Laptop infected with [Rtk] and [Drp] viruses - Help needed please

Hi

My laptop is manifested with these Rtk and Drp viruses which are destroying it.

They disable Windows updates, Microsoft Security Essentials and the Microsoft firewall; internet pages appear almost white, with text but no images or graphics, and a whole lot of other things.

I just recently downloaded Avast, which picked them up, but I was told not to delete any files because of them being Windows files, and so I should seek help in forums.

It would be appreciated if anyone can help.

Thanks.

You appear to have a rootkit infection (Sirefef) as well as ZAccess (Zero Access) infection.

Thank you for attaching the logs in your first post. A qualified malware specialist has been notified, and you will be in good hands.

Hi, let's get to work

Re-Run aswMBR

Click Scan

On completion of the scan
Click the Fix Button

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBR_Zero.png

Save the log as before and post in your next reply

THEN

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
To disable MBAM
Open the scanner and select the protection tab
Remove the tick from “Start with Windows”
Reboot and then run OTL

http://i1224.photobucket.com/albums/ee362/Essexboy3/mbamstop.jpg

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
SRV:64bit: - [2009/07/14 02:39:46 | 000,006,656 | ---- | M] (Oak Technology Inc.) [Auto | Running] -- C:\WINDOWS\SysNative\netdde.dll -- (svcwrsssdk)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O3 - HKU\S-1-5-21-3951360407-1491449816-2605157873-1001\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O16:64bit: - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16:64bit: - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16:64bit: - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O38 - SubSystems\\Windows: (ServerDll=consrv:ConServerDllInitialization,2)
NetSvcs:64bit: svcwrsssdk - C:\WINDOWS\SysNative\netdde.dll (Oak Technology Inc.)
[2012/04/28 02:12:02 | 000,000,000 | -HS- | M] () -- C:\Windows\SysNative\dds_trash_log.cmd
[C:\Windows\system64] -> \systemroot\system32 -> Mount Point

:Files
ipconfig /flushdns /c
C:\Windows\tasks\At*.job

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
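As an added illustration (not from this thread, and not part of OTL or any tool it mentions), a small Python script that scans OTL log lines for the kinds of ZeroAccess/Sirefef indicators the fix above targets: a service DLL under SysNative attributed to a non-Microsoft vendor, an orphaned BHO, a foreign ServerDll in the Windows SubSystems key, a hidden+system file with an empty vendor field, and a junction from a fake system64 directory into the real system32. The sample log lines and the set of stock ServerDll names are constructed assumptions for the demonstration; every hit is a candidate for review, not a verdict.

```python
import re

# Constructed sample OTL log lines modelled on the fix script in this thread, plus two
# clean entries (a Microsoft service and the stock winsrv ServerDll) the rules must skip.
SAMPLE_OTL_LOG = r"""
SRV:64bit: - [2009/07/14 02:39:46 | 000,006,656 | ---- | M] (Oak Technology Inc.) [Auto | Running] -- C:\WINDOWS\SysNative\netdde.dll -- (svcwrsssdk)
SRV:64bit: - [2009/07/14 02:39:46 | 000,012,288 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\SysNative\w32time.dll -- (W32Time)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O38 - SubSystems\\Windows: (ServerDll=consrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
[2012/04/28 02:12:02 | 000,000,000 | -HS- | M] () -- C:\Windows\SysNative\dds_trash_log.cmd
[C:\Windows\system64] -> \systemroot\system32 -> Mount Point
"""

SYSDIR = re.compile(r"C:\\Windows\\(SysNative|System32)\\", re.IGNORECASE)
SRV_RE = re.compile(r"^SRV(?::64bit)?: - \[[^\]]*\] \((?P<vendor>[^)]*)\) \[[^\]]*\] -- (?P<path>.+?) -- \([^)]+\)$")
FILE_RE = re.compile(r"^\[[^|]*\| [^|]*\| (?P<attrs>[-A-Z]{4}) \| [MC]\] \((?P<vendor>[^)]*)\) -- (?P<path>.+)$")
MOUNT_RE = re.compile(r"^\[(?P<src>[^\]]+)\] -> (?P<dst>.+?) -> Mount Point$")
SERVERDLL_RE = re.compile(r"ServerDll=([A-Za-z0-9_]+)")
# Assumption: the ServerDll names a stock Windows SubSystems\Windows value carries; verify per build.
STOCK_SERVERDLLS = {"basesrv", "winsrv", "sxssrv"}

def find_indicators(log_text):
    """Return (rule, line) pairs for OTL lines that match one of the review heuristics."""
    hits = []
    for line in (l.strip() for l in log_text.splitlines() if l.strip()):
        m = SRV_RE.match(line)
        if m:  # service DLL in the system directory attributed to someone other than Microsoft
            if SYSDIR.search(m.group("path")) and "microsoft" not in m.group("vendor").lower():
                hits.append(("non-microsoft-service-in-system32", line))
            continue
        if line.startswith("O2 - BHO:") and "No CLSID value found" in line:
            hits.append(("orphaned-bho", line))  # BHO registered with no backing CLSID
            continue
        if line.startswith("O38 - SubSystems"):
            if any(d.lower() not in STOCK_SERVERDLLS for d in SERVERDLL_RE.findall(line)):
                hits.append(("foreign-subsystem-serverdll", line))  # e.g. consrv replacing winsrv
            continue
        m = FILE_RE.match(line)
        if m:  # hidden+system file in the system directory with an empty vendor field
            a = m.group("attrs")
            if "H" in a and "S" in a and not m.group("vendor").strip() and SYSDIR.search(m.group("path")):
                hits.append(("hidden-system-file-no-vendor", line))
            continue
        m = MOUNT_RE.match(line)
        if m and m.group("src").lower().startswith("c:\\windows\\") and m.group("dst").lower().endswith("system32"):
            hits.append(("junction-into-system32", line))  # fake system64 -> real system32 junction
    return hits
```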

Thank you for the help

essexboy

I re-ran aswMBR but it restarted by itself after I clicked on Fix, so I didn’t have the chance to save the log.
This happened on booting
http://oi49.tinypic.com/m7qmaf.jpg

Would clicking Save Log after the restart be enough, or do I have to re-scan first?

Thanks

That is the system doing a disc check; that does occur sometimes

Rescan and save the log, meanwhile continue with the rest of the fix please

This is what happened when I ran OTL and rebooted after

http://oi46.tinypic.com/33aazja.jpg

Windows won’t start

Can you select safe mode?

No, not even safe mode
The same thing happens

OK, can you burn a CD and use a USB?

Looks like yet another new variant

We will need to create a CD and additionally use a USB drive

Please print these instructions out so that you know what you are doing

[*]Download OTLPENet.exe to your desktop
[*]Download Farbar Recovery Scan Tool x64 and save it to a flash drive.
[*]Ensure that you have a blank CD in the drive
[*]Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
[*]Reboot your system using the boot CD you just created.
Note: If you do not know how to set your computer to boot from CD follow the steps here
[*]As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads :)
[*]Your system should now display a Reatogo desktop
Note: as you are running from CD, it is not exactly speedy
[*]Insert the USB with FRST64
[*]Locate the flash drive with FRST64 and double click
[*]The tool will start to run.

http://i1224.photobucket.com/albums/ee362/Essexboy3/Farbar/FRST2.gif

[*]When the tool opens click Yes to disclaimer.
[*]Press Scan button.
[*]It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

It says FRST.exe is not a valid win32 application

OK from the Reatogo desktop double click OTL

[*]Double-click on the OTLPE icon.
[*]Select the Windows folder of the infected drive if it asks for a location
[*]When asked “Do you wish to load the remote registry”, select Yes
[*]When asked “Do you wish to load remote user profile(s) for scanning”, select Yes
[*]Ensure the box “Automatically Load All Remaining Users” is checked and press OK
[*]OTL should now start
[*]Press Run Scan to start the scan.
[*]When finished, the file will be saved in drive C:\OTL.txt
[*]Copy this file to your USB drive if you do not have internet connection on this system
[*]Right click the file and select Send to: select the USB drive.
[*]Confirm that it has copied to the USB drive by selecting it
[*]You can backup any files that you wish from this OS
[*]Please post the contents of the C:\OTL.txt file in your reply.

I have just realised, OTLPE is a 32 bit system and I gave the 64 bit FRST

The 32 bit version is here

[*]Download Farbar Recovery Scan Tool and save it to a flash drive.

This is the OTLPE log

I will run the Farbar right now

FRST Log

Download the attached fixlist.txt to the same USB as FRST

Then from the Reatogo desktop start FRST
Once running press FIX

On completion reboot to normal mode, it may require two boots

What do you mean by starting FRST from desktop?

Do you mean to move the FRST.exe from the usb to the desktop then run it?

Sorry

First add the fixlist.txt to the USB that has FRST on it
Then insert the USB into the system
Then from the Reatogo disc run FRST and then press fix

Sorry essexboy

I still don’t understand the

"Then from the Reatogo disc run FRST and then press fix"

Do I run the FRST.exe from the USB while it’s inside the laptop?

Or do I have the FRST.exe from the USB to the Reatogo desktop then run it (there is no FRST.exe on the Reatogo desktop)?

Sorry for being a pain, I really do appreciate your help

Thanks

Run it directly from the USB; there is no need to copy it to the desktop

OK, I ran FRST then rebooted (more than once) to normal mode, but the same thing happened.
Windows won’t start up

Below is the fix log. I hope I did it right; the fixing process took 1/2 second, so I don’t know if I’ve done it right.

Thanks