Not able to get rid of a Rootkit

Yes, SP3 has been out for over a year, and there is little point in chasing the ntoskrnl.exe issue on an out-of-date system; who knows, the update may change how that functions.

Contrary to your statement, you do use IE: it is integrated into the OS and can still be exploited. It is used to display help files, the folder structure in Windows Explorer, the email preview window if you use Outlook Express, and some other things. So you do use it, and it needs to be updated.

I have IE7, as I really don't think IE8 is mature enough, and there are some issues with it reported in the Windows Secrets newsletter, so I will wait a while yet before I install IE8.

Acrobat is also way out of date, vulnerable to exploits and a huge target for malware because of its large user base. So old versions need to be uninstalled and the latest installed.

That is why I gave you the link to the Secunia check: there are more applications that it checks, and there is insufficient information to say what version of some apps you have installed, like Winamp.


I even uninstalled all the programs that were used to get rid of the rootkit, including MBAM, RootRepeal, HijackThis, CCleaner, Secunia, etc.

If I am not mistaken, uninstalling the above programs will not help your boot time, since none of them should be running at boot time, unless you have a "paid-for" version.


Hey... remember the sites I mentioned??? I found a solution for it...
I'm posting it here just in case someone else needs it!!! :)

Stop www. thenewspedia. com from opening in your browser
Does your browser automatically open www(dot)thenewspedia(dot)com?

This is probably a virus or worm which doesn't harm your computer system but only opens the link, i.e. www. thenewspedia. com, unconditionally. Actually, this is a browser hijacker affecting IE (Internet Explorer) and Firefox. It simply promotes thenewspedia by opening up the site randomly while you are browsing, or it opens up along with your homepage even if you have not set it as your homepage.

As a browser hijacker, it takes control over your browser, so you should remove it immediately to avoid future harm. So here are the removal steps:

REMOVAL

This is caused by a file named nissan.exe, and here I have described 3 methods to remove it.

METHOD I:

Open the registry editor by going to Start -> Run -> regedit and hitting Enter.
Navigate to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

You will see an entry named "taskman" with a value similar to "C:\RECYCLER\S-1-5-21-3028898713-081331…

Double-click it and you'll see its path, like C:\RECYCLER\S-1-5-21-3028898713-0813311981-684376638-1852\nissan.exe

This entry is the cause of the mess, as it tells Windows to execute the file. So, you have to delete the key "taskman", but before that, copy your path address (C:\RECYCLER\S-1-5-21-3028898713-0813311…) except nissan.exe and navigate to the folder by pasting it in Run. Now delete the key.

When you open the RECYCLER folder, nothing will be shown. This is because it is set to a super-hidden state. Use the "attrib -h -s -r" command in Run, like Start -> Run -> [attrib -h -s -r C:\RECYCLER\S-1-5-21-3028898713-0813311981-684376638-1852\nissan.exe], to remove any attributes, and then delete it.

Or alternatively, you can use "Unlocker" to delete the folder. This is a free and handy utility to move, kill or delete files when they are locked by other Windows services.

Download link:
http://ccollomb.free.fr/unlocker/#download

METHOD II:

Use Malwarebytes Anti-Malware. This is a free tool for removing any malware, worms, trojans, etc., and it is updated frequently, so I would suggest trying www.malwarebytes.org and downloading their free anti-malware, as you might have other worms too.

METHOD III:
You can use this direct removal tool too:
http://www.prevx.com/filenames/X1371355467920112549-X1/NISSAN.EXE.html
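Method I above boils down to two checks that are easy to get wrong by hand: reading the Winlogon "Taskman" value, and listing a folder whose contents are hidden+system so Explorer and a plain dir show it as empty. The following PowerShell script is an added example, not code from the post above or from any of the tools it links; it reports rather than deletes. The heuristic that a Taskman value pointing into a RECYCLER (or, on Vista and later, $Recycle.Bin) per-SID folder is suspicious is my assumption, generalized from the single path in the post; Process Explorer and similar tools legitimately set Taskman, but they live under Program Files.

```powershell
# Added example (not from the forum post). Inspects the Winlogon "Taskman"
# value described in Method I and lists the hidden folder it points at.
# Run from an elevated PowerShell prompt. It changes nothing.

$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-WinlogonTaskman {
    # Returns the Taskman string, or $null when the value is absent
    # (absent is the default on a clean XP/Vista/7 install).
    $props = Get-ItemProperty -Path $Winlogon -ErrorAction SilentlyContinue
    if ($null -eq $props -or -not $props.PSObject.Properties['Taskman']) {
        return $null
    }
    return [string]$props.Taskman
}

function Test-SuspiciousTaskman {
    param([string]$Value)
    # Assumed heuristic: a Taskman override living inside the Recycle Bin's
    # per-SID folders (RECYCLER on XP, $Recycle.Bin on Vista+) is not something
    # a legitimate installer does.
    if ([string]::IsNullOrEmpty($Value)) { return $false }
    return ($Value -match '(?i)\\RECYCLER\\S-1-5-21-[0-9-]+\\') -or
           ($Value -match '(?i)\\\$Recycle\.Bin\\S-1-5-21-[0-9-]+\\')
}

function Show-HiddenFolder {
    param([string]$Folder)
    # -Force is what makes hidden+system entries visible; without it the
    # folder looks empty, which is the "nothing will be shown" in the post.
    if (-not (Test-Path -LiteralPath $Folder)) {
        Write-Host "Folder $Folder not found (already cleaned, or the path differs)."
        return
    }
    Get-ChildItem -LiteralPath $Folder -Force | ForEach-Object {
        "{0,-30} {1,10} {2}" -f $_.Attributes, $_.Length, $_.FullName
    }
}

$taskman = Get-WinlogonTaskman
if ($null -eq $taskman) {
    Write-Host "No Taskman value under Winlogon (normal)."
}
elseif (Test-SuspiciousTaskman $taskman) {
    Write-Host "SUSPICIOUS Taskman value: $taskman"
    $exe = $taskman.Trim('"')
    Show-HiddenFolder -Folder (Split-Path -Path $exe -Parent)
    Write-Host ""
    Write-Host "Cleanup, in the order the post gives (remove the value first so the file is not relaunched):"
    Write-Host "  Remove-ItemProperty -Path '$Winlogon' -Name Taskman"
    Write-Host "  attrib -h -s -r `"$exe`""
    Write-Host "  Remove-Item -LiteralPath `"$exe`" -Force"
}
else {
    Write-Host "Taskman is set to: $taskman (verify it is something you installed, e.g. Process Explorer)."
}
```

If the value is present but the file is gone, the Taskman entry still needs removing; a dangling Taskman value makes Ctrl+Alt+Del's task manager launch fail silently, which is itself a useful sign that cleanup was only half done.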

Unfortunately, neither Avast nor MBAM detects it... :(
I used the FileAssassin option in MBAM to delete the nissan.exe file.

Did you send the file for analysis to help improve detection?
Send an email to virus (at) avast (dot) com. Thanks.

Hey viper...

I am facing the same problem...
I tried removing it manually but I am unsuccessful...
For example, when running the attrib program, nothing happens. Could you further simplify your process,
or guide me to the site where you found the solution?
Thanks

For the moderator: this is the okobarfest.exe virus/malware, which Avast is unable to detect.

Oktoberfest.exe is currently being reviewed by Prevx

“The most common objects with the name of OKTOBERFEST.EXE have yet to be classified as safe by our research department”

http://www.prevx.com/filenames/981336025384161385-X1/OKTOBERFEST.EXE.html

Hey swar...
Sorry for the late reply...

But I don't exactly remember the site... :(
I just googled "newspedia virus".

By the way, the procedure has been posted here... is there anything specific that you don't get?
I would be glad to help you :)