So, I scanned my computer today and I had a rootkit… I clicked Apply where it asks if you'd like to remove it or move it to the chest, and it said it will be applied after restart (something like that) and asked to do a boot-time scan… so I did. Nothing came up. Then I go to the scan log and try to delete it and I get this: "Error access is denied (5)". The file directory is (if I'm not allowed to post this here then tell me) C:\Windows\Temp\SDIAG_14ff66d-eab3-aa39-298c206cd949\DiagPackage.dll. Also the status is Threat: Rootkit: Hiddenfile.
I scanned immediately after it said this with HitmanPro and SuperAntiSpyware (both found nothing ;'( ), and now I'm doing a scan with the Microsoft Windows Malicious Software Removal Tool… For some reason I can't download Malwarebytes, as it says something like "cannot find file" and then the name… Please give me any information about how to remove the rootkit. Thanks! (Malwarebytes randomly deleted itself on the 16th after I uninstalled iTunes.)…
EDIT: System restored to the day Malwarebytes worked. Was able to install it with only one problem, but it had done that when I first installed it (when I first got my computer). Currently scanning, will update if it detects anything. Also installed TDSSKiller and GMER.
EDIT #2: Malwarebytes and TDSSKiller detected nothing.
EDIT #3: Used CCleaner, McAfee Stinger & Rootkit Remover, and one other anti-rootkit. They found nothing as well. Still kind of on alert because I don't think it's gone… Also ran two more scans with Avast (full scans, found nothing).
Pondus, after running the second thing it wants you to do, my computer got the blue screen and said it shut down to prevent damage… so I guess I'm out of luck there…
You mention the "second thing"? Is that aswMBR.exe? Were you able to get OTL to run? If so, please post both the OTL.txt and Extras.txt logs in your next reply.
I was able to run a scan with OTL, and then when I ran the Avast rootkit one I got a blue screen and it said Windows shut down to prevent damage. I'm currently not at my house, but when I get there I'll get on my computer and post the logs. Possibly I'll retry the Avast rootkit scanner and see what it says under the Windows shutdown blue screen, as I can't remember.
For the time being, don't run any other scans so that we can see what we are dealing with. When you are able to do so, just post the OTL logs and we can go from there.
Redid the scans; this time aswMBR (whatever it's called) didn't give me the blue screen and it found 2 things (out of 5 ;/). Posting the attachments now ;)
Not a lot is showing up in your logs now that you did the system restore.
Please download and run ERUNT (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT, however, creates a complete backup set, including the Security hive and user-related sections. ERUNT is easy to use, and since it creates a full backup, there are no options or choices other than selecting the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. **Remember, if you are using Windows Vista as your operating system, right-click the executable and Run as Administrator.
Run OTL.exe
[*]Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
[code]
:Services
:OTL
IE - HKU\S-1-5-21-2807712318-2501942183-506546610-1000\..\URLSearchHook: {37483b40-c254-4a72-bda4-22ee90182c1e} - No CLSID value found
IE - HKU\S-1-5-21-2807712318-2501942183-506546610-1000\..\URLSearchHook: {9a9d7930-001b-4e0c-a8ca-f16080dbfc85} - No CLSID value found
FF:[b]64bit:[/b] - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
O2:[b]64bit:[/b] - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - No CLSID value found.
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (no name) - MRI_DISABLED - No CLSID value found.
O3:[b]64bit:[/b] - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-2807712318-2501942183-506546610-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKU\S-1-5-21-2807712318-2501942183-506546610-1000\..\Toolbar\WebBrowser: (no name) - {9A9D7930-001B-4E0C-A8CA-F16080DBFC85} - No CLSID value found.
O4 - Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk = File not found
O4 - Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk = File not found
O4 - Startup: C:\Users\Mcx1-OWNER-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk = File not found
[3 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp -> ]
[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[2011/05/27 16:09:47 | 000,009,392 | -HS- | C] () -- C:\Users\Owner\AppData\Local\s7846w86gi86yo4j3444wfp8hl
[2011/05/27 16:09:47 | 000,009,392 | -HS- | C] () -- C:\ProgramData\s7846w86gi86yo4j3444wfp8hl
[2011/05/21 21:16:18 | 000,008,704 | ---- | C] () -- C:\Users\Owner\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
:Files
ipconfig /flushdns /c
:Reg
:Commands
[purity]
[resethosts]
[emptytemp]
[start explorer]
[Reboot]
[/code]
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered. There will be a log created when it completes that I will need in your next reply. Reboot when it is done.
[*]Then run a new scan and post a new OTL log (don't check the boxes beside LOP Check or Purity this time).
What exactly do you mean by "when I try to install it"? Are you trying to run the fix that I provided and that is creating the error? Please explain what you mean by that.
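The following is an added example and is not from this thread, nor ERUNT's or OTL's own code. It is an elevated PowerShell script that does two things the helper's post asks for by hand: it saves the registry hives ERUNT backs up (SAM, SECURITY, SOFTWARE, SYSTEM and every loaded HKU\S-1-5-21-... user hive) with the built-in reg.exe, and it reports the two kinds of findings the OTL fix above removes, namely browser extension registrations (URLSearchHook, BHO, Toolbar) whose CLSID has no class key, which is what OTL prints as "No CLSID value found", and files carrying the Hidden+System attribute pair OTL shows as "-HS-". It also prints owner and Authenticode signature details for any path you hand it, such as the locked DiagPackage.dll from the first post (that path is copied as posted, including its shortened folder name). The backup folder under the system drive is an assumption; the registry locations are the standard Internet Explorer ones.

```powershell
# Added example, not part of the original thread, ERUNT or OTL. Run from an elevated
# PowerShell prompt. Reports only; it does not delete anything.

function Backup-RegistryHives {
    # Assumed backup location; change $Destination as needed.
    param([string]$Destination = "$env:SystemDrive\RegBackup\$(Get-Date -Format yyyyMMdd-HHmmss)")
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    $targets = @{ 'HKLM\SAM' = 'SAM'; 'HKLM\SECURITY' = 'SECURITY'
                  'HKLM\SOFTWARE' = 'SOFTWARE'; 'HKLM\SYSTEM' = 'SYSTEM' }
    # Every loaded user hive (HKU\S-1-5-21-...), skipping the *_Classes halves.
    Get-ChildItem Registry::HKEY_USERS |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
        ForEach-Object { $targets["HKU\$($_.PSChildName)"] = "NTUSER_$($_.PSChildName)" }
    foreach ($key in $targets.Keys) {
        $file = Join-Path $Destination "$($targets[$key]).hiv"
        & reg.exe save $key $file /y | Out-Null      # reg.exe enables SeBackupPrivilege itself
        [pscustomobject]@{ Hive = $key; File = $file; Saved = ($LASTEXITCODE -eq 0) }
    }
}

function Test-ClsidRegistered {
    param([Parameter(Mandatory)][string]$Clsid)
    # A 32-bit BHO on x64 Windows is registered under Wow6432Node, so check both views and HKCU.
    $bases = @('HKLM:\SOFTWARE\Classes\CLSID'
               'HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID'
               'HKCU:\SOFTWARE\Classes\CLSID')
    foreach ($b in $bases) { if (Test-Path (Join-Path $b $Clsid)) { return $true } }
    return $false
}

function Get-OrphanedBrowserExtensions {
    # URLSearchHook and O3 Toolbar entries are value names; O2 BHOs are subkeys.
    $guid = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
    $valueKeys = @('HKCU:\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks'
                   'HKLM:\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks'
                   'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar'
                   'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar'
                   'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser')
    $subkeyKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
                    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects')
    foreach ($k in $valueKeys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($name in (Get-Item $k).GetValueNames()) {
            if ($name -match $guid -and -not (Test-ClsidRegistered $name)) {
                [pscustomobject]@{ Location = $k; Clsid = $name; Kind = 'value' } } } }
    foreach ($k in $subkeyKeys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($c in Get-ChildItem $k) {
            if ($c.PSChildName -match $guid -and -not (Test-ClsidRegistered $c.PSChildName)) {
                [pscustomobject]@{ Location = $k; Clsid = $c.PSChildName; Kind = 'subkey' } } } }
}

function Get-HiddenSystemFiles {
    # The "-HS-" attribute pair OTL showed on the s7846w86gi86yo4j3444wfp8hl files.
    $hs = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
    foreach ($root in $env:ProgramData, $env:LOCALAPPDATA, $env:APPDATA) {
        Get-ChildItem -LiteralPath $root -File -Force -ErrorAction SilentlyContinue |
            Where-Object { ($_.Attributes -band $hs) -eq $hs } |
            Select-Object FullName, Length, CreationTime
    }
}

function Get-FileTriage {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { [pscustomobject]@{ Path = $p; Exists = $false }; continue }
        $f   = Get-Item -LiteralPath $p -Force          # -Force so Hidden/System files are returned
        $sig = Get-AuthenticodeSignature -LiteralPath $p
        [pscustomobject]@{
            Path = $p; Exists = $true; Size = $f.Length; Created = $f.CreationTime
            Hidden    = [bool]($f.Attributes -band [IO.FileAttributes]::Hidden)
            System    = [bool]($f.Attributes -band [IO.FileAttributes]::System)
            Owner     = (Get-Acl -LiteralPath $p).Owner
            SigStatus = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

# Back up first, then audit. The two file paths are the ones from this thread.
Backup-RegistryHives          | Format-Table -AutoSize
Get-OrphanedBrowserExtensions | Format-Table -AutoSize
Get-HiddenSystemFiles         | Format-Table -AutoSize
$suspects = @('C:\Windows\Temp\SDIAG_14ff66d-eab3-aa39-298c206cd949\DiagPackage.dll'
              "$env:ProgramData\s7846w86gi86yo4j3444wfp8hl")
Get-FileTriage -Path $suspects | Format-List
```

Two caveats. The .hiv files written by reg.exe save are in the same format as the files under %SystemRoot%\System32\config, but SAM, SECURITY, SOFTWARE and SYSTEM are in use while Windows is running and cannot be put back with reg restore from the live system; putting them back means copying the saved files into that directory from the recovery environment, which is why ERUNT ships its own restore launcher. The audit is a list for review, not a verdict: a GUID with no CLSID key is usually leftover from an uninstalled add-on rather than active malware, and desktop.ini files in the scanned roots will legitimately show up as Hidden+System, so removal decisions stay with the OTL fix the helper posts, not with this script.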
Download Combofix from either of the links below, and save it to your desktop. Link 1 Link 2
Note: It is important that it is saved directly to your desktop
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.
When finished, it will produce a report for you.
[*]Please post the C:\ComboFix.txt for further review.
Is it supposed to be deleting C:\users\owner\appdata\roaming\windows & C:\windows\install? OK, now it's just sitting there at deleting the folders I mentioned earlier.