Someone please help a noob

I got a rootkit problem (win32 bubak [rtk]). I've used my Avast to scan and remove but it keeps coming back, so I downloaded MBAM, followed the instructions and completed the scan and removal/disinfect, then it came back again. I'll attach the latest of my 3 scans today. I think I've resolved all the issues that it was causing, but I keep getting a pop-up telling me I've got a rootkit, and programs that previously worked now no longer work with this version of Windows :-/. Latest log, and many thanks :-

Database version: 4735

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18943

03/10/2010 10:00:15
mbam-log-2010-10-03 (10-00-15).txt

Scan type: Quick scan
Objects scanned: 144593
Time elapsed: 6 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\system32\Drivers\smezr.sys (Rootkit.Agent) → Quarantined and deleted successfully.

As I said, I've done this 3 times now and it's still there.

Also try this: http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html

Hi, this appears to be from the TDSS family.

Please read carefully and follow these steps.

[*]Download TDSSKiller and save it to your Desktop.
[*]Extract its contents to your desktop.
[*]Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMain.png

[*]If an infected file is detected, the default action will be Cure, click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMal-1.png

[*]If a suspicious file is detected, the default action will be Skip, click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious.png

[*]It may ask you to reboot the computer to complete the process. Click on Reboot Now.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerCompleted.png

[*]If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
[*]If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste the contents of that file here.

THEN

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

[*]Double click on ComboFix.exe & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Sorry about the delay, the missus is in hospital :(. I've followed your instructions and after the scan it said no infection, but the warning box keeps returning. The problem file is called smezr.sys and possibly sptd.sys in the system32\drivers folder. I have a report but it's rather large; should I post it on here? I've downloaded the other program but haven't used it yet. Many thanks for your help :-*

No, in that case go direct to ComboFix please.

I'm not sure what just happened, but I got a warning about other websites, some loud beeps and then a blue box and an error message, then the computer restarted and ComboFix started and another error message (kernel debugger maybe). Sorry for being dense, and again many thanks for your efforts.

Is ComboFix running now? The website warning was just to ensure you had a genuine copy.

If ComboFix is still not running properly then we will start manually.

Download OTL to your Desktop

[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
[*]Click on Minimal Output at the top
[*]Select All Users
[*]Download the following file scan.txt to your Desktop. Click here to download it. You may need to right click on it and select “Save”
[*]Double click inside the Custom Scan box at the bottom
[*]A window will appear saying “Click Ok to load a custom scan from a file or Cancel to cancel”
[*]Click the Ok button and navigate to the file scan.txt which we just saved to your desktop
[*]Select scan.txt and click Open. Writing will now appear under the Custom Scan box
[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Please attach these files, one at a time and post them in your topic

Here are your reports

:wink:

:slight_smile:

OK, I see the few meanies that are playing around.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
O4 - Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pouvk.exe ()
O4 - Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pyqu.exe ()
O4 - Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pouvk.exe ()
O4 - Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pyqu.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-21-894682100-2769844139-1942833101-1000\Software\Policies\Microsoft\Internet Explorer\control panel present
O20 - HKU\.DEFAULT Winlogon: Shell - (C:\Windows\system32\config\systemprofile\AppData\Roaming\hotfix.exe) - C:\Windows\System32\config\systemprofile\AppData\Roaming\hotfix.exe File not found
O20 - HKU\S-1-5-18 Winlogon: Shell - (C:\Windows\system32\config\systemprofile\AppData\Roaming\hotfix.exe) - C:\Windows\System32\config\systemprofile\AppData\Roaming\hotfix.exe File not found
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
[2010/10/07 16:28:16 | 000,843,264 | ---- | M] () -- C:\Windows\System32\drivers\smezr.sys
[2010/10/02 01:54:36 | 000,000,112 | ---- | M] () -- C:\ProgramData\2o0CsGOK.dat

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
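A defender-side follow-up to the OTL fix above, added here as an example that is not from this thread, from OTL or from any of the tools named in it: a PowerShell audit of the same persistence points the fix touched (Winlogon Shell in every hive, ShellExecuteHooks, per-profile Startup folders, and driver signatures), so a reappearing entry shows up without a full rescan. It assumes PowerShell 2.0 or later run from an elevated prompt.

```powershell
# Added defender-side audit, not a tool from this thread. Re-checks the persistence
# points that the OTL fix above removed entries from, so a reappearing item is visible
# without a full rescan. Assumes PowerShell 2.0 or later from an elevated prompt.
$findings = @()

# 1. Winlogon Shell in HKLM and every loaded user hive (the fix removed hotfix.exe
#    from HKU\.DEFAULT and HKU\S-1-5-18). Anything other than explorer.exe is suspect.
$winlogon = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$hives = @('Registry::HKEY_LOCAL_MACHINE') + @(Get-ChildItem Registry::HKEY_USERS | ForEach-Object { $_.PSPath })
foreach ($hive in $hives) {
    $shell = (Get-ItemProperty -Path "$hive\$winlogon" -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell -ne 'explorer.exe') {
        $findings += New-Object PSObject -Property @{ Location = ($hive -replace '^.*::', '') + '\...\Winlogon\Shell'; Value = $shell }
    }
}

# 2. ShellExecuteHooks: every CLSID listed must resolve to an existing in-process DLL
#    (the fix deleted a hook whose CLSID key was missing: "Reg Error: Key error").
$hooks = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
if (Test-Path $hooks) {
    foreach ($clsid in (Get-Item $hooks).Property) {
        $srv = Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InProcServer32" -ErrorAction SilentlyContinue
        $dll = ''
        if ($srv -and $srv.'(default)') { $dll = [Environment]::ExpandEnvironmentVariables($srv.'(default)') }
        if (-not $dll -or -not (Test-Path -LiteralPath $dll)) {
            $findings += New-Object PSObject -Property @{ Location = "ShellExecuteHooks\$clsid"; Value = "unresolved DLL: $dll" }
        }
    }
}

# 3. Startup folders of every profile, hidden ones included: pouvk.exe and pyqu.exe
#    sat in the Default profile, which no user logs into, so they are easy to miss.
foreach ($profile in Get-ChildItem "$env:SystemDrive\Users" -Force | Where-Object { $_.PSIsContainer }) {
    $startup = Join-Path $profile.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
    Get-ChildItem $startup -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Name -ne 'desktop.ini' } |
        ForEach-Object { $findings += New-Object PSObject -Property @{ Location = "Startup ($($profile.Name))"; Value = $_.FullName } }
}

# 4. Drivers without a valid Authenticode signature (smezr.sys kept reappearing here).
#    Caveat: drivers signed only through a catalog can report NotSigned on older
#    Windows, so treat this list as a starting point for review, not as proof.
Get-ChildItem "$env:SystemRoot\System32\drivers" -Filter *.sys | ForEach-Object {
    $sig = Get-AuthenticodeSignature $_.FullName
    if ($sig.Status -ne 'Valid') {
        $findings += New-Object PSObject -Property @{ Location = 'System32\drivers'; Value = "$($_.Name) [$($sig.Status)]" }
    }
}
$findings | Format-Table Location, Value -AutoSize
```

An empty table after the fix and reboot means none of the removed entries have returned; a driver listed in section 4 should be checked by hash against a known-good copy rather than deleted on sight.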

I'm really sorry, I couldn't find the report, I hope posting it is OK. I got a virus warning straight away, then it ran OK. Here's your report :-

All processes killed
========== OTL ==========
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pouvk.exe moved successfully.
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pyqu.exe moved successfully.
File C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pouvk.exe not found.
File C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pyqu.exe not found.
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\control panel\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\restrictions\ deleted successfully.
Registry key HKEY_USERS.DEFAULT\Software\Policies\Microsoft\Internet Explorer\control panel\ not found.
Registry key HKEY_USERS\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\control panel\ not found.
Registry key HKEY_USERS\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\control panel\ not found.
Registry key HKEY_USERS\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\control panel\ not found.
Registry key HKEY_USERS\S-1-5-21-894682100-2769844139-1942833101-1000\Software\Policies\Microsoft\Internet Explorer\control panel\ deleted successfully.
Registry value HKEY_USERS.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell:C:\Windows\system32\config\systemprofile\AppData\Roaming\hotfix.exe deleted successfully.
Registry value HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell:C:\Windows\system32\config\systemprofile\AppData\Roaming\hotfix.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{AEB6717E-7E19-11d0-97EE-00C04FD91972} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found.
File C:\Windows\System32\drivers\smezr.sys not found.
C:\ProgramData\2o0CsGOK.dat moved successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Could not flush the DNS Resolver Cache: Function failed during execution.
C:\Users\Daddy\Desktop\New Folder (2)\cmd.bat deleted successfully.
C:\Users\Daddy\Desktop\New Folder (2)\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Daddy
->Temp folder emptied: 32398175 bytes
->Temporary Internet Files folder emptied: 8818465 bytes
->Java cache emptied: 53068101 bytes
->FireFox cache emptied: 60714703 bytes
->Flash cache emptied: 271195 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 757760 bytes
%systemroot%\System32 .tmp files removed: 1619120 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 8279231 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 13440554 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 741 bytes
RecycleBin emptied: 819818867 bytes

Total Files Cleaned = 953.00 mb

[EMPTYFLASH]

User: All Users

User: Daddy
->Flash cache emptied: 0 bytes

User: Default

User: Default User

User: Public

Total Flash Files Cleaned = 0.00 mb

Restore point Set: OTL Restore Point

OTL by OldTimer - Version 3.2.14.1 log created on 10082010_110128

Files\Folders moved on Reboot…
File\Folder C:\Users\Daddy\AppData\Local\Temp~DFF451.tmp not found!
File\Folder C:\Users\Daddy\AppData\Local\Temp~DFF46B.tmp not found!
File\Folder C:\Users\Daddy\AppData\Local\Temp~DFF4D2.tmp not found!
File\Folder C:\Users\Daddy\AppData\Local\Temp~DFF4DF.tmp not found!
File\Folder C:\Users\Daddy\AppData\Local\Temp~DFF528.tmp not found!
File\Folder C:\Users\Daddy\AppData\Local\Temp~DFF534.tmp not found!
C:\Users\Daddy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\68PC6W7W\index[1].htm moved successfully.
File\Folder C:\Windows\temp_avast4_\unp104529900.tmp not found!
File\Folder C:\Windows\temp_avast4_\unp131018488.tmp not found!
File\Folder C:\Windows\temp_avast4_\unp226551445.tmp not found!
File\Folder C:\Windows\temp_avast4_\unp24613228.tmp not found!
File\Folder C:\Windows\temp_avast4_\unp97027036.tmp not found!
File move failed. C:\Windows\temp_avast4_\Webshlock.txt scheduled to be moved on reboot.
File move failed. C:\Windows\temp\CLDigitalHome\CLMS_AGENT_LOG1.txt scheduled to be moved on reboot.
File move failed. C:\Windows\temp\CLDigitalHome\PCMMediaServer.log scheduled to be moved on reboot.

Registry entries deleted on Reboot…

And the rootkit warning came up again :frowning:

Did you try Sophos Anti-Rootkit?

Just completed the second scan with Sophos Anti-Rootkit and the grey rootkit box is still coming up :-\

OK, let's go hunting for the rootkit.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

[*]Double click on ComboFix.exe & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

My ComboFix is the one you told me to download last week. When I start it, it downloads a newer version for me then runs that one. ComboFix will run until 5-7 secs after the blue admin box appears, then the message “The name cfscript appears to be spelt incorrectly” comes up and ComboFix stops working. Thanks again guys. PS I've tried Sophos as suggested, it goes through fine and clears it all, then the bloody grey box of rootkit doom comes back ???

And the blue screen of doom is happening now as well (memory dump).

Right, I've completed the scan and the report is attached. Many thanks.

OK, it is not a rootkit - it is a corrupted rundll32 file.

  1. Please open Notepad
    [*]Click Start, then Run
    [*]Type notepad .exe in the Run Box.

  2. Now copy/paste the entire content of the codebox below into the Notepad window:


Renv::
c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader .exe
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Common Files\Real\Update_OB\realsched .exe
c:\program files\Microsoft Office\Office12\GrooveMonitor .exe
c:\program files\PowerISO\PWRISOVM .exe
c:\windows\System32\rundll32 .exe

  3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

  4. Save the above as CFScript.txt

  5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

  6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    [*]Combofix.txt
    [*]A new OTListit log.