Win 32: Rootkit-gen [Rtk] detection - help needed

Hello - So Avast detected a couple of instances of the above virus and they have been moved to the virus chest. My wife’s hotmail account was hacked and so wanted to check if there was an undetected virus on the PC. Funnily, these instances were detected by Avast when I was running a MBAM scan. Also, I have the Zone Alarm free Firewall which for some reason completely stopped working when I tried to update it now.

I have included the logs for MBAM and HijackThis. Any help would be appreciated.

Hi :wink:

Download DDS and save it to your Desktop from here:
http://download.bleepingcomputer.com/sUBs/dds.scr

Double click dds.scr to run the tool.

* When done, DDS will open two (2) logs:
     1. DDS.txt
     2. Attach.txt

Save both reports to your desktop. Attach DDS.txt back to topic.

Thank you for your quick reply.

I got some weird error message from Windows Script Host and although I had saved both the files on my desktop, I can’t see them any more.

Also, Avast had recommended opening dds.scr using the “sandbox”. Does this make a difference?

Should I try this again?

Delete the current copy of the DDS program and download a fresh copy to your Desktop…
Disable any script blocker, and then double click the dds file to run the tool.

If avast pops up a warning to open the file in the sandbox, just select “Open normally”.

http://images.brighthub.com/a0/5/a05cdfbdd36f3c18f20d2443ce8135c4a36ad576_large.jpg

======================

edit: Or, before you run DDS, disable the sandbox:

* Double-click on the avast Antivirus icon (http://amf.mycity.rs/pg/images/avast5.png) to run it.
* On the left side under Additional Protection click AutoSandbox and then click on the Settings button on the right side.
* In the new window that opens, on the left side click AutoSandbox, and uncheck the option (http://amf.mycity.rs/pg/images/checkmark.png) Enable AutoSandbox and click the OK button.

Ok. Opening it normally worked. I have attached the DDS.txt file.

First create new system restore point.
Go to Start / All Programs / Accessories / System Tools / System Restore.
Click Create a restore point, and then click Next.

In the text box labeled Restore Point Description, type a name for this restore point.

how to…
http://bertk.mvps.org/html/createrp.html

======================

Download The Avenger from here.
http://swandog46.geekstogo.com/avenger2/download.php
Extract The Avenger archive (zip/rar) on the Desktop.
Double click on avenger.exe to run it. On the pop-up click Ok.
Copy the text inside the codebox below to the clipboard by highlighting it and then pressing Ctrl+C. (DO NOT include Code: )

Registry values to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar | {CCC7A320-B3CA-4199-B1A6-9F516DD69829}

Files to delete:
c:\windows\system32\drivers\ujleik.sys

Drivers to delete:
npimz

In the Avenger window, click the Paste Script from Clipboard button (http://img220.imageshack.us/img220/8923/pastets4.png).

Click the Execute button.

You will be asked Are you sure you want to execute the current script?.
Click Yes.
You will now be asked First step completed — The Avenger has been successfully set up to run on next boot. Reboot now?.
Click Yes.
Your PC will now be rebooted.

Please post this log in your next reply. (typically C:\avenger.txt).

==================================================

Re-run the DDS program and attach a fresh DDS.txt log here.

===================================================

Download aswMBR to your desktop.

* Double click the aswMBR icon to run it.
* Vista and Windows 7 users: right click the icon and choose “Run as administrator”.
* Click the Scan button to start the scan.
* When it finishes, press the Save log button, save the logfile to your desktop and post its contents in your next reply.

Hi,

Here it is :
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP


Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger


Beginning to process script file:

Rootkit scan active.
No rootkits found!

Error: file “c:\windows\system32\drivers\ujleik.sys” not found!
Deletion of file “c:\windows\system32\drivers\ujleik.sys” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
→ the object does not exist

Driver “npimz” deleted successfully.
Registry value “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{CCC7A320-B3CA-4199-B1A6-9F516DD69829}” deleted successfully.

Completed script processing.


Finished! Terminate.

I have attached the DDS file.

Here is the aswMBR log
aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-15 19:23:18

19:23:18.203 OS Version: Windows 5.1.2600 Service Pack 3
19:23:18.203 Number of processors: 1 586 0x4C02
19:23:18.203 ComputerName: CHIKKI UserName: Admin
19:23:18.875 Initialize success
19:23:23.093 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\0000007e
19:23:23.093 Disk 0 Vendor: HTS541040G9SA00 MB2OC60P Size: 38166MB BusType: 3
19:23:23.125 Disk 0 MBR read successfully
19:23:23.140 Disk 0 MBR scan
19:23:23.140 Disk 0 unknown MBR code
19:23:23.156 Disk 0 scanning sectors +78156225
19:23:23.187 Disk 0 scanning C:\WINDOWS\system32\drivers
19:23:31.171 Service scanning
19:23:32.437 Disk 0 trace - called modules:
19:23:32.468 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvata.sys
19:23:32.468 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x8a8dfab8]
19:23:32.484 3 CLASSPNP.SYS[f74f7fd7] → nt!IofCallDriver → \Device\0000007f[0x8a931638]
19:23:32.500 5 ACPI.sys[f735e620] → nt!IofCallDriver → \Device\0000007e[0x8a856030]
19:23:32.515 Scan finished successfully
19:23:55.265 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\Admin\Desktop\MBR.dat”
19:23:55.718 The log file has been saved successfully to “C:\Documents and Settings\Admin\Desktop\aswMBR.txt”

Create batch file
Open Notepad and copy/paste the entire contents of the codebox below into Notepad:

@echo off
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar" /v {CCC7A320-B3CA-4199-B1A6-9F516DD69829} /F

Save this as fix.bat. Choose Save as type: All Files,
and where to save: Desktop, then close the Notepad file.

It should look like this (XP):

http://i526.photobucket.com/albums/cc345/MPKwings/batfileicon.gif

Double-click on fix.bat to run it.

=============================

Reboot computer. There is no active malware on your system.
How is your computer running now?
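Since the Avenger log above reported the driver file as already missing while the service and the toolbar value were deleted, a quick after-the-fact check is useful before concluding the system is clean. The script below is an added example, not part of this thread or of the Avenger/fix.bat instructions: it tests for the three artifacts named in the thread (the ujleik.sys driver file, the npimz driver service and the IE toolbar value) and, if the toolbar value is still present, exports the key to a .reg backup on the Desktop before removing it. It assumes Windows PowerShell 2.0 or later running in an administrator session; the backup file name is an assumption chosen here.

```powershell
# Added verification script (not part of the original thread).
# Checks whether the artifacts targeted by the Avenger script and fix.bat still
# exist, and backs up the IE Toolbar key before removing the leftover value.
# Assumes PowerShell 2.0+ and an elevated (administrator) session.

# Artifact names exactly as given in the thread's Avenger script and fix.bat
$driverFile   = 'C:\WINDOWS\system32\drivers\ujleik.sys'
$driverName   = 'npimz'
$toolbarKey   = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar'
$toolbarValue = '{CCC7A320-B3CA-4199-B1A6-9F516DD69829}'

function Test-Artifacts {
    $findings = @()

    # 1. Driver file on disk (Avenger reported STATUS_OBJECT_NAME_NOT_FOUND for it)
    if (Test-Path -LiteralPath $driverFile) {
        $findings += "driver file still present: $driverFile"
    }

    # 2. Driver service: the live driver list and its Services registry key
    $svc = Get-WmiObject -Class Win32_SystemDriver -Filter "Name='$driverName'"
    if ($svc) {
        $findings += "driver service still registered: $driverName ($($svc.State))"
    }
    if (Test-Path -LiteralPath "HKLM:\SYSTEM\CurrentControlSet\Services\$driverName") {
        $findings += "service key still present: HKLM\SYSTEM\CurrentControlSet\Services\$driverName"
    }

    # 3. IE toolbar value (the one fix.bat removes with REG DELETE).
    #    GetValue() returns $null when the value name does not exist.
    if (Test-Path -LiteralPath $toolbarKey) {
        $val = (Get-Item -LiteralPath $toolbarKey).GetValue($toolbarValue)
        if ($val -ne $null) {
            $findings += "toolbar value still present: $toolbarValue = $val"
        }
    }
    return $findings
}

function Remove-ToolbarValue {
    # Export the whole key first so the change can be reverted with 'reg import'.
    # Backup file name is an assumption chosen for this example.
    $backup = Join-Path $env:USERPROFILE 'Desktop\IE-Toolbar-backup.reg'
    if (Test-Path -LiteralPath $backup) { Remove-Item -LiteralPath $backup }
    & reg.exe export 'HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar' $backup | Out-Null
    Remove-ItemProperty -LiteralPath $toolbarKey -Name $toolbarValue -ErrorAction SilentlyContinue
    return $backup
}

$before = Test-Artifacts
if ($before.Count -eq 0) {
    Write-Host 'No leftover artifacts found.'
} else {
    $before | ForEach-Object { Write-Host "FOUND: $_" }
    if ($before | Where-Object { $_ -like 'toolbar value*' }) {
        $backupPath = Remove-ToolbarValue
        Write-Host "Toolbar value removed; registry backup written to $backupPath"
    }
}
```

Run it once after the reboot that follows fix.bat: an empty result confirms all three artifacts are gone, while a surviving driver service or Services key means the removal did not take and a fresh DDS/aswMBR log is worth posting.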

It seems to be working fine now. Couple of questions though: 1) Should I reinstall Zone Alarm since it doesn’t seem to be opening?
2) Should I delete the 2 files in the Avast Virus chest

Hi Magna,

Please let me know when you get a chance. Also, I keep getting the ‘Windows Explorer crashed’ message.

1) Should I reinstall Zone Alarm since it doesn't seem to be opening? 2) Should I delete the 2 files in the Avast Virus chest
  1. I have no idea why Zone Alarm is not working. Reinstalling it does not hurt anything.
  2. If you wish :slight_smile:

let’s do an extra check ;D

Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.

Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this Instruction.

Run ComboFix.
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.

When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt )
Attach log reports ( ComboFix.txt) back to topic.

For Zone Alarm I am getting this error message now:
Could not load the DLL library C:\windows\system32\zlcomm.dl

I have attached the log for ComboFix.

Log looks good.
If you wish you may run Malwarebytes program…
http://www.malwarebytes.org/
Download >> Install >> Update >> Quick Scan >> Ok; Remove Selected

For the Zone Alarm error, just reinstall the program or try Repair from Control Panel…

If you still have error messages, try this:

1. Create a new system restore point.
2. Click Start > Run and type

sfc /scannow

and then click OK.
Note the space between the c and the /
You may need your Windows XP CD, so have it ready.
If you have Service Pack 2 (SP2) or SP3 installed, you will need the SP2 or SP3 version of the CD. This can be done with a borrowed CD, if you don’t have one.

3. Allow the scan to run and, when completed, reboot the system.
Information about SFC
SFC gives an administrator the ability to scan all protected files to verify their versions and it will attempt to replace missing or corrupted system files by proper versions if it can locate a valid copy on your hard disk. If it cannot find a copy on your hard disk it will ask you to insert your Windows XP CD. You must have a valid copy of your Windows service pack (SP) revision level for this to work properly. More details on System File Checker can be found in the below link:
    http://support.microsoft.com/kb/310747
The /scannow option scans all protected system files immediately and replaces incorrect versions with correct Microsoft versions. This command may require access to the Windows installation source files.

will do…

thanks a lot for all your help Magna…much appreciated… :slight_smile: