Please help with rootkit problem

Hi everyone

I’m new to the forums. Actually I was searching for some solution to my PC’s rootkit problem that’s why I’m here. Any help would be appreciated. :slight_smile:

I’ve been using avast for a while now on my laptop PC (running 64-bit Windows 7 Home). And so far I didn’t get any problems. But recently my laptop PC has been having problems. It’s running pretty slowly and having trouble starting up in normal mode. A few days ago it started up normally but now it wouldn’t at all. So now I’m running it in safe mode with networking. I did a full scan with avast and found a DLL file with the status – Threat:Rootkit:hidden file. I tried to delete it with avast but I get the error message: Access is denied (5). Avast also found 7 other things but the status says-- Error: the request could not be performed because of an I/O device error.

Here is the screenshot of the avast log:

http://i448.photobucket.com/albums/qq206/nastyhobbit_frh/avast_scanlog.png

What should I do? My laptop still wouldn’t start up in normal mode. :frowning:

Hi,

Hi and welcome!

Please visit the site located here. Follow the directions
for running OTL, aswMBR.exe and Malwarebytes and then attach the logs that are created to your next reply. :slight_smile:


Still running on Safe Mode with Networking…

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.02.07

Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421
nastyhobbit :: NASTY_HOBBIT [administrator]

8/2/2012 3:23:48 PM
mbam-log-2012-08-02 (15-23-48).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 206899
Time elapsed: 3 minute(s), 14 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Still in safe mode with networking…

I’ve downloaded OTL and tried to run it as specified (all other windows closed, etc.). But it freezes at some point and it just hangs. I’ve tried to run it twice now and I get the same result. Am I doing something wrong? Should I just wait it out and (cross fingers) it’ll finish the scan eventually?

I’ve also downloaded aswMBR and also tried to run it as specified. But at some point before it’s finished, I just get the blue screen and the computer restarts. So I have no aswMBR scan log either.

Is my computer doomed?

Sorry about that. Third time’s the charm, it turns out. :-[ Here’s the OTL scan log. And it took a while.

I’ll try to run aswMBR again.

… and nope. I ran aswMBR again, but I got the blue screen midway and the computer restarted again. So I don’t have the aswMBR scan log to show you. :frowning:

Good job getting that run.

Please download TDSSKiller.zip

[*]Extract it to your desktop
[*]Double click TDSSKiller.exe
[*]When the window opens, click on Change Parameters
[*]Under ”Additional options”, put a check mark in the box next to “Detect TDLFS File System”
[*]click OK
[*]Press Start Scan
[*]Do Not Attempt To Fix Anything Now. We just need to look over the report and be sure we are removing the correct items.
[*]Attach the log in your next reply

[*]A copy of the log will be saved automatically to the root of the drive (typically C:)


Okay, downloaded TDSSKiller and ran it. Here’s the log.

Thanks a lot for your patience by the way. :smiley:

Hi,

You are more than welcome. :slight_smile:

Download Combofix from either of the links below, and save it to your desktop.
Link 1
Link 2

Note: It is important that it is saved directly to your desktop
If you get a message saying “Illegal operation attempted on a registry key that has been marked for deletion”, please restart your computer.


IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here


Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.
When finished, it will produce a report for you.
[*]Please post the C:\ComboFix.txt for further review.

Okay, downloaded Combofix and ran it. I disabled (or so I thought) my anti-spyware (Ad-Aware) and antivirus programs (avast) before I ran Combofix, but for some reason, Combofix still said they were running. I ran Combofix anyways and got this log.

By the way, the computer restarted by itself. The computer is still running in Safe Mode with Networking.

Hi,

I see that you are running both Avast and AdAware Antivirus? Using more than one antivirus program is not a good idea and could lead to more problems and actually less detection. You may also be interested in reading this >> http://www.scmagazine.com/lavasofts-new-owners-operated-misleading-websites/article/209123/ in reference to AdAware. I would suggest you remove one of them completely.

[*]Please open Notepad (Start → Run → type notepad in the Open field → OK) and copy and paste the text present inside the code box below:


ClearJavaCache::

DDS::
Trusted Zone: pps.tv
Trusted Zone: ppstream.com
Trusted Zone: webscache.com
Trusted Zone: qq.com\cache.tv
Trusted Zone: qq.com\qqlivecaption
Trusted Zone: qq.com\qqlivehabit
Trusted Zone: qq.com\qqlivesearch
Trusted Zone: qq.com\video_1
DPF: {5EC7C511-CD0F-42E6-830C-1BD9882F3458} - hxxp://download.ppstream.com/bin/powerplayer.cab
DPF: {EF0D1A14-1033-41A2-A589-240C01EDC078} - hxxp://dl.pplive.com/PluginSetup.cab

Firefox::
FF - ProfilePath - c:\users\nastyhobbit\AppData\Roaming\Mozilla\Firefox\Profiles\irygqewh.default\
FF - prefs.js: keyword.URL - hxxp://www.samenc.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=sJ8PfxwN&q=
FF - user.js: keyword.URL - hxxp://www.samenc.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=sJ8PfxwN&q=

[*]Save this as CFScript.txt and change the “Save as type” to “All Files” and place it on your desktop.

http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif

[*]Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
[*]Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
[*]ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
[*]When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix’s window while it is running. That may cause it to stall.
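The CFScript above tells ComboFix to reset Firefox's keyword.URL (the pref that decides where a non-URL typed into the address bar is sent) in both prefs.js and user.js, and to drop the IE Trusted Zone and DPF entries. As an added example that is not part of this thread, of ComboFix or of any Farbar/Kaspersky tool, here is a small Python check that parses a Firefox prefs file and flags search-related prefs whose host is not on a short allow-list of known search providers. The sample prefs text is constructed, and the allow-list and the set of prefs inspected are assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample of a Firefox prefs.js/user.js. The keyword.URL value
# mirrors the one the helper's CFScript resets (undefanged); the rest is filler.
SAMPLE_PREFS_JS = r'''
# Mozilla User Preferences
user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1343900000);
user_pref("browser.startup.homepage_override.mstone", "rv:14.0");
user_pref("keyword.URL", "http://www.samenc.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=sJ8PfxwN&q=");
user_pref("browser.search.update.lastUpdateTime", 1343900000);
user_pref("browser.search.selectedEngine", "Google");
'''

# Prefs that decide where typed text or startup navigation is sent (assumption:
# the list is illustrative, not a complete inventory of Firefox search prefs).
SEARCH_PREFS = {"keyword.URL", "browser.search.defaulturl", "browser.startup.homepage"}

# Allow-list of hosts a legitimate search/homepage pref may point at (assumption).
KNOWN_SEARCH_HOSTS = {"google.com", "bing.com", "yahoo.com", "duckduckgo.com"}

# user_pref("name", value);  -- value is a quoted string, an integer, or true/false.
PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.*?)\);\s*$')


def _unescape(s):
    """Undo the two escapes Firefox writes inside pref string literals."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_prefs(text):
    """Return {name: value} from prefs.js/user.js text; non-pref lines are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = _unescape(m.group(1)), m.group(2).strip()
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            value = _unescape(raw[1:-1])
        elif raw in ("true", "false"):
            value = raw == "true"
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw  # leave anything unexpected as its literal text
        prefs[name] = value
    return prefs


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it cannot be parsed."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def host_is_allowed(host, allowed=KNOWN_SEARCH_HOSTS):
    """True if host equals, or is a subdomain of, an allow-listed domain.
    Matching on label boundaries stops 'google.com.evil.example' from passing."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in allowed for i in range(len(labels)))


def find_hijacked_search_prefs(prefs, allowed=KNOWN_SEARCH_HOSTS):
    """Return [(pref_name, host)] for search prefs whose host is missing or not allow-listed."""
    findings = []
    for name in sorted(SEARCH_PREFS):
        value = prefs.get(name)
        if not isinstance(value, str) or not value.lower().startswith(("http://", "https://")):
            continue
        host = host_of(value)
        if not host or not host_is_allowed(host, allowed):
            findings.append((name, host))
    return findings


if __name__ == "__main__":
    for name, host in find_hijacked_search_prefs(parse_prefs(SAMPLE_PREFS_JS)):
        print(f"suspicious search pref {name} -> {host}")
```

Run the same check over user.js as well as prefs.js: Firefox re-applies user.js on every start, so a redirect removed only from prefs.js comes straight back, which is why the script above touches both files.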

I ran into the same problem as last time when disabling avast and Ad-Aware. I disabled avast by right-clicking the avast icon in the system tray and clicking “disable permanently”. And I also disabled Ad-Aware by right-clicking the Ad-Aware icon and clicking “exit”. I even opened the task manager to end all the processes I thought were related to both programs. But when I ran Combofix, it says both programs are running. I haven’t clicked “OK” from the Combofix message box. What do I do to REALLY disable these programs? :-\

I’m running the computer in Safe Mode with Networking, by the way. If that’s significant.

If ComboFix still shows they are running don’t worry about it. Just continue on. It shouldn’t cause a problem. :slight_smile:

Okay, that’s a relief.
But now I have another problem (sorry, it seems the problems never end). The computer was shutdown unexpectedly (power outage… argh) while Combofix was running, and now when I restarted the computer and ran Combofix again, it’s stuck at extracting files to output folder C:\32788R22FWJFW. What do I do?

Go ahead and stop ComboFix, reboot your system and try to run ComboFix again. :slight_smile:

I’ve done that but it just stalls again. I restarted the computer, even deleted Combofix.exe and re-downloaded it and ran it again but that doesn’t work either. I’ve repeated the process many times but the result’s the same – stalled Combofix. Are there any other options?

Hi,

Yep…let’s try something else.

FRST

For 32 bit systems, download Farbar Recovery Scan Tool and save it to a flash drive.
For 64 bit systems, download Farbar Recovery Scan Tool64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

[*]Restart the computer.
[*]As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
[*]Use the arrow keys to select the Repair your computer menu item.
[*]Select US as the keyboard language settings, and then click Next.
[*]Select the operating system you want to repair, and then click Next.
[*]Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

[*]Insert the installation disc.
[*]Restart your computer.
[*]If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
[*]Click Repair your computer.
[*]Select US as the keyboard language settings, and then click Next.
[*]Select the operating system you want to repair, and then click Next.
[*]Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

[*]Select Command Prompt
[*]In the command window type in notepad and press Enter.
[*]The notepad opens. Under File menu select Open.
[*]Select “Computer” and find your flash drive letter and close the notepad.
[*]In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.
[*]The tool will start to run.
[*]When the tool opens click Yes to disclaimer.
[*]Press Scan button.
[*]It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

I downloaded FRST on a flashdrive, plugged the flashdrive in the computer and then restarted. I entered system recovery options through advanced boot options. After I selected “Repair your computer”, it seemed to work (Windows was loading files and the screen changed into that blue/white gradient background with some leaf accents). But after some minutes though I got the message:

System Recovery Options
The installed program cannot start. Click OK to turn off the computer.

So I turned off the computer.

I haven’t got a Windows 7 installation CD since Windows 7 came pre-installed when I bought the laptop. I do have system recovery discs (they’re not exactly the same as the installation discs from what I understand, but what the heck, it was worth a shot) but when I tried those, it didn’t seem to work either. There wasn’t any prompt to start Windows from the CD/DVD drive.

So I’ll go borrow an installation disc or buy one tomorrow. But if there’s yet another option, let me know.

Okay, since that attempt to run FRST didn’t work, I tried running Combofix again. And it worked! I don’t know why but it worked! But I don’t understand why Combofix still says that Ad-Aware is running since I uninstalled it the day before when you said to uninstall either Ad-Aware or avast. And I installed Ad-Aware in the first place as an anti-spyware program. I didn’t even know it was also an antivirus. :-[

Anyway, here’s the log from Combofix:

ComboFix 12-08-05.02 - nastyhobbit 08/06/2012 16:17:40.2.2 - x64 NETWORK
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.63.1033.18.3933.2850 [GMT 2:00]
Running from: c:\users\nastyhobbit\Desktop\1234.exe
Command switches used :: c:\users\nastyhobbit\Desktop\CFScript.txt
AV: avast! Antivirus Enabled/Updated {2B2D1395-420B-D5C9-657E-930FE358FC3C}
AV: Lavasoft Ad-Watch Live! Anti-Virus Enabled/Updated {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
FW: ZoneAlarm Free Firewall Enabled {E6380B7E-D4B2-19F1-083E-56486607704B}
SP: avast! Antivirus Enabled/Updated {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Lavasoft Ad-Watch Live! Enabled/Updated {24938260-56EE-C1E5-047B-DC2BDD234BAB}
SP: Windows Defender Disabled/Updated {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2012-07-06 to 2012-08-06 )))))))))))))))))))))))))))))))
.
.
2012-08-06 14:37 . 2012-08-06 14:37 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-02 04:31 . 2012-08-02 04:31 -------- d-----w- c:\users\nastyhobbit\AppData\Roaming\Malwarebytes
2012-08-02 04:30 . 2012-08-02 04:30 -------- d-----w- c:\programdata\Malwarebytes
2012-08-02 04:30 . 2012-08-02 04:34 -------- d-----w- c:\program files (x86)\Malwarebytes’ Anti-Malware
2012-08-02 04:30 . 2012-07-03 11:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-01 09:21 . 2012-05-04 11:00 366592 ----a-w- c:\windows\system32\qdvd.dll
2012-08-01 09:21 . 2012-05-04 09:59 514560 ----a-w- c:\windows\SysWow64\qdvd.dll
2012-07-25 17:12 . 2012-07-25 17:12 -------- d-----w- c:\users\nastyhobbit\AppData\Roaming\HPAppData
2012-07-11 19:26 . 2012-06-12 03:08 3148800 ----a-w- c:\windows\system32\win32k.sys
2012-07-09 14:34 . 2012-07-11 11:38 -------- d-----w- c:\program files\7-Zip
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-27 05:46 . 2012-05-04 01:47 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-07-27 05:46 . 2011-05-19 02:11 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-11 19:23 . 2010-06-07 18:43 59701280 ----a-w- c:\windows\system32\MRT.exe
2012-07-04 06:31 . 2012-07-04 06:31 476936 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
2012-07-04 06:31 . 2010-05-22 14:00 472840 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-06-06 02:49 . 2011-11-29 02:41 499712 ----a-w- c:\windows\SysWow64\msvcp71.dll
2012-06-06 02:49 . 2011-11-29 02:41 348160 ----a-w- c:\windows\SysWow64\msvcr71.dll
2012-06-02 22:19 . 2012-06-22 02:33 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-22 02:33 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-22 02:33 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-22 02:33 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-22 02:33 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:15 . 2012-06-22 02:33 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-22 02:33 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 13:19 . 2012-06-22 02:33 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 13:15 . 2012-06-22 02:33 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-05-31 10:25 . 2010-06-07 19:52 279656 ------w- c:\windows\system32\MpSigStub.exe
.