also @ TechSpot: Huawei Ascend P6 smartphone is the thinnest in the world at 6.18mm

[Closed] Rootkit found

Discussion in 'Virus and Malware Removal' started by Padredw, Nov 16, 2012.

Page 4 of 4

  1. Jay Pfoutz Malware Helper Posts: 4,286   +49

    • Please download Unhide by Grinler from here and save it to your desktop.
    • Double click unhide.exe to run the tool.
    • It will take some time to go through all your files, so please be patient.
    • Post logs, if any.


    RogueKiller Scan

    If you have any old version, delete that and do a new one please:

    • Download RogueKiller and save it on your desktop.
    • Quit all programs
    • Start RogueKiller.exe.
    • Wait until Prescan has finished ...
    • Click on Scan
    [IMG]

    • Wait for the end of the scan.
    • The report has been created on the desktop.
    • Click on the Delete button.
    [IMG]

    • The report has been created on the desktop.
    • Next click on the ShortcutsFix

      [IMG]
    • The report has been created on the desktop.
    Please post:

    All RKreport.txt text files located on your desktop.
    Jay Pfoutz, Nov 29, 2012
    #61

  2. Padredw Newcomer, in training Posts: 57

    Here is the log from UNHIDE:

    Unhide by Lawrence Abrams (Grinler)
    http://www.bleepingcomputer.com/
    Copyright 2008-2012 BleepingComputer.com
    More Information about Unhide.exe can be found at this link:
    http://www.bleepingcomputer.com/forums/topic405109.html

    Program started at: 11/29/2012 10:41:57 AM
    Windows Version: Windows 7

    Please be patient while your files are made visible again.

    Processing the C:\ drive
    Finished processing the C:\ drive. 157763 files processed.

    Processing the D:\ drive
    Finished processing the D:\ drive. 9275 files processed.

    Processing the Q:\ drive
    Finished processing the Q:\ drive. 0 files processed.

    The C:\Users\Padredw\AppData\Local\Temp\smtmp\ folder does not exist!!
    Unhide cannot restore your missing shortcuts!!
    Please see this topic in order to learn how to restore default
    Start Menu shortcuts: http://www.bleepingcomputer.com/forums/topic405109.html

    Searching for Windows Registry changes made by FakeHDD rogues.
    - Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    - Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    - Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
    - Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
    - Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    No registry changes detected.

    Program finished at: 11/29/2012 10:44:48 AM
    Execution time: 0 hours(s), 2 minute(s), and 51 seconds(s)
    Padredw, Nov 29, 2012
    #62

  3. Padredw Newcomer, in training Posts: 57

    REPORT from RougeKiller:

    RogueKiller V8.3.1 [Nov 26 2012] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website : http://tigzy.geekstogo.com/roguekiller.php
    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : Padredw [Admin rights]
    Mode : Shortcuts HJfix -- Date : 11/29/2012 11:06:11

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Driver : [NOT LOADED] ¤¤¤

    ¤¤¤ File attributes restored: ¤¤¤
    Desktop: Success 0 / Fail 0
    Quick launch: Success 0 / Fail 0
    Programs: Success 2 / Fail 0
    Start menu: Success 0 / Fail 0
    User folder: Success 91 / Fail 0
    My documents: Success 0 / Fail 0
    My favorites: Success 0 / Fail 0
    My pictures: Success 0 / Fail 0
    My music: Success 0 / Fail 0
    My videos: Success 0 / Fail 0
    Local drives: Success 25 / Fail 0
    Backup: [NOT FOUND]

    Drives:
    [C:] \Device\HarddiskVolume1 -- 0x3 --> Restored
    [D:] \Device\HarddiskVolume3 -- 0x3 --> Restored
    [Q:] \Device\SftVol -- 0x3 --> Restored

    Finished : << RKreport[3]_SC_11292012_02d1106.txt >>
    RKreport[1]_S_11292012_02d1104.txt ; RKreport[2]_D_11292012_02d1105.txt ; RKreport[3]_SC_11292012_02d1106.txt
    Padredw, Nov 29, 2012
    #63

  4. Padredw Newcomer, in training Posts: 57

    ABOVE was Report # 3. Below is Report # 1

    RogueKiller V8.3.1 [Nov 26 2012] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website : http://tigzy.geekstogo.com/roguekiller.php
    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : Padredw [Admin rights]
    Mode : Scan -- Date : 11/29/2012 11:04:05

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 4 ¤¤¤
    [HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
    [HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [NOT LOADED] ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\Windows\system32\drivers\etc\hosts

    127.0.0.1 localhost


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: SanDisk SSD U100 128GB +++++
    --- User ---
    [MBR] ad783b9bf09aa0a92dc771bf1c09fde3
    [BSP] 1419c486b7ec0f63d56f86313fa755fc : Windows 7/8 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 113910 Mo
    1 - [XXXXXX] FAT32-LBA (0x1c) [HIDDEN!] Offset (sectors): 233289728 | Size: 8192 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive1: WD 1600BMV External USB Device +++++
    --- User ---
    [MBR] f3a6ba5017b7aa3832cee05e72b93b55
    [BSP] d0ec2211ba2260ee6d54a28c5292c11f : Windows XP MBR Code
    Partition table:
    0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 63 | Size: 152625 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!

