rootkit warning help

Hi my parents have had some problems on their laptop which i solved, but now a week later they’re getting a rootkit problem, tried to post the info you recommend on the sticky, but it keeps saying u’ve posted :-?? etc…

Bit lost, can i email the notebook info to anyone? Doesn’t seem to want to post on here, split it so it’s not too large helpppp

Ok sorry for the second post, got the first part of the notebook info on, but it won’t let me load the rest even though it’s split into small files…Is there enough info on the first part??

It maybe easier to email it?

What are the signs of this rootkit ?

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the “Scan” button to start scan

http://public.avast.com/~gmerek/aswMBR1.png

On completion of the scan click save log, save it to your desktop and post in your next reply

http://public.avast.com/~gmerek/aswMBR2.png

Hi thks for ur reply, the original problem was a program that opened every time u opened a .exe file, it took u to a page to buy something, and blocked u using any browser…

I got rid of that, but today my mum rang and said every so often if u open the browser or turn the pc on there’s an avast warning stating there’s a rootkit problem and to delete it and restart the pc for a full scan, the problem still comes back though… sorry to be so vague (ive NOW got the laptop here)

OK let’s start big

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

* Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

* Double click on ComboFix.exe & follow the prompts.

* As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

* Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Ok we have a problem, ive run the scan and saved the log, but it won’t open, and now firefox won’t either (im posting from my pc now), it’s saying C:\Program Files\Mozilla Firefox\firefox.exe Illegal operation attempted on a registry key that has been marked for deletion :-??

edit: it’s saying that for everything i double click

ok now working after reboot, odd, here’s the file

Hmm that found nothing so it must be time to do a manual look

Download OTS to your Desktop and double-click on it to run it

* Make sure you close all other programs and don’t use the PC while the scan runs.
* Select All Users
* Under additional scans select the following
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

* Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

* Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
* When the scan is complete Notepad will open with the report file loaded in it.
* Please attach the log in your next post.

Hi thks for the advice, i think that’s the file i had problems loading originally, part 1 was on post one…It was so long and i had problems splitting it up to load onto a post (wasn’t sure where to separate it). Any chance of emailing it?

If it is saved as ANSI it should attach quite nicely

if it is too large to attach then upload to Mediafire and post the sharing link.

Cheers http://www.mediafire.com/?9rflrooy4zdc2va

On completion of this run can you let me know what problems remain

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {02478D38-C3F9-4efb-9B51-7695ECA05670} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> "{0BF43445-2F28-4351-9252-17FE6E806AA0}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Drives with AutoRun files > -> 
YN -> ductSeries=Photosmart C4500 series | COEXIST_RELEASE_NUM=30 | DriverVer=12/05/2008, 120.000.210.000 | UI_15=yes | UI_261=yes | UI_280=no | InfrastructureDatabaseList=hpomdl30.dat | autorunid=PS_AIO_04_C4500_USW_Full_Win_WW | DefaultLanguageInThisRelease=enu | LanguagesInthisCD=ara,chs,cht,csy,dan,deu,ell,enu,esn,fin,fra,heb,hun,ita,jpn,kor,nld,nob,plk,ptb,rus,sve,trk | networkinstall=%sourcepath%setup\hpznui%ICE_SUFFIX%.exe | UsingWUP=Yes | PreloadAutorun=cpeprl01.dat | UseCoexistReleaseNum=yes | usingdevicediscovery=yes | ProductFinishEvent=somestring | PreloadRestingPad=hpzprl03.dat | PreloadICEEngineToGUIDFolder=hpzprl01.dat | PreloadRecoveryMechanism=hpzprl02.dat | Preload_PSL_Stuff_With_WOW=hpoprl10.dat | PreloadICENetworkComponents=hpzprl05.dat |  -> 
[Files/Folders - Modified Within 30 Days]
NY ->  5oh7603awd86 -> C:\Users\Ed\AppData\Local\5oh7603awd86
NY ->  5oh7603awd86 -> C:\ProgramData\5oh7603awd86
[Files - No Company Name]
NY ->  5oh7603awd86 -> C:\Users\Ed\AppData\Local\5oh7603awd86
NY ->  5oh7603awd86 -> C:\ProgramData\5oh7603awd86
[Custom Scans]
YY ->  explorer.exe : MD5=3C33B26F2F7FA61D882515F2D6078691 -> C:\Users\Ed\AppData\Local\Temp\RarSFX0\procs\explorer.exe
YY ->  explorer.exe : MD5=ABC6379205DE2618851C4FCBF72112EB -> C:\Users\Ed\AppData\Local\Temp\RarSFX0\h\explorer.exe
NY ->  userinit.exe : MD5=AC6094297CD882B8626466CDEB64F19F -> C:\Users\Ed\AppData\Local\Temp\RarSFX0\userinit.exe
NY ->  winlogon.exe : MD5=AC6094297CD882B8626466CDEB64F19F -> C:\Users\Ed\AppData\Local\Temp\RarSFX0\winlogon.exe
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.
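The two signals the helper acts on in the fix above are copies of explorer.exe, winlogon.exe and userinit.exe sitting in a Temp\RarSFX0 folder, and two differently named "system" binaries carrying the same MD5. The checker below is an added example, not the thread's own or the OTS tool's code: it parses lines in the OTS /md5start format, flags system-binary names outside the directory they normally live in (assumed default Windows paths), and flags one hash reused under several names. The sample log is constructed; three entries are taken from the fix script above and the all-zero hash is a placeholder for a clean explorer.exe.

```python
import re
from typing import NamedTuple

# Constructed sample in the OTS "Custom Scans" MD5 line format. The first three lines
# are copied from the fix script in this thread; the last is a made-up "clean" entry
# whose all-zero hash is a placeholder, not the real system explorer.exe hash.
SAMPLE_LOG = """\
YY ->  explorer.exe : MD5=3C33B26F2F7FA61D882515F2D6078691 -> C:\\Users\\Ed\\AppData\\Local\\Temp\\RarSFX0\\procs\\explorer.exe
NY ->  userinit.exe : MD5=AC6094297CD882B8626466CDEB64F19F -> C:\\Users\\Ed\\AppData\\Local\\Temp\\RarSFX0\\userinit.exe
NY ->  winlogon.exe : MD5=AC6094297CD882B8626466CDEB64F19F -> C:\\Users\\Ed\\AppData\\Local\\Temp\\RarSFX0\\winlogon.exe
YY ->  explorer.exe : MD5=00000000000000000000000000000000 -> C:\\Windows\\explorer.exe
"""

# Assumption: default install locations for the binaries named in the /md5start block
# (32-bit layout as in this thread; 64-bit systems add a SysWOW64 copy of svchost.exe).
EXPECTED_DIR = {
    "explorer.exe": {r"c:\windows"},
    "winlogon.exe": {r"c:\windows\system32"},
    "userinit.exe": {r"c:\windows\system32"},
    "svchost.exe":  {r"c:\windows\system32", r"c:\windows\syswow64"},
}

LINE_RE = re.compile(r"^\w\w ->\s+(?P<name>\S+) : MD5=(?P<md5>[0-9A-Fa-f]{32}) -> (?P<path>.+)$")

class Entry(NamedTuple):
    name: str
    md5: str
    path: str

def parse_md5_lines(text):
    """Extract (name, md5, path) from every OTS MD5 result line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["name"].lower(), m["md5"].upper(), m["path"]))
    return entries

def find_suspicious(entries):
    """Return (path, reason) pairs: a system binary name outside its expected directory,
    or one hash shared by differently named binaries (real winlogon/userinit never match)."""
    findings = []
    names_by_hash = {}
    for e in entries:
        parent = e.path.rsplit("\\", 1)[0].lower()
        if e.name in EXPECTED_DIR and parent not in EXPECTED_DIR[e.name]:
            findings.append((e.path, "system binary name outside its expected directory"))
        names_by_hash.setdefault(e.md5, set()).add(e.name)
    for e in entries:
        if len(names_by_hash[e.md5]) > 1:
            findings.append((e.path, "same MD5 reused under different binary names"))
    return findings

if __name__ == "__main__":
    for path, reason in find_suspicious(parse_md5_lines(SAMPLE_LOG)):
        print(f"{reason}: {path}")
```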

Is this all the same for this scan?

Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

Ok im presuming i do, here’s the file…As far as the problem, it’s not shown itself since i did some of the info u mentioned, but to be fair i haven’t used the laptop too much due to being worried about the breach…cheers

No, just run the fix and a log should pop up after reboot - just post that and let me know what problems remain

oops i clicked those options, does that matter? or should i do it again unclicked, files on post above

As long as you pressed run fix and inserted the fix script in the fix box it should be OK

ok did u see the file, it’s connected to the one above ur previous post. cheers

oops one final point on that program, the box for file age says 30 days, that ok?

Before we run a new scan I will need to know what problems remain, as that will determine the next step ;D

Ok well ive been using it this evening, and so far the rootkit problem hasn’t returned :-? Do we call this solved unless it comes back, and i open the thread again??

Can u see anything in these files i’m loading?