|HELP| Can't delete rootkit or move to chest

So, I scanned my computer today and I had a rootkit… I clicked apply where it says if you'd like to remove or move it to chest, and it said it will be applied after restart (something like that) and it asked to do a boot-time scan… so I did. Nothing came up. And then I go to the scan log and try to delete it and I get this: "Error access is denied(5)". The file directory (if I'm not allowed to put this out here then tell me) is C:\Windows\Temp\SDIAG_14ff66d-eab3-aa39-298c206cd949\DiagPackage.dll and the status is Threat: Rootkit: Hiddenfile.

I scanned immediately after it said this with HitmanPro and SUPERAntiSpyware (both found nothing ;'( ), and now I'm doing a scan with the Microsoft Windows Malicious Software Removal Tool… For some reason I can't download Malwarebytes, as it says something like "cannot find file" and then the name… Please give me any information about how to remove the rootkit. Thanks! (Malwarebytes randomly deleted itself on the 16th after I uninstalled iTunes)…

EDIT: System restored to the day Malwarebytes worked. Was able to install it with only one problem, but it had done that when I first installed it (when I first got my computer). Currently scanning, will update if it detects anything. Also installed TDSSKiller and GMER.

EDIT #2: Malwarebytes and TDSSKiller detected nothing.

EDIT #3: Used CCleaner, McAfee Stinger & Rootkit Remover, and one other anti-rootkit. They found nothing as well. Still kinda on alert because I don't think it's gone… Also ran 2 more scans with Avast (full scans, found nothing).
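As an added triage example (not from this thread or from Avast), the PowerShell below gathers the facts a responder would want about the file the scanner flagged above: its attributes (the "Hiddenfile" verdict keys on hidden/system attributes), its SHA-256, its Authenticode signature, and which process, if any, has it loaded (which is the usual cause of "access is denied (5)" on delete). It assumes the path quoted in the first post is still present and that it is run from an elevated PowerShell.

```powershell
# Added triage example, not from the thread. Path is the one quoted in the post;
# the SDIAG_* folder name is unique per run, so adjust it if yours differs.
$flagged = 'C:\Windows\Temp\SDIAG_14ff66d-eab3-aa39-298c206cd949\DiagPackage.dll'

if (-not (Test-Path -LiteralPath $flagged)) {
    Write-Output "File not present: $flagged"
    return
}

# -Force is required, otherwise Get-Item skips hidden/system files entirely
$item = Get-Item -LiteralPath $flagged -Force

# Basic facts worth recording before anything is deleted or quarantined
[pscustomobject]@{
    Path       = $item.FullName
    Attributes = $item.Attributes          # look for Hidden, System
    SizeBytes  = $item.Length
    Created    = $item.CreationTime
    Modified   = $item.LastWriteTime
    SHA256     = (Get-FileHash -LiteralPath $flagged -Algorithm SHA256).Hash
} | Format-List

# A Valid signature from a known publisher is strong evidence of a legitimate
# component; NotSigned or HashMismatch on a DLL in a temp folder deserves a closer look
$sig = Get-AuthenticodeSignature -LiteralPath $flagged
[pscustomobject]@{
    SignatureStatus = $sig.Status
    Signer          = $sig.SignerCertificate.Subject   # $null when unsigned
    Issuer          = $sig.SignerCertificate.Issuer
} | Format-List

# Any process that currently has the DLL mapped will hold it open, which is
# why a delete from the scan log fails with error 5 while the system is running
Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
    $p = $_
    try {
        if ($p.Modules.FileName -contains $flagged) {
            $p | Select-Object Id, ProcessName, Path
        }
    } catch {
        # module lists of protected or higher-integrity processes are not readable; skip them
    }
}
```

Windows' built-in troubleshooting (the diagnostics platform) unpacks its packages into SDIAG_* folders under C:\Windows\Temp, so a valid Microsoft signature on this file would point to a false positive rather than a rootkit; an unsigned or mismatched file is what should go to the chest and into the logs requested later in the thread.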

Follow the guide, and attach the OTL and aswMBR logs
http://forum.avast.com/index.php?topic=53253.0

What do OTL and the other thing stand for? Sorry, I'm a nub ;P

When I downloaded OTL and tried to run it, Avast popped up and said to move it to the chest (I didn't). Is that bad, or is it supposed to do that?

No… so ignore it… OTL is a diagnostic tool and aswMBR is a rootkit scanner.

Pondus, after running the second thing it wants you to do, my computer got the blue screen and said it shut down to prevent damage… so I guess I'm outta luck there…

OK, Essexboy and Jeffc are notified, so wait until they arrive… it may be several hours.

Hi,

You mention the "second thing"? Is that aswMBR.exe? Were you able to get OTL run? If so, please post both the OTL.txt and Extras.txt logs in your next reply. :slight_smile:

I was able to run a scan with OTL, and then when I ran the Avast rootkit one I got a blue screen and it said Windows shut down to prevent damage. I'm currently not at my house, but when I get there I'll get on my computer and post the logs. Possibly I'll retry the Avast rootkit scanner and see what it said under the Windows shutdown blue screen, as I can't remember.

Hi,

For the time being don’t run any other scans so that we can see what we are dealing with. When you are able to do so just post the OTL logs and we can go from there. :slight_smile:

Jeff, I system restored last night and the logs are gone… Should I try a scan with OTL just in case, or no?

Redid the scans; this time aswMBR (whatever it's called) didn't give me the blue screen and it found 2 things (outta 5 ;/). Posting the attachments now ;)

Hi,

Not a lot is showing up in your logs now that you did the system restore.

Please download and run ERUNT (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. Remember: if you are using Windows Vista as your operating system, right-click the executable and Run as Administrator.

Run OTL.exe

- Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL


:Services

:OTL
IE - HKU\S-1-5-21-2807712318-2501942183-506546610-1000\..\URLSearchHook: {37483b40-c254-4a72-bda4-22ee90182c1e} - No CLSID value found
IE - HKU\S-1-5-21-2807712318-2501942183-506546610-1000\..\URLSearchHook: {9a9d7930-001b-4e0c-a8ca-f16080dbfc85} - No CLSID value found
FF:[b]64bit:[/b] - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
O2:[b]64bit:[/b] - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - No CLSID value found.
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (no name) - MRI_DISABLED - No CLSID value found.
O3:[b]64bit:[/b] - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-2807712318-2501942183-506546610-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKU\S-1-5-21-2807712318-2501942183-506546610-1000\..\Toolbar\WebBrowser: (no name) - {9A9D7930-001B-4E0C-A8CA-F16080DBFC85} - No CLSID value found.
O4 - Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk =  File not found
O4 - Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk =  File not found
O4 - Startup: C:\Users\Mcx1-OWNER-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk =  File not found
[3 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp -> ]
[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[2011/05/27 16:09:47 | 000,009,392 | -HS- | C] () -- C:\Users\Owner\AppData\Local\s7846w86gi86yo4j3444wfp8hl
[2011/05/27 16:09:47 | 000,009,392 | -HS- | C] () -- C:\ProgramData\s7846w86gi86yo4j3444wfp8hl
[2011/05/21 21:16:18 | 000,008,704 | ---- | C] () -- C:\Users\Owner\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

:Files
ipconfig /flushdns /c

:Reg

:Commands
[purity]
[resethosts]
[emptytemp]
[start explorer]
[Reboot]

- Then click the Run Fix button at the top
- Let the program run unhindered. There will be a log created when it completes that I will need in your next reply. Reboot when it is done.
- Then run a new scan and post a new OTL log (don't check the boxes beside LOP Check or Purity this time)

Jeff, I get this error when I try to install it: "Access violation at address 8B12EB00. Read of address 8B12EB00." What does that mean exactly?

Hi FireCubic,

What exactly do you mean by "when I try to install it"? Are you trying to run the fix that I provided and that is creating the error? Please explain what you mean by that.

When I'm trying to install ERUNT I get that error.

Hi,

Let’s try another route. :slight_smile:

Download Combofix from either of the links below, and save it to your desktop.
Link 1
Link 2

Note: It is important that it is saved directly to your desktop


IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here


Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the C:\ComboFix.txt for further review.

OK, about to do the ComboFix thing now. What do I do about the 2 things that aswMBR (whatever it's called) found?

Hi,

We will clear those out. :slight_smile: Just post the ComboFix log when you get it.

Is it supposed to be deleting C:\users\owner\appdata\roaming\windows & C:\windows\install? OK, now it's just sittin' there at deleting the folders I mentioned earlier.