online virus scan through ESET by following the steps below:

  1. Turn off your anti-virus software.
  2. Click on this link.
  3. Click on the ESET Online Scanner button.
  4. Put a check in the box that says YES, I accept the Terms of Use.
  5. Click the 'Start' button just to the right of the checkbox.
  6. Uncheck the box that says Remove found threats (this is very important).
  7. Click on Advanced settings.
  8. Put a check in the box that says Scan for potentially unsafe applications.
  9. Verify that Scan for potentially unwanted applications is also checked.
  10. Verify that Enable Anti-Stealth technology is also checked.
  11. Click the Start button in the lower-right corner of the page, and it will begin downloading its database, and then it will start scanning.
  12. When the scan is done, if it shows a screen that says Threats found!, then click List of found threats, and then click Export to text file... (if nothing was found, then just let me know that no threats were found).
  13. Save that text file on your desktop, and then attach it to a reply (using the More Reply Options button in the lower-right corner of this forum topic) for me.
  14. Close the ESET online scan.

I will take a look at the log, and let you know if anything needs to be removed.


Those detections are just backups that TDSSKiller made after repairing files. They can't harm your computer unless you restore them from the quarantine in TDSSKiller (which is something you don't want to do in this case).

Oh, BTW, we figured out why that OTL script was running together on a single line like that. It has to do with an issue that Internet Explorer 9 has on this type of forum. Fortunately there's a fix that we can apply to our forums for it.

Anyway, it looks like your computer is clean. If you run a scan with Emsisoft Anti-Malware, does it detect anything?


It shows 10 infections but they are all located in TDSS Quarantine. I did not do anything else. Are we good?


Yes. Here are some final instructions for you:

1. Make Sure Java is Updated:

  1. Click on the Start button.
  2. Click on Control Panel.
  3. Click Uninstall a program.
  4. Look for Java in the list (should be alphabetical), and uninstall all versions of Java that you find listed.
  5. Click on this link and download and install the latest Java (the Windows Online download will be faster).

2. Make Sure Adobe Flash is Updated:

  1. Click on this link and download the latest version of Adobe Flash Player for your web browser.
  2. You will need to close your web browser when installing Flash.

3. Make Sure Adobe Acrobat Reader is Updated:

  1. Click on the Start button.
  2. Click on Control Panel.
  3. Click Uninstall a program.
  4. Look for any versions of Adobe Reader or Adobe Acrobat Reader in the list (should be alphabetical), and uninstall all of them (if you have Adobe Acrobat, which is the premium software from Adobe, then you do not need to uninstall it).
  5. Click on this link to go to the Adobe Reader download page, make sure to unselect any offers for toolbars or other free software, and download and install the latest version of Adobe Reader.

(please note that some people do prefer to use third-party PDF viewers such as PDF X-Change Viewer and Foxit Reader, which are not as commonly exploited as Adobe Reader, so if you would prefer to use one of those then you do not need to download and install Adobe Reader)

4. Make Sure Your Computer Has The Latest Windows Updates:

  1. Click on the Start button.
  2. Go to All Programs.
  3. Click on Windows Update.
  4. Click Check for updates in the menu on the left (should be near the top).
  5. Once it is done checking for updates, click the Install updates button on the right.
  6. If your computer wants to restart after the updates are done, make sure that you allow it to.

5. Web Of Trust Extension:

While this is not a requirement, I highly recommend that you click this link and check out the Web Of Trust extension for your web browser. It will add an extra layer of protection to your web browsing for free, and it is especially helpful when doing searches on Google, Yahoo!, Bing, etc. as it will point out what sites are considered trustworthy and what sites are not by drawing a colored circle to the right of each search result. Green means trusted, red means not trusted, yellow is in between, and white means it is not in Web Of Trust's database.

6. Empty The System Restore:

  1. Click on the Start button.
  2. Right-click on Computer.
  3. Select Properties from the list.
  4. In the window that pops up, click on the System protection link in the menu on the left.
  5. The buttons may not be clickable for a few moments, but once you can click on them, select the drive in the list near the bottom that shows protection is on (this will usually be your C: drive) and click the Configure... button.
  6. Click the button near the bottom-right that says Delete to clear all System Restore data.
  7. Once finished, click OK to close that window.
  8. Now you will want to make sure that the correct drive is selected again (usually your C: drive) and click on the Create button to create a new restore point.
  9. Fill in a name for the restore point, and click the Create button.
  10. Once it is done, you can close the windows that were opened to get to the System Restore settings.


You're quite welcome. ;)

Since everything seems OK, I am going to go ahead and close this topic.

Note: The instructions in this forum topic have been customized based on the logs posted by the person asking for assistance. Please do not attempt to follow any of the instructions in this forum topic, as they could cause damage to your computer. If you require assistance, please start here if you believe your computer is infected, and one of our experts will be happy to assist you by analyzing your logs.