    Finished : << RKreport[1]_S_11292012_02d1104.txt >>
    RKreport[1]_S_11292012_02d1104.txt
    Padredw, Nov 29, 2012
    #64

  5. Padredw Newcomer, in training Posts: 57

    Report # 2

    RogueKiller V8.3.1 [Nov 26 2012] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website : http://tigzy.geekstogo.com/roguekiller.php
    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : Padredw [Admin rights]
    Mode : Remove -- Date : 11/29/2012 11:05:23

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 3 ¤¤¤
    [HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [NOT LOADED] ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\Windows\system32\drivers\etc\hosts

    127.0.0.1 localhost


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: SanDisk SSD U100 128GB +++++
    --- User ---
    [MBR] ad783b9bf09aa0a92dc771bf1c09fde3
    [BSP] 1419c486b7ec0f63d56f86313fa755fc : Windows 7/8 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 113910 Mo
    1 - [XXXXXX] FAT32-LBA (0x1c) [HIDDEN!] Offset (sectors): 233289728 | Size: 8192 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive1: WD 1600BMV External USB Device +++++
    --- User ---
    [MBR] f3a6ba5017b7aa3832cee05e72b93b55
    [BSP] d0ec2211ba2260ee6d54a28c5292c11f : Windows XP MBR Code
    Partition table:
    0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 63 | Size: 152625 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!

    Finished : << RKreport[2]_D_11292012_02d1105.txt >>
    RKreport[1]_S_11292012_02d1104.txt ; RKreport[2]_D_11292012_02d1105.txt
    Padredw, Nov 29, 2012
    #65

  6. Padredw Newcomer, in training Posts: 57

    BTW. The link to RogueKiller download seemed to work fine on my desktop, but on this (UltraBook) it bought up all sorts of optional downloads--too many to try to record, and NEVER did get the rouguekiller.exe. Fortunately, I found the download site directly. Just a interesting fact about the different responses to the link in your last post.
    Padredw, Nov 29, 2012
    #66
     

  7. Jay Pfoutz Malware Helper Posts: 4,286   +49

    I know, all those download ads are terrible.

    Please run Panda ActiveScan online scan.
    • Choose Quick Scan then click the big green Scan now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • Once the scan is completed, please hit the notepad icon next to the text Export to:
    • Save it to a convenient location such as your Desktop
    • Post the contents of the ActiveScan.txt in your next reply
    Jay Pfoutz, Nov 30, 2012
    #67

  8. Padredw Newcomer, in training Posts: 57

    SEE POST BELOW RE: INTERNET EXPLORER

    OK. The website would not scan directly. Here is the message:

    [IMG]
    Padredw, Nov 30, 2012
    #68

  9. Padredw Newcomer, in training Posts: 57

    SO. . . I went ahead and downloaded as it offered, with the following result:[IMG]h this result:
    Padredw, Nov 30, 2012
    #69

  10. Padredw Newcomer, in training Posts: 57

    It offered no txt file report. I tried a second time with the exact same response. That is where we are . . .
    Padredw, Nov 30, 2012
    #70

  11. Padredw Newcomer, in training Posts: 57

    OK, decided to use Internet Explorer. Here is the report:

    ;***********************************************************************************************************************************************************************************
    ANALYSIS: 2012-11-30 14:41:58
    PROTECTIONS: 1
    MALWARE: 6
    SUSPECTS: 0
    ;***********************************************************************************************************************************************************************************
    PROTECTIONS
    Description Version Active Updated
    ;===================================================================================================================================================================================
    avast! Antivirus Yes Yes
    ;===================================================================================================================================================================================
    MALWARE
    Id Description Type Active Severity Disinfectable Disinfected Location
    ;===================================================================================================================================================================================
    00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No c:\users\padredw\appdata\roaming\microsoft\windows\cookies\low\l5tpmqvz.txt
    00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\users\padredw\appdata\roaming\microsoft\windows\cookies\low\9f3xwo9s.txt
    00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\users\padredw\appdata\roaming\microsoft\windows\cookies\ypcj9xl7.txt
    00168056 Cookie/YieldManager TrackingCookie No 0 Yes No c:\users\padredw\appdata\roaming\microsoft\windows\cookies\low\m1s6espd.txt
    00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No c:\users\padredw\appdata\roaming\microsoft\windows\cookies\17yp3bae.txt
    00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No c:\users\padredw\appdata\roaming\microsoft\windows\cookies\xwp654uo.txt
    00170559 Cookie/Com.com TrackingCookie No 0 Yes No c:\users\padredw\appdata\roaming\microsoft\windows\cookies\yd8t2nep.txt
    ;===================================================================================================================================================================================
    SUSPECTS
    Sent Location
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================
    VULNERABILITIES
    Id Severity Description
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================
    Padredw, Nov 30, 2012
    #71

