[Closed] Rootkit found

Discussion in 'Virus and Malware Removal' started by Padredw, Nov 16, 2012.

  1. Jay Pfoutz Malware Helper Posts: 4,286   +49

    • Please download Unhide by Grinler from here and save it to your desktop.
    • Double click unhide.exe to run the tool.
    • It will take some time to go through all your files, so please be patient.
    • Post logs, if any.


    RogueKiller Scan

    If you have any old version, delete that and do a new one please:

    • Download RogueKiller and save it on your desktop.
    • Quit all programs
    • Start RogueKiller.exe.
    • Wait until Prescan has finished ...
    • Click on Scan
    • Wait for the end of the scan.
    • The report has been created on the desktop.
    • Click on the Delete button.
    • The report has been created on the desktop.
    • Next click on the ShortcutsFix

    • The report has been created on the desktop.
    Please post:

    All RKreport.txt text files located on your desktop.
  2. Padredw Newcomer, in training Posts: 57

    Here is the log from UNHIDE:

    Unhide by Lawrence Abrams (Grinler)
    http://www.bleepingcomputer.com/
    Copyright 2008-2012 BleepingComputer.com
    More Information about Unhide.exe can be found at this link:
    http://www.bleepingcomputer.com/forums/topic405109.html

    Program started at: 11/29/2012 10:41:57 AM
    Windows Version: Windows 7

    Please be patient while your files are made visible again.

    Processing the C:\ drive
    Finished processing the C:\ drive. 157763 files processed.

    Processing the D:\ drive
    Finished processing the D:\ drive. 9275 files processed.

    Processing the Q:\ drive
    Finished processing the Q:\ drive. 0 files processed.

    The C:\Users\Padredw\AppData\Local\Temp\smtmp\ folder does not exist!!
    Unhide cannot restore your missing shortcuts!!
    Please see this topic in order to learn how to restore default
    Start Menu shortcuts: http://www.bleepingcomputer.com/forums/topic405109.html

    Searching for Windows Registry changes made by FakeHDD rogues.
    - Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    - Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    - Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
    - Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
    - Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    No registry changes detected.

    Program finished at: 11/29/2012 10:44:48 AM
    Execution time: 0 hours(s), 2 minute(s), and 51 seconds(s)
  3. Padredw Newcomer, in training Posts: 57

    REPORT from RogueKiller:

    RogueKiller V8.3.1 [Nov 26 2012] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website : http://tigzy.geekstogo.com/roguekiller.php
    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : Padredw [Admin rights]
    Mode : Shortcuts HJfix -- Date : 11/29/2012 11:06:11

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Driver : [NOT LOADED] ¤¤¤

    ¤¤¤ File attributes restored: ¤¤¤
    Desktop: Success 0 / Fail 0
    Quick launch: Success 0 / Fail 0
    Programs: Success 2 / Fail 0
    Start menu: Success 0 / Fail 0
    User folder: Success 91 / Fail 0
    My documents: Success 0 / Fail 0
    My favorites: Success 0 / Fail 0
    My pictures: Success 0 / Fail 0
    My music: Success 0 / Fail 0
    My videos: Success 0 / Fail 0
    Local drives: Success 25 / Fail 0
    Backup: [NOT FOUND]

    Drives:
    [C:] \Device\HarddiskVolume1 -- 0x3 --> Restored
    [D:] \Device\HarddiskVolume3 -- 0x3 --> Restored
    [Q:] \Device\SftVol -- 0x3 --> Restored

    Finished : << RKreport[3]_SC_11292012_02d1106.txt >>
    RKreport[1]_S_11292012_02d1104.txt ; RKreport[2]_D_11292012_02d1105.txt ; RKreport[3]_SC_11292012_02d1106.txt
  4. Padredw Newcomer, in training Posts: 57

    ABOVE was Report # 3. Below is Report # 1

    RogueKiller V8.3.1 [Nov 26 2012] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website : http://tigzy.geekstogo.com/roguekiller.php
    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : Padredw [Admin rights]
    Mode : Scan -- Date : 11/29/2012 11:04:05

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 4 ¤¤¤
    [HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
    [HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [NOT LOADED] ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\Windows\system32\drivers\etc\hosts

    127.0.0.1 localhost


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: SanDisk SSD U100 128GB +++++
    --- User ---
    [MBR] ad783b9bf09aa0a92dc771bf1c09fde3
    [BSP] 1419c486b7ec0f63d56f86313fa755fc : Windows 7/8 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 113910 Mo
    1 - [XXXXXX] FAT32-LBA (0x1c) [HIDDEN!] Offset (sectors): 233289728 | Size: 8192 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive1: WD 1600BMV External USB Device +++++
    --- User ---
    [MBR] f3a6ba5017b7aa3832cee05e72b93b55
    [BSP] d0ec2211ba2260ee6d54a28c5292c11f : Windows XP MBR Code
    Partition table:
    0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 63 | Size: 152625 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!

    Finished : << RKreport[1]_S_11292012_02d1104.txt >>
    RKreport[1]_S_11292012_02d1104.txt
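    The "MBR Check" in the report above lists each partition entry by slot, type id, visibility and LBA offset/size. The block below is an added example, not RogueKiller's code or anything posted in this thread: it parses a raw 512-byte MBR sector and renders each entry in the report's layout, using a constructed sector that mirrors PhysicalDrive0. Note that 0x1c is the DOS "hidden" variant of 0x0c (FAT32-LBA with the 0x10 bit set), so the [HIDDEN!] flag describes a partition-type attribute; on its own it is not evidence of a bootkit, which is why the tool also hashes the boot code for comparison against known-good values.

```python
import struct

SECTOR = 512          # bytes per sector; the report's "Mo" is mebibytes
HIDDEN_BIT = 0x10     # DOS hidden variants: base type | 0x10 (0x0c FAT32-LBA -> 0x1c)

# Type ids seen in the report plus a few common ones (constructed lookup, not exhaustive).
PART_TYPES = {0x07: "NTFS", 0x0b: "FAT32", 0x0c: "FAT32-LBA", 0x0e: "FAT16-LBA",
              0x0f: "Extended-LBA", 0x83: "Linux"}

def is_hidden(ptype):
    """0x11-0x1f are the DOS hidden variants of types 0x01-0x0f."""
    return 0x11 <= ptype <= 0x1f

def type_name(ptype):
    base = ptype & ~HIDDEN_BIT if is_hidden(ptype) else ptype
    return PART_TYPES.get(base, "Unknown")

def parse_mbr(sector):
    """Return the non-empty entries of the 4-slot partition table at offset 446."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: bad length or missing 0x55AA signature")
    entries = []
    for i in range(4):
        # entry layout: boot flag, 3 CHS bytes, type, 3 CHS bytes, LBA start, sector count
        boot, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        if ptype == 0:
            continue  # empty slot
        entries.append({"index": i, "active": boot == 0x80, "type": ptype,
                        "name": type_name(ptype), "hidden": is_hidden(ptype),
                        "offset_sectors": lba_start,
                        "size_mo": count * SECTOR // (1024 * 1024)})
    return entries

def format_entry(e):
    """Render an entry in the same layout as the RogueKiller 'Partition table' lines."""
    flag = "[ACTIVE]" if e["active"] else "[XXXXXX]"
    vis = "[HIDDEN!]" if e["hidden"] else "[VISIBLE]"
    return (f"{e['index']} - {flag} {e['name']} (0x{e['type']:02x}) {vis} "
            f"Offset (sectors): {e['offset_sectors']} | Size: {e['size_mo']} Mo")

def make_entry(boot, ptype, lba_start, count):
    """Pack one 16-byte entry with zeroed CHS fields (the LBA values are authoritative)."""
    return struct.pack("<B3xB3xII", boot, ptype, lba_start, count)

# Constructed sector mirroring PhysicalDrive0 in the report: zeroed boot code, two entries.
SAMPLE_MBR = (bytes(446)
              + make_entry(0x80, 0x07, 2048, 113910 * 2048)
              + make_entry(0x00, 0x1c, 233289728, 8192 * 2048)
              + bytes(32) + b"\x55\xaa")

if __name__ == "__main__":
    for entry in parse_mbr(SAMPLE_MBR):
        print(format_entry(entry))
```

    On a live system the same parser can be pointed at the first 512 bytes read from the physical drive; the second entry's offset equals the first entry's offset plus its sector count, which is the consistency check to apply when the partition table looks suspicious.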
  5. Padredw Newcomer, in training Posts: 57

    Report # 2

    RogueKiller V8.3.1 [Nov 26 2012] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website : http://tigzy.geekstogo.com/roguekiller.php
    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : Padredw [Admin rights]
    Mode : Remove -- Date : 11/29/2012 11:05:23

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 3 ¤¤¤
    [HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [NOT LOADED] ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\Windows\system32\drivers\etc\hosts

    127.0.0.1 localhost


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: SanDisk SSD U100 128GB +++++
    --- User ---
    [MBR] ad783b9bf09aa0a92dc771bf1c09fde3
    [BSP] 1419c486b7ec0f63d56f86313fa755fc : Windows 7/8 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 113910 Mo
    1 - [XXXXXX] FAT32-LBA (0x1c) [HIDDEN!] Offset (sectors): 233289728 | Size: 8192 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive1: WD 1600BMV External USB Device +++++
    --- User ---
    [MBR] f3a6ba5017b7aa3832cee05e72b93b55
    [BSP] d0ec2211ba2260ee6d54a28c5292c11f : Windows XP MBR Code
    Partition table:
    0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 63 | Size: 152625 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!

    Finished : << RKreport[2]_D_11292012_02d1105.txt >>
    RKreport[1]_S_11292012_02d1104.txt ; RKreport[2]_D_11292012_02d1105.txt
  6. Padredw Newcomer, in training Posts: 57

    BTW. The link to RogueKiller download seemed to work fine on my desktop, but on this (UltraBook) it brought up all sorts of optional downloads--too many to try to record, and NEVER did get the roguekiller.exe. Fortunately, I found the download site directly. Just an interesting fact about the different responses to the link in your last post.
  7. Jay Pfoutz Malware Helper Posts: 4,286   +49

    I know, all those download ads are terrible.

    Please run Panda ActiveScan online scan.
    • Choose Quick Scan then click the big green Scan now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • Once the scan is completed, please hit the notepad icon next to the text Export to:
    • Save it to a convenient location such as your Desktop
    • Post the contents of the ActiveScan.txt in your next reply
  8. Padredw Newcomer, in training Posts: 57

    SEE POST BELOW RE: INTERNET EXPLORER

    OK. The website would not scan directly. Here is the message:

    [IMG]
  9. Padredw Newcomer, in training Posts: 57

    SO . . . I went ahead and downloaded as it offered, with the following result:

    [IMG]
  10. Padredw Newcomer, in training Posts: 57

    It offered no txt file report. I tried a second time with the exact same response. That is where we are . . .
  11. Padredw Newcomer, in training Posts: 57

    OK, decided to use Internet Explorer. Here is the report:

    ;***********************************************************************************************************************************************************************************
    ANALYSIS: 2012-11-30 14:41:58
    PROTECTIONS: 1
    MALWARE: 6
    SUSPECTS: 0
    ;***********************************************************************************************************************************************************************************
    PROTECTIONS
    Description Version Active Updated
    ;===================================================================================================================================================================================
    avast! Antivirus Yes Yes
    ;===================================================================================================================================================================================
    MALWARE
    Id Description Type Active Severity Disinfectable Disinfected Location
    ;===================================================================================================================================================================================
    00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No c:\users\padredw\appdata\roaming\microsoft\windows\cookies\low\l5tpmqvz.txt
    00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\users\padredw\appdata\roaming\microsoft\windows\cookies\low\9f3xwo9s.txt
    00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\users\padredw\appdata\roaming\microsoft\windows\cookies\ypcj9xl7.txt
    00168056 Cookie/YieldManager TrackingCookie No 0 Yes No c:\users\padredw\appdata\roaming\microsoft\windows\cookies\low\m1s6espd.txt
    00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No c:\users\padredw\appdata\roaming\microsoft\windows\cookies\17yp3bae.txt
    00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No c:\users\padredw\appdata\roaming\microsoft\windows\cookies\xwp654uo.txt
    00170559 Cookie/Com.com TrackingCookie No 0 Yes No c:\users\padredw\appdata\roaming\microsoft\windows\cookies\yd8t2nep.txt
    ;===================================================================================================================================================================================
    SUSPECTS
    Sent Location
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================
    VULNERABILITIES
    Id Severity Description
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================
  12. Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hi there. It all appears to be good, so we will finish up to make sure your computer is protected from malware in the future.

    Clean up System Restore

    Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

    To manually create a new Restore Point
    • Go to Control Panel and select System and Maintenance
    • Select System
    • On the left select Advanced System Settings and accept the warning if you get one
    • Select System Protection Tab
    • Select Create at the bottom
    • Type in a name, i.e. Clean
    • Select Create
    Now we can purge the infected ones
    • Go back to the System and Maintenance page
    • Select Performance Information and Tools
    • On the left select Open Disk Cleanup
    • Select Files from all users and accept the warning if you get one
    • In the drop-down box select your main drive, i.e. C
    • For a few moments the system will make some calculations:
    • Select the More Options tab
    • In the System Restore and Shadow Backups select Clean up
    • Select Delete on the pop up
    • Select OK
    • Select Delete
    Run OTC to remove our tools

    To remove all of the tools we used and the files and folders they created, please do the following:
    Please download OTC.exe by OldTimer:
    • Save it to your Desktop.
    • Double click OTC.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If any tool, file or folder (belonging to the programs we have used) hasn't been deleted, please delete it manually.

    Purge old temporary files

    NOTE: If you already have this installed, you don't have to reinstall it.

    Please download CCleaner Slim and save it to your Desktop - Alternate download link

    When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
    Follow the prompts to install the program.

    • Double-click the CCleaner shortcut on the desktop to start the program.
    • A prompt will ask you if you want CCleaner to do a check to see what cookies it needs to keep. Allow that operation.
    • On the Cleaner tab, click on Run Cleaner on the bottom-right to run the program.
    • Important: Make sure that ALL browser windows are closed before selecting Run Cleaner, or it will ask if you want the program to close them for you (when you do this, all unsaved data may be lost in the browser).

    Caution: Only use the Registry feature if you are very familiar with the registry.
    Always back up your registry before making any changes. Exit CCleaner after it has completed its process.

    Security Check

    Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
  13. Padredw Newcomer, in training Posts: 57

    Hello, my patient friend, we have both spent a fair amount of time and website space on this. It is no problem for me, I have enjoyed it, and it should be obvious I am not dependent upon the computer in question, as I use it primarily for traveling and I have no such plans for a while. So ... I have nothing but appreciation for all your efforts. It is simply out of honesty that I report to you that the original message which occasioned my entry upon this website has just appeared as it has, without one exception, upon every startup of this computer. Just to remind you, here is that message: (The text of my personal message to you will follow in a separate post.)

    [IMG]
  14. Padredw Newcomer, in training Posts: 57

    Now, for the good news: the computer seems to be operating just fine. I have never detected any malfunction based on that message, but it is still there, as it has been throughout our extended conversation.

    In fact, there is still that additional anomaly that appeared during our efforts: every time I shut down, I get the normal Windows message that 1 of 1 updates is being installed and that I should not turn off or unplug my computer. On an attempt at manual install, the one update fails.

    You have nothing but my good will and appreciation. None of this is intended as complaint, but I do not wish to set up restore point, etc. yet.

    Remember, have patience with an 80-year-old--who is doing his best.

    Thank you, friend.
  15. Jay Pfoutz Malware Helper Posts: 4,286   +49

    It is recommended to do a reformat and reinstall of your operating system. This is something I don't like to recommend normally, but in most cases it is the best solution for your safety.

    I recommend the following articles to read:
    Guide for format and reinstall:
    http://www.helpmyos.com/tutorials-s...-your-operating-system-the-easy-way-t1307.htm
  16. Padredw Newcomer, in training Posts: 57

    Thanks, but I don't think I will take that route just yet. So far I haven't seen any evidence of problems caused by that repeated message. Until I find out more about the specific threat, I'll just wait and see.