Virus & Other Malware Removal
Rootkits???

(In Progress)

davecabezo (Member with 105 posts, THREAD STARTER; Join Date: Jun 2005; Experience: beginner/intermediate)
19-Apr-2010, 06:10 AM #1
Hi,
I'm running XP Pro and about 3 weeks ago I had all sorts of problems: System Restore points wiped out, multiple windows opening when only clicking once, etc. etc. Then eventually I couldn't boot normally, only in safe mode. I use my computer a lot, particularly on the internet as I'm living most of the time in Tenerife, so I contacted Microsoft, who guided me through the 1st part of the problems, i.e. reducing all my startup programs. Eventually I got my computer to boot properly and ran scan after scan with AVG, SuperAntiSpyware and CCleaner. The programs found quite a lot of malicious software. I thought I had beaten the infections, but just recently I found the Internet running very slow. I contacted Telefonica, who checked my line and said their connection was fine but I had a lot of traffic, even though I had no internet programs running. I then discovered the existence of rootkits, so I did a scan with Microsoft/Sysinternals RootkitRevealer. It threw up about 12 instances of irregularities, so I asked to save the file on my desktop, but after closing the program I couldn't find the file!

I have enclosed a HJThis logfile and hope someone can help, as I do use the computer a lot as I'm virtually housebound.

Kind Regards,

Dave
davecabezo (thread starter), 19-Apr-2010, 06:34 AM #2
Sorry, but I just realised I hadn't attached the HJThis logfile.

Regards,

Dave
Attachment Blocked
davecabezo (thread starter), 19-Apr-2010, 12:29 PM #3
P.S. I've had to repost as my previous attempt to attach a HJT log was blocked.
Attachment Blocked
Kenny94 (Account Disabled, 2,026 posts; Join Date: Dec 2004; Location: S.C)
19-Apr-2010, 12:48 PM #4
Hi davecabezo And Welcome to TSG!

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions, and please do not do any fixing on your own or run any scanners unless requested by me or another helper.

DeFogger
Download DeFogger by jpshortstuff from here & save it to your desktop.
  • Right click DeFogger then choose Run as Administrator to run the tool
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A Finished! message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.
Do not re-enable these drivers until otherwise instructed.

Next

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
  • Double click GMER.exe.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED:
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save the log where you can easily find it, such as your desktop.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Please copy and paste the report into your Post.
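Kenny's caution that rootkit scans often produce false positives follows from how these scanners work. RootkitRevealer and GMER take one snapshot of the file system and registry through the normal Windows API and a second one by reading the raw on-disk structures, then list every path on which the two views disagree; those discrepancies are the "irregularities" Dave saw. A rootkit that filters directory listings shows up in that comparison, but so does any file that is created, deleted or changed while the scan is running (temp files, logs, the page file), and so do the hooks of CD emulation drivers, which is why DeFogger is run first. The Python below is an added illustration of that cross-view comparison on made-up snapshots; it is not code from RootkitRevealer, GMER or this forum, and every path, size and timestamp in it is constructed for the demo. It separates discrepancies that point at something hiding itself from ones that are only timing noise, which is the judgement a helper makes before acting on a "<--- ROOTKIT" line.

```python
"""Cross-view diff: the detection idea behind RootkitRevealer and GMER,
shown on constructed in-memory snapshots (not the scanners' own code).

A rootkit hides by lying to the Windows API (directory listings, registry
queries). Cross-view scanners take one snapshot through the normal API and a
second by reading the raw on-disk structures, then report every path on which
the two views disagree.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Entry:
    size: int      # bytes
    mtime: float   # last-modified time, seconds since epoch


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str      # "hidden_from_api" | "api_only" | "size_mismatch" | "transient"
    detail: str


def cross_view_diff(api_view: Dict[str, Entry], raw_view: Dict[str, Entry],
                    api_time: float, raw_time: float) -> List[Finding]:
    """Return one Finding per path where the API and raw views disagree.

    api_time / raw_time are when each snapshot was taken. A file that only
    exists in the raw view but was modified *between* the two snapshots was
    most likely just created while the scan ran (temp files, log files): that
    is the classic false positive, so it is labelled "transient", not hidden.
    """
    lo, hi = sorted((api_time, raw_time))
    findings: List[Finding] = []
    for path in sorted(set(api_view) | set(raw_view)):
        api: Optional[Entry] = api_view.get(path)
        raw: Optional[Entry] = raw_view.get(path)
        if api is None and raw is not None:
            if lo <= raw.mtime <= hi:
                findings.append(Finding(path, "transient",
                    "changed while the scan ran; probably not a rootkit"))
            else:
                findings.append(Finding(path, "hidden_from_api",
                    f"on disk ({raw.size} bytes) but absent from the API listing"))
        elif api is not None and raw is None:
            findings.append(Finding(path, "api_only",
                "listed by the API but not found on disk (deleted during scan?)"))
        elif api is not None and raw is not None and api.size != raw.size:
            findings.append(Finding(path, "size_mismatch",
                f"API reports {api.size} bytes, raw read gives {raw.size}"))
    return findings


def suspicious(findings: List[Finding]) -> List[Finding]:
    """Only the kinds that point at something actively hiding itself."""
    return [f for f in findings if f.kind in ("hidden_from_api", "size_mismatch")]


# Constructed sample snapshots: all paths, sizes and times are made up for the demo.
API_TIME, RAW_TIME = 1000.0, 1030.0   # API snapshot first, raw read 30 s later
API_VIEW = {
    r"C:\WINDOWS\system32\kernel32.dll": Entry(989_696, 100.0),
    r"C:\pagefile.sys": Entry(400_000_000, 900.0),
    r"C:\WINDOWS\Prefetch\SCANNER.pf": Entry(12_000, 950.0),
}
RAW_VIEW = {
    r"C:\WINDOWS\system32\kernel32.dll": Entry(989_696, 100.0),
    r"C:\pagefile.sys": Entry(400_004_096, 1020.0),          # grew during the scan
    r"C:\WINDOWS\system32\drivers\hidden_example.sys": Entry(28_672, 500.0),  # placeholder name
    r"C:\Temp\scan_123.tmp": Entry(64, 1015.0),              # created mid-scan
}


def demo() -> List[Finding]:
    """Run the comparison on the sample snapshots and print a short report."""
    findings = cross_view_diff(API_VIEW, RAW_VIEW, API_TIME, RAW_TIME)
    for f in findings:
        print(f"{f.kind:16} {f.path}  ({f.detail})")
    print(f"{len(suspicious(findings))} of {len(findings)} discrepancies worth a closer look")
    return findings


if __name__ == "__main__":
    demo()
```

On the sample data the driver that is on disk but missing from the API listing and the page file whose size disagrees are the two findings worth a closer look; the temp file created mid-scan and the prefetch entry deleted mid-scan are the kind of noise a real scan throws up on a busy machine, which is exactly why nothing in a GMER log is acted on without a helper reading it first.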
Kenny94, 19-Apr-2010, 12:49 PM #5
By the way, you can copy and paste your logs.
davecabezo (thread starter), 19-Apr-2010, 01:02 PM #6
Hi Kenny,
Many thanks for your reply. I tried to do as you said, but my computer just completely froze. I've rebooted and will carry out your instructions to the letter. I also have a laptop, which I'm sure will come in handy. Unfortunately I'm being taken out tonight, but I will try to reply with the info you require before then. If not, I'm around all day tomorrow. Not sure of your location, however, re time zone. It's 6pm here in Tenerife.

regards,

dave
Kenny94, 19-Apr-2010, 01:07 PM #7
No hurry... It's 1:00 pm here in South Carolina US.
davecabezo (thread starter), 19-Apr-2010, 01:27 PM #8
Hi Kenny,

Followed your instructions. The GMER scanner ran, but when I tried to save the file the computer froze completely. I will try again after a reboot. I'm replying via my laptop.

Dave
Kenny94, 19-Apr-2010, 01:30 PM #9
Try one more time. And if your PC has a hard time running GMER, let me know.
davecabezo (thread starter), 19-Apr-2010, 01:37 PM #10
Hi Again Kenny,

Same again: when I click Save the computer totally freezes and I have to manually shut it down and restart. Will try once again, but I'll see if I can copy and paste into Notepad.

Dave
Kenny94, 19-Apr-2010, 01:49 PM #11
Let's run ComboFix. But be sure to click the Disable button in DeFogger to disable your CD Emulation drivers first.

---------------------------------------------------------------------------------------------

  1. Download ComboFix from below:

    Combofix download

    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.

    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    The Windows Recovery Console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

    The Recovery Console was successfully installed.

    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
davecabezo (thread starter), 19-Apr-2010, 01:56 PM #12
Ok Kenny,
Did try to copy and paste into Notepad, but as soon as I tried to save in Notepad the computer froze again. Will sort out your next instructions tomorrow as my friend has arrived to take me out. Will reply tomorrow and keep looking for your reply.

Kind Regards,

Dave
Kenny94, 19-Apr-2010, 01:58 PM #13
OK. The ark.txt might be in your C: drive.
davecabezo (thread starter), 19-Apr-2010, 05:33 PM #14
Hi Kenny,
Managed to get the ark.txt, do you want me to continue with the Combofix?

Dave
Attachment Blocked
Kenny94, 19-Apr-2010, 05:35 PM #15
Quote (Originally Posted by davecabezo):
Hi Kenny,
Managed to get the ark.txt, do you want me to continue with the Combofix?

Dave

Yes, run ComboFix.