  12. Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hi there. It all appears to be good, so we will finish up to make sure your computer is protected from malware in the future.

    Clean up System Restore

    Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

    To manually create a new Restore Point
    • Go to Control Panel and select System and Maintenance
    • Select System
    • On the left select Advance System Settings and accept the warning if you get one
    • Select System Protection Tab
    • Select Create at the bottom
    • Type in a name I.e. Clean
    • Select Create
    Now we can purge the infected ones
    • Go back to the System and Maintenance page
    • Select Performance Information and Tools
    • On the left select Open Disk Cleanup
    • Select Files from all users and accept the warning if you get one
    • In the drop down box select your main drive I.e. C
    • For a few moments the system will make some calculations:
      [IMG]
    • Select the More Options tab
      [IMG]
    • In the System Restore and Shadow Backups select Clean up
      [IMG]
    • Select Delete on the pop up
    • Select OK
    • Select Delete
    Run OTC to remove our tools

    To remove all of the tools we used and the files and folders they created, please do the following:
    Please download OTC.exe by OldTimer:
    • Save it to your Desktop.
    • Double click OTC.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note:If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    Purge old temporary files

    NOTE: If you already have this installed, you don't have to reinstall it.

    Please download CCleaner Slim and save it to your Desktop - Alternate download link

    When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
    Follow the prompts to install the program.

    • Double-click the CCleaner shortcut on the desktop to start the program.
    • A prompt will ask you if you want CCleaner to do a check to see what cookies it needs to keep. Allow that operation.
    • On the Cleaner tab, click on Run Cleaner on the bottom-right to run the program.
    • Important: Make sure that ALL browser windows are closed before selecting Run Cleaner, or it will ask if you want the program to close them for you (when you do this, all unsaved data may be lost in the browser).

    Caution: Only use the Registry feature if you are very familiar with the registry.
    Always back up your registry before making any changes. Exit CCleaner after it has completed it's process.

    Security Check

    Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
    Jay Pfoutz, Dec 1, 2012
    #72

  13. Padredw Newcomer, in training Posts: 57

    Hello, my patient friend, we have both spent a fair amount of time and website space on this. It is no problem for me, I have enjoyed it, and it should be obvious I am not dependent upon the computer in question, as I use it primarily for traveling and I have no such plans for a while. So ... I have nothing but appreciation for all your efforts. It is simply out of honest that I report to you that the original message which occasioned my entry upon this website, has just appeared as it has, without one exception, upon every startup of this computer. Just to remind you here is that message: (The text of my personal message to you will follow in a separate post.)

    [IMG]
    Padredw, Dec 1, 2012
    #73

  14. Padredw Newcomer, in training Posts: 57

    Now, for the good news: the computer seems to be operating just fine. I have never detected any malfunction based on that message, but it is still there, as it has been throughout our extended conversation.

    In fact, there is still that additional anomaly that appeared during our efforts: every time I shut down, I get the normal Windows message that 1 of 1 updates is being installed and that I should not turn off or unplug my computer. On attempt at manual install, the one update fails.

    You have nothing but my good will and appreciation. None of this is intended as complaint, but I do not wish to set up restore point, etc. yet.

    Remember, have patience with an 80 year old--who is doing his best.

    Thank you, friend.
    Padredw, Dec 1, 2012
    #74

  15. Jay Pfoutz Malware Helper Posts: 4,286   +49

    It is recommended to do a reformat and reinstall of your operating system. This is something I don't like to recommend normally, but in most cases it is the best solution for your safety.

    I recommend the following articles to read:
    Guide for format and reinstall:
    http://www.helpmyos.com/tutorials-s...-your-operating-system-the-easy-way-t1307.htm
    Jay Pfoutz, Dec 2, 2012
    #75

  16. Padredw Newcomer, in training Posts: 57

    Thanks, but I don't think I will take that route just yet. So far I haven't seen any evidence of problems caused by that repeated message. Until I find out more about the specific threat, I'll just wait and see.
    Padredw, Dec 2, 2012
    #76
Page 4 of 4
Topic Status:
Not open for further replies.

Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...

Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.