
Rootkits???

Discussion in 'Virus & Other Malware Removal' started by davecabezo, Apr 19, 2010.

Thread Status:
Not open for further replies.
  1. davecabezo

    davecabezo Thread Starter

    Joined:
    Jun 22, 2005
    Messages:
    105
    Hi,
    I'm running XP Pro and about 3 weeks ago I had all sorts of problems: System Restore points wiped out, multiple windows opening when only clicking once, etc., etc. Then eventually I couldn't boot normally, only in safe mode. I use my computer a lot, particularly on the internet, as I'm living most of the time in Tenerife, so I contacted Microsoft, who guided me through the 1st part of the problems, i.e. reducing all my startup programs. Eventually I got my computer to boot properly and ran scan after scan with AVG, SuperAntiSpyware and CCleaner. The programs found quite a lot of malicious software. I thought I had beaten the infections, but just recently I found the Internet running very slow. I contacted Telefonica, who checked my line, and they said their connection was fine but I had a lot of traffic, even though I had no internet programs running. I then discovered the existence of rootkits, so I did a scan with Microsoft/Sysinternals RootKit Revealer. It threw up about 12 instances of irregularities, so I asked to save the file on my desktop, but after closing the program I couldn't find the file!

    I have enclosed a HJThis logfile and hope someone can help, as I do use the computer a lot and I'm virtually housebound.

    Kind Regards,

    Dave
     
  2. davecabezo

    davecabezo Thread Starter

    Joined:
    Jun 22, 2005
    Messages:
    105
    Sorry, but I just realised I hadn't attached the HJThis logfile.

    Regards,

    Dave
     

    Attached Files:

  3. davecabezo

    davecabezo Thread Starter

    Joined:
    Jun 22, 2005
    Messages:
    105
    Hi,
    I'm running XP Pro and about 3 weeks ago I had all sorts of problems: System Restore points wiped out, multiple windows opening when only clicking once, etc., etc. Then eventually I couldn't boot normally, only in safe mode. I use my computer a lot, particularly on the internet, as I'm living most of the time in Tenerife, so I contacted Microsoft, who guided me through the 1st part of the problems, i.e. reducing all my startup programs. Eventually I got my computer to boot properly and ran scan after scan with AVG, SuperAntiSpyware and CCleaner. The programs found quite a lot of malicious software. I thought I had beaten the infections, but just recently I found the Internet running very slow. I contacted Telefonica, who checked my line, and they said their connection was fine but I had a lot of traffic, even though I had no internet programs running. I then discovered the existence of rootkits, so I did a scan with Microsoft/Sysinternals RootKit Revealer. It threw up about 12 instances of irregularities, so I asked to save the file on my desktop, but after closing the program I couldn't find the file!

    I have enclosed a HJThis logfile and hope someone can help, as I do use the computer a lot and I'm virtually housebound.

    Kind Regards,


    Dave

    P.S. I've had to repost as my previous attempt to attach a HJT log was blocked.
     

    Attached Files:

  4. Kenny94

    Kenny94 Banned

    Joined:
    Dec 16, 2004
    Messages:
    2,026
    Hi davecabezo, and welcome to TSG!

    Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

    Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

    Kindly follow my instructions, and please do not do any fixing on your own or run scanners unless requested by me or another helper.



    DeFogger
    Download DeFogger by jpshortstuff from here & save it to your desktop.
    • Right click DeFogger then choose Run as Administrator to run the tool
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A Finished! message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK
    IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.
    Do not re-enable these drivers until otherwise instructed.

    Next

    Download the GMER Rootkit Scanner. Unzip it to your Desktop.

    Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
    • Double click GMER.exe.
    • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
    • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
    • Save the log where you can easily find it, such as your desktop.
    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

    Please copy and paste the report into your Post.
     
  5. Kenny94

    Kenny94 Banned

    Joined:
    Dec 16, 2004
    Messages:
    2,026
    By the way, you can copy and paste your logs... :)
     
  6. davecabezo

    davecabezo Thread Starter

    Joined:
    Jun 22, 2005
    Messages:
    105
    Hi Kenny,
    Many thanks for your reply. I tried to do as you said but my computer just completely froze. I've rebooted, though, and will carry out your instructions to the letter. I also have a laptop, which I'm sure will also come in handy. Unfortunately I'm being taken out tonight, but will try to reply with the info you require before then. If not, I'm around all day tomorrow. Not sure of your location, however, re time zone. It's 6pm here in Tenerife.

    regards,

    dave
     
  7. Kenny94

    Kenny94 Banned

    Joined:
    Dec 16, 2004
    Messages:
    2,026
    No hurry...:) It's 1:00 pm here in South Carolina US.
     
  8. davecabezo

    davecabezo Thread Starter

    Joined:
    Jun 22, 2005
    Messages:
    105
    Hi Kenny,

    Followed your instructions. When I ran the Gmer scanner it scanned, but when I tried to save the file the computer froze completely. I will try again after reboot. I'm replying via my laptop.

    Dave
     
  9. Kenny94

    Kenny94 Banned

    Joined:
    Dec 16, 2004
    Messages:
    2,026
    Try one more time. And if your PC has a hard time running Gmer, let me know.
     
  10. davecabezo

    davecabezo Thread Starter

    Joined:
    Jun 22, 2005
    Messages:
    105
    Hi Again Kenny,

    Same again: when I click Save, the computer totally freezes and I have to manually shut it down and restart. Will try once again, but will see if I can copy and paste into Notepad.

    Dave
     
  11. Kenny94

    Kenny94 Banned

    Joined:
    Dec 16, 2004
    Messages:
    2,026
    Let's run ComboFix. But be sure to click the Disable button in DeFogger to disable your CD Emulation drivers first.



    Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

    Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

    Kindly follow my instructions, and please do not do any fixing on your own or run scanners unless requested by me or another helper.
    ---------------------------------------------------------------------------------------------


    1. Download ComboFix from below:

      Combofix download


      * IMPORTANT !!! Place combofix.exe on your Desktop
    2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.


      You can get help on disabling your protection programs here
    3. Double click on combofix.exe & follow the prompts.
    4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

      Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




      The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

      With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

      Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

      ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

      Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

      The Recovery Console was successfully installed.


      Click on Yes, to continue scanning for malware.
    5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
    6. When finished, it shall produce a log for you. Post that log in your next reply.

      Note:
      Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


      ---------------------------------------------------------------------------------------------
    7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

      ---------------------------------------------------------------------------------------------
     
  12. davecabezo

    davecabezo Thread Starter

    Joined:
    Jun 22, 2005
    Messages:
    105
    Ok Kenny,
    Did try to copy and paste into Notepad, but as soon as I tried to save in Notepad the computer froze again. Will sort out your next instructions tomorrow, as my friend has arrived to take me out. Will reply tomorrow and keep looking for your reply.

    Kind Regards,

    Dave
     
  13. Kenny94

    Kenny94 Banned

    Joined:
    Dec 16, 2004
    Messages:
    2,026
    OK. The ark.txt might be on your C: drive.
     
  14. davecabezo

    davecabezo Thread Starter

    Joined:
    Jun 22, 2005
    Messages:
    105
    Hi Kenny,
    Managed to get the ark.txt, do you want me to continue with the Combofix?

    Dave
     

    Attached Files:

    • ark.txt (3.4 KB)
  15. Kenny94

    Kenny94 Banned

    Joined:
    Dec 16, 2004
    Messages:
    2,026
    Yes run Combofix.
     
Short URL to this thread: https://techguy.org/917826