I'm pretty sure I have a rootkit. I've been asking around other forums and trying to get opinions to get rid of it; however, it's really quite hard to get rid of. Seems like a backdoor worm, not sure though; all the rootkits I have used have not found it, including ASWMBR. If anyone has some suggestions, I would be very grateful!
Follow the guide here and attach the logs: http://forum.avast.com/index.php?topic=53253.0 and essexboy will have a look when he arrives.
Lower left corner > additional options > attach
If logs are too big you may upload to http://www.mediafire.com/ and post the download link here
Monitoring ;D
Hey Teros,
Is that you from the Trendmicro forums who was asking for help? Is that you here: http://community.trendmicro.com/t5/Malware-Discussions/Hijackthis-log/td-p/43747/page/5 ?
I guess yes. As I said many times, don't trust Malwarekiller; I was the one who judged him and got insulted in the Trend forums for my behavior. Feels good as everything came as I expected. You are here, and for good.
Your fault is that you trusted malwarekiller and not that you got infected.
Now, the hardest part won't be the removal of the infection since Essexboy is "the father" of malware removal.
I saw some fixes malwarekiller provided; he may have caused serious damage to your computer. He installed many programs, he even told you to run STOPZILLA, which is related to TDSS infections. He even played with some of your legit drivers.
Regards,
Philip
@Essex, as you can see malwarekiller even copied your canned speeches:
"I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.
Now the best part of the day ----- Your log now appears clean!
A good workman always cleans up after himself so… The following will implement some cleanup procedures as well as reset System Restore points:" and the rest. Everything can be found here:
http://community.trendmicro.com/t5/Malware-Discussions/Hijackthis-log/td-p/43747/page/4
Honestly, I don't know about the guy, but nothing has improved to the point where it should be. If you do have any suggestions that are contrary to what he is saying, I will take them into consideration, since the last thing he mentioned was quite extreme, not to mention possibly harmful if indeed true. Kaspersky Rescue Disk I believe he called it. However, I do some research before performing these, which he has mentioned. However, it is true, it seems odd I have gotten more spam and hang-ups continue. Any help would be appreciated; if it helps, I will indeed stop taking his advice, as the thread is now on page 13… BTW, sorry if I upset or offended you in any way when you posted about him, true or not, I overreacted to the situation.
Posted the requested logs that I performed recently.
Thanks.
He got banned here for providing dangerous advice…
Essexboy is notified…
If you search the forum for com155 the name he (malwarekiller) used here, then you should find lots of reading…
Hi there, it is a bit difficult to determine what is actually the problem as a lot of files have been jiggled around; also you appear to have lost your winlogon file. You appear to have had WhiteSmoke, which is relatively easy to remove.
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
FF - prefs.js..browser.search.defaultthis.engineName: "WhiteSmoke Bar Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3007394&SearchSource=3&q={searchTerms}"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&q="
[2011/08/25 02:41:45 | 000,001,276 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\nf4iog2x.default\searchplugins\search-the-web.xml
[2010/12/07 20:24:54 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/12/07 20:24:54 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/12/07 20:24:54 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2010/12/21 15:53:13 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
O16 - DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 1.6.0_27)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Reg Error: Key error.)
[2011/09/08 00:07:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\WhiteSmoke_Bar
[2011/09/03 02:48:00 | 000,000,000 | ---D | C] -- C:\WINDOWS\VDLL.DLL
[2011/09/03 02:48:00 | 000,000,000 | ---D | C] -- C:\WINDOWS\SysWow64\runouce.exe
[2011/09/03 02:48:00 | 000,000,000 | ---D | C] -- C:\WINDOWS\RUNDL132.EXE
[2011/09/03 02:48:00 | 000,000,000 | ---D | C] -- C:\WINDOWS\logo_1.exe
[2011/09/03 02:46:20 | 000,034,048 | ---- | C] (MicroWorld Technologies Inc.) -- C:\WINDOWS\SysWow64\eEmpty.exe
[2011/08/26 00:53:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\ScooP_
[2011/01/16 16:55:21 | 000,255,488 | ---- | M] () MD5=3C33B26F2F7FA61D882515F2D6078691 -- C:\Documents and Settings\Administrator\Local Settings\Temp\RarSFX0\procs\explorer.exe
[2011/01/16 16:55:21 | 000,255,488 | ---- | M] () MD5=3C33B26F2F7FA61D882515F2D6078691 -- C:\Documents and Settings\Administrator\Local Settings\Temp\RarSFX1\procs\explorer.exe
[2005/08/16 02:54:58 | 000,001,536 | ---- | M] () MD5=ABC6379205DE2618851C4FCBF72112EB -- C:\Documents and Settings\Administrator\Local Settings\Temp\RarSFX0\h\explorer.exe
[2005/08/16 02:54:58 | 000,001,536 | ---- | M] () MD5=ABC6379205DE2618851C4FCBF72112EB -- C:\Documents and Settings\Administrator\Local Settings\Temp\RarSFX1\h\explorer.exe
[2009/05/26 19:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\Documents and Settings\Administrator\Local Settings\Temp\RarSFX0\userinit.exe
[2009/05/26 19:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\Documents and Settings\Administrator\Local Settings\Temp\RarSFX1\userinit.exe
:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Download and Install Combofix
Download ComboFix from one of the following locations:
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop *
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks
http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png
http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png
[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.
Notes:
- Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
- Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
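The OTL fix above pastes scan entries back into the tool, and what marks the RarSFX lines as worth removing is the pattern in them: copies of explorer.exe and userinit.exe sitting under a Temp directory, two paths sharing one MD5. The parser below is an added example written for this thread; it is not part of OTL or of the post, and its entry grammar (date, size, attributes, flag, optional company, optional MD5, path) is inferred from the lines quoted here, which is an assumption. The sample lines are copied from the fix above plus one deliberately non-matching line, and the checks are the three a reviewer applies by eye: system-binary names outside C:\WINDOWS, executables under Temp, and hashes shared by several paths.

```python
"""Triage OTL-style file entries like those in the fix above.

Added example for this thread; it is not part of OTL or of the original post.
The entry grammar below is inferred from the lines quoted in the thread
(an assumption: OTL's exact output format is not documented on the page):

    [date time | size | attrs | flag] (company) MD5=<hash> -- <path>

where "(company)" and "MD5=" are optional.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple

OTL_ENTRY = re.compile(
    r"^\[(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>\S{4}) \| (?P<flag>[MC])\]"
    r"(?: \((?P<company>[^)]*)\))?"
    r"(?: MD5=(?P<md5>[0-9A-Fa-f]{32}))?"
    r" -- (?P<path>.+?)\s*$"
)

# Names of Windows binaries that should only live under C:\WINDOWS; the same
# names turning up elsewhere is the pattern seen in the scan above.
SYSTEM_BINARY_NAMES = {
    "explorer.exe", "userinit.exe", "winlogon.exe",
    "svchost.exe", "lsass.exe", "csrss.exe",
}
WINDOWS_DIR = "c:\\windows\\"
TEMP_MARKER = "\\local settings\\temp\\"


@dataclass
class OtlEntry:
    stamp: str
    size: int
    is_dir: bool
    company: Optional[str]
    md5: Optional[str]
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_otl_entry(line: str) -> Optional[OtlEntry]:
    """Parse one entry; return None for lines that are not file entries."""
    m = OTL_ENTRY.match(line.strip())
    if not m:
        return None
    return OtlEntry(
        stamp=m["stamp"],
        size=int(m["size"].replace(",", "")),
        is_dir=m["attrs"].endswith("D"),      # "---D" marks a directory
        company=m["company"] or None,          # "()" means no version info
        md5=(m["md5"] or "").upper() or None,
        path=m["path"],
    )


def triage_otl_entries(lines) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs for entries that deserve a closer look."""
    entries = [e for e in map(parse_otl_entry, lines) if e is not None]
    paths_by_md5 = defaultdict(list)
    for e in entries:
        if e.md5:
            paths_by_md5[e.md5].append(e.path)

    findings = []
    for e in entries:
        if e.is_dir:
            continue
        low = e.path.lower()
        if e.name in SYSTEM_BINARY_NAMES and not low.startswith(WINDOWS_DIR):
            findings.append((e.path, "system-binary name outside the Windows directory"))
        if TEMP_MARKER in low and e.name.endswith(".exe"):
            findings.append((e.path, "executable under a Temp directory"))
        if e.md5 and len(paths_by_md5[e.md5]) > 1:
            others = len(paths_by_md5[e.md5]) - 1
            findings.append((e.path, f"MD5 shared with {others} other path(s)"))
    return findings


# Sample input copied from the OTL fix quoted in the thread, plus one junk line.
SAMPLE_LINES = [
    r"[2011/09/03 02:48:00 | 000,000,000 | ---D | C] -- C:\WINDOWS\VDLL.DLL",
    r"[2011/09/03 02:46:20 | 000,034,048 | ---- | C] (MicroWorld Technologies Inc.) -- C:\WINDOWS\SysWow64\eEmpty.exe",
    r"[2011/01/16 16:55:21 | 000,255,488 | ---- | M] () MD5=3C33B26F2F7FA61D882515F2D6078691 -- C:\Documents and Settings\Administrator\Local Settings\Temp\RarSFX0\procs\explorer.exe",
    r"[2011/01/16 16:55:21 | 000,255,488 | ---- | M] () MD5=3C33B26F2F7FA61D882515F2D6078691 -- C:\Documents and Settings\Administrator\Local Settings\Temp\RarSFX1\procs\explorer.exe",
    r"[2009/05/26 19:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\Documents and Settings\Administrator\Local Settings\Temp\RarSFX0\userinit.exe",
    "not an OTL entry at all",
]

if __name__ == "__main__":
    for path, reason in triage_otl_entries(SAMPLE_LINES):
        print(f"{reason}: {path}")
```

Run against the sample, the directory entry and the junk line are skipped, the eEmpty.exe line under C:\WINDOWS produces nothing, and the three Temp copies are flagged; the two explorer.exe copies additionally share a hash, which is the duplicate-extraction signature of the RarSFX0/RarSFX1 pairs in the fix.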
Says it won't work with XP 64-bit… Is this incorrect or am I doing something wrong?
OK, missed that - saw the 64-bit and thought Vista; 2003 64-bits are like hen's teeth.
Download AVPTool from Here to your desktop
Run the programme you have just downloaded to your desktop (it will be randomly named)
First we will run a virus scan
Click the cog in the upper right
http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/AVPfront.gif
Select down to and including your main drive, once done select the Automatic scan tab and press Start Scan
http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/avpsettings.gif
Allow AVP to delete all infections found
Once it has finished select report tab (last tab)
Select Detected threats report from the left and press Save button
Save it to your desktop and attach to your next post
Now the Analysis
Rerun AVP and select the Manual Disinfection tab and press Start Gathering System Information
http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/AVPAnalysis.gif
On completion click the link to locate the zip file to upload and attach to your next post
http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/AVPZiplocation.gif
The link to download gives a .part file that can't be opened, so I am just going to search for it on Google.
… Part file from direct too, I'll figure it out.
Well, it worked; however, I can't seem to post the logs here, it just keeps loading to no end over and over again… Too big maybe? Just two txt files…
Figured it out, links below.
http://www.mediafire.com/?9vsr37md64d9c95
http://www.mediafire.com/?lhdv1f5f3dcpb36
Just got to copy and paste 'em, sorry lol. Thanks.
The main file I need to see is in the zip folder; could you upload the entire zip folder please?
On completion click the link to locate the zip file to upload and attach to your next post
http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/AVPZiplocation.gif
Won’t let me attach it… not right file type or something. Tried something different, maybe this is good enough…
Could you upload the Zip folder to mediafire and I will download it from there
The entire zip then?
Yes please, as it contains an HTML file as well as text data.
The zip and log.
Why do you think you have a rootkit ?
[*]Re-run AVPTool
[*]Select the Manual Disinfection tab and press Script execution
http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/avpmanual.gif
[*]Where it states Insert text script in the following box copy the below script and press Run script
Copy from Begin until End
http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/avpscript.gif
begin
SetAVZPMStatus(True);
SetAVZGuardStatus(True);
SearchRootkit(true, true);
RegKeyParamDel('HKEY_USERS','.DEFAULT\Control Panel\Desktop','scrnsave.exe');
RegKeyParamDel('HKEY_USERS','S-1-5-18\Control Panel\Desktop','scrnsave.exe');
DeleteFile('(None)');
BC_ImportDeletedList;
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
[*]Your system will reboot on completion, if it does not please do so yourself
[*]On completion please run another analysis scan and attach the zip file
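The AVZ script above deletes the scrnsave.exe value under HKEY_USERS\.DEFAULT and HKEY_USERS\S-1-5-18 (Control Panel\Desktop), the screensaver setting of the default and SYSTEM profiles. The check below is an added example written for this thread; it is not part of AVZ, AVPTool or the post. It reads those two values (and the interactive user's own) and reports any that do not point at a .scr under the system directory, which is the condition that makes such an entry worth removing. On Windows it reads the live registry through winreg; the reader interface and the constructed values are assumptions made so the logic runs anywhere, and the rule that a bare name such as logon.scr is the stock default is likewise an assumption.

```python
"""Check the screensaver registry values that the AVZ script above deletes.

Added example for this thread; it is not part of AVZ, AVPTool or the post.
On Windows the values are read through winreg; anywhere else (and in tests)
a caller-supplied reader stands in, so the classification can be exercised
against constructed values.
"""
from typing import Callable, List, Optional, Tuple

try:
    import winreg  # Windows only
except ImportError:
    winreg = None

# The two keys named in the AVZ script, plus the interactive user's own key.
SCREENSAVER_KEYS = [
    ("HKEY_USERS", r".DEFAULT\Control Panel\Desktop"),
    ("HKEY_USERS", r"S-1-5-18\Control Panel\Desktop"),
    ("HKEY_CURRENT_USER", r"Control Panel\Desktop"),
]
VALUE_NAME = "SCRNSAVE.EXE"

Reader = Callable[[str, str, str], Optional[str]]


def winreg_reader(hive_name: str, subkey: str, value_name: str) -> Optional[str]:
    """Read a value from the live registry; None if the key or value is absent."""
    if winreg is None:
        raise RuntimeError("live registry access needs Windows; pass a reader")
    try:
        with winreg.OpenKey(getattr(winreg, hive_name), subkey) as key:
            data, _ = winreg.QueryValueEx(key, value_name)
            return str(data)
    except OSError:
        return None


def classify_screensaver(value: Optional[str], system_root: str = r"C:\WINDOWS") -> Optional[str]:
    """Return a reason if the SCRNSAVE.EXE value looks wrong, else None."""
    if value is None:
        return None                      # no screensaver configured
    lowered = value.strip().strip('"').lower()
    if not lowered.endswith(".scr"):
        return "screensaver value does not point at a .scr file"
    # Assumption: a bare name such as logon.scr is the stock default and is
    # resolved from the system directory, so only full paths are checked.
    if "\\" not in lowered:
        return None
    lowered = lowered.replace("%systemroot%", system_root.lower())
    system32 = system_root.lower().rstrip("\\") + "\\system32\\"
    if not lowered.startswith(system32):
        return "screensaver .scr lives outside the system directory"
    return None


def audit_screensaver_values(reader: Optional[Reader] = None,
                             system_root: str = r"C:\WINDOWS") -> List[Tuple[str, Optional[str], str]]:
    """Return (key, value, reason) for every screensaver value that fails the check."""
    reader = reader or winreg_reader
    findings = []
    for hive, subkey in SCREENSAVER_KEYS:
        value = reader(hive, subkey, VALUE_NAME)
        reason = classify_screensaver(value, system_root)
        if reason:
            findings.append((hive + "\\" + subkey, value, reason))
    return findings


# Constructed values standing in for the registry; the S-1-5-18 entry is
# deliberately wrong so the check has something to report.
CONSTRUCTED_VALUES = {
    r"HKEY_USERS\.DEFAULT\Control Panel\Desktop": "logon.scr",
    r"HKEY_USERS\S-1-5-18\Control Panel\Desktop":
        r"C:\Documents and Settings\Administrator\Local Settings\Temp\scrsave.exe",
    r"HKEY_CURRENT_USER\Control Panel\Desktop": r"C:\WINDOWS\system32\ssmyst.scr",
}


def constructed_reader(hive: str, subkey: str, value_name: str) -> Optional[str]:
    return CONSTRUCTED_VALUES.get(hive + "\\" + subkey)


if __name__ == "__main__":
    reader = None if winreg is not None else constructed_reader
    for key, value, reason in audit_screensaver_values(reader):
        print(f"{key} = {value!r}: {reason}")
```

Run on Windows with no arguments it audits the real keys; elsewhere it falls back to the constructed values and reports only the S-1-5-18 entry, whose value is an .exe in a Temp directory rather than a screensaver.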