TechSpot

I think I have a rootkit and I can't get rid of it

Solved
By ickwonder
Aug 9, 2010
Topic Status:
Not open for further replies.
  1. Please help me. I am being redirected from site to site, all kinds of pop-ups. The computer is running more sluggish than usual. Something is really off. Oh yeah, and I can't run Windows Update.

    Here are my logs:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4408

    Windows 5.1.2600 Service Pack 3 (Safe Mode)
    Internet Explorer 7.0.5730.11

    8/8/2010 10:13:48 PM
    mbam-log-2010-08-08 (22-13-48).txt

    Scan type: Quick scan
    Objects scanned: 160834
    Time elapsed: 11 minute(s), 40 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)



    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-08-08 23:43:43
    Windows 5.1.2600 Service Pack 3
    Running: k7o3q0kc.exe; Driver: C:\DOCUME~1\Danette\LOCALS~1\Temp\axloapod.sys


    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\svchost.exe[600] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0099000A
    .text C:\WINDOWS\system32\svchost.exe[600] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009A000A
    .text C:\WINDOWS\system32\svchost.exe[600] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0098000C
    .text C:\WINDOWS\system32\svchost.exe[600] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 00FF000A
    .text C:\WINDOWS\system32\svchost.exe[600] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 009E000A
    .text C:\WINDOWS\explorer.exe[1236] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
    .text C:\WINDOWS\explorer.exe[1236] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C5000A
    .text C:\WINDOWS\explorer.exe[1236] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C

    ---- EOF - GMER 1.0.15 ----



    The rest are attached.
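    The "User code sections" lines in the GMER log above are inline hooks: the first 5 bytes of each listed export have been overwritten with a JMP to another address. Added example (not from the thread or from GMER): a Python triage parser that pulls those records out of the log and groups, per process, the hooks whose JMP target lies far outside the hooked DLL. The 16 MB distance rule and the NtClose control line are this example's own assumptions; security software injects similar hooks, so the output is a list to check against known-good software, not a verdict.

```python
import re
from collections import defaultdict

# GMER "User code sections" lines taken from the log in the thread, plus one
# constructed benign control line (the NtClose address and target are made up).
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\svchost.exe[600] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0099000A
.text C:\WINDOWS\system32\svchost.exe[600] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009A000A
.text C:\WINDOWS\system32\svchost.exe[600] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 00FF000A
.text C:\WINDOWS\explorer.exe[1236] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\explorer.exe[1236] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C5000A
.text C:\WINDOWS\system32\svchost.exe[600] ntdll.dll!NtClose 7C90CFD4 5 Bytes JMP 7C90CFE0
---- EOF - GMER 1.0.15 ----
"""

# One hook line: ".text <image>[<pid>] <module>!<export> <addr> <n> Bytes JMP <target>"
HOOK_RE = re.compile(
    r"^\.text (?P<image>.+?)\[(?P<pid>\d+)\] (?P<module>[^!\s]+)!(?P<func>\S+) "
    r"(?P<addr>[0-9A-Fa-f]+) (?P<size>\d+) Bytes JMP (?P<target>[0-9A-Fa-f]+)$"
)

# Heuristic (this example's assumption, not a GMER rule): a JMP whose target is
# more than 16 MB from the patched export has left the DLL image and lands in
# memory that some other code allocated inside the process.
MAX_IN_MODULE_DISTANCE = 16 * 1024 * 1024

def parse_hooks(log_text):
    """One dict per inline-JMP line; headers and non-JMP patches are skipped."""
    hooks = []
    for line in log_text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["addr"], rec["target"] = int(rec["addr"], 16), int(rec["target"], 16)
            rec["pid"], rec["size"] = int(rec["pid"]), int(rec["size"])
            hooks.append(rec)
    return hooks

def leaves_module(hook):
    """True when the JMP target is far outside the hooked DLL (heuristic above)."""
    return abs(hook["target"] - hook["addr"]) > MAX_IN_MODULE_DISTANCE

def triage(log_text):
    """Map 'image[pid]' -> exports whose hook leaves the module, for follow-up."""
    by_proc = defaultdict(list)
    for h in parse_hooks(log_text):
        if leaves_module(h):
            by_proc[f"{h['image']}[{h['pid']}]"].append(f"{h['module']}!{h['func']}")
    return dict(by_proc)
```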

  2. crunchie

    crunchie Malware Helper Posts: 761

    Hi and welcome to the Techspot forums :).

    Please give as much information as possible about what is wrong with the pc.

    ==

    Please download JavaRa

    If you get this message:
    Problems with the download? Please use this direct link or try another mirror.

    Select the Direct link download and unzip it to your Desktop.

    Double click JavaRa.exe then click Remove Older Versions.

    Follow any prompts; a log will pop up (JavaRa.log); please post the contents of this log.

    Next, open JavaRa.exe again, and select Search For Updates.

    Select Update Using Sun Java's Website --> Search, and continue the instructions for downloading and installing the latest Java version. Look for JDK 6 Update 21 (JDK or JRE). On the right select this one: Download JRE.

    In Vista and Windows 7 run the tool as Administrator.

    ================

    Please download ComboFix by sUBs from HERE or HERE
    • You must download it to and run it from your Desktop
    • Physically disconnect from the internet.
    • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    • Double click combofix.exe & follow the prompts.
    • When finished, it will produce a log. Please save that log to post in your next reply.
    • Re-enable all the programs that were disabled during the running of ComboFix.

    Note:
    Do not mouse-click combofix's window while it is running. That may cause it to stall.

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Run Combofix ONCE only!!
  3. ickwonder

    ickwonder Newcomer, in training Topic Starter

    Here are the reports.

  4. crunchie

    crunchie Malware Helper Posts: 761

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box.
    2. Now copy/paste the entire content of the codebox below into the Notepad window:
    Code:
    KillAll::
    
    File::
    c:\documents and settings\NetworkService\Local Settings\Application Data\iaxwibtwy
    c:\windows\Isezohux.dat
    c:\documents and settings\Danette\Local Settings\Application Data\igpcjwexq
    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:5643
    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Save the above as CFScript.txt

    4. Physically disconnect from the internet.

    5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

    6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [animation: CFScript.txt being dragged onto ComboFix.exe]


    7. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
    • Combofix.txt
    Please take note:

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    =============

    Please let me know how the pc is now.
  5. ickwonder

    ickwonder Newcomer, in training Topic Starter

    So now everything is more responsive, the CPU usage is down, and so far I haven't been redirected to another site. The computer seems less noisy. Thank you.... here's the report.

  6. ickwonder

    ickwonder Newcomer, in training Topic Starter

    Oh yeah, Windows Update works again... thanks again.
  7. crunchie

    crunchie Malware Helper Posts: 761

    Good news :).

    Just need to do a quick check for any remnants.

    Please Run the ESET Online Scanner and post the ScanLog with your post for assistance.
    • You will need to use Internet Explorer to complete this scan.
    • You will need to temporarily Disable your current Anti-virus program.
    • Be sure the option to Remove found threats is Un-checked at this time (we may have it clean what it finds at a later time), and the option to Scan unwanted applications is Checked.
    • When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.

    NOTE: If you are unable to complete the ESET scan, please try another from the list below:

  8. ickwonder

    ickwonder Newcomer, in training Topic Starter

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=7.00.6000.17055 (vista_gdr.100414-0533)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=453a6d44053a974183ca21619338e9ef
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-08-11 03:43:28
    # local_time=2010-08-10 08:43:28 (-0800, Pacific Daylight Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 791026 791026 0 0
    # compatibility_mode=1024 16777215 100 0 3488145 3488145 0 0
    # compatibility_mode=1797 16775141 100 93 0 40470639 123345 0
    # compatibility_mode=3841 16777215 0 15 98617 42365328 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=77752
    # found=5
    # cleaned=0
    # scan_time=1865
    C:\Documents and Settings\Danette\Incomplete\T-4223976-fly fashion nip tuck CD quality.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 00000000000000000000000000000000 I
    C:\Documents and Settings\Danette\Incomplete\T-4320425-its your birthday john lennon [256k quality].mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 00000000000000000000000000000000 I
    C:\Documents and Settings\Danette\Incomplete\T-6472385-i kill people jon lajoie.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 00000000000000000000000000000000 I
    C:\Qoobox\32788R22FWJFW\isapnp.sys Win32/Olmarik.ZC trojan 00000000000000000000000000000000 I
    C:\Qoobox\Quarantine\C\Documents and Settings\Danette\Local Settings\Application Data\{1BD2584C-B253-4DC1-BCF7-1E9F8AACAA2E}\chrome\content\overlay.xul.vir probably a variant of Win32/Agent.NVQFFQI trojan 00000000000000000000000000000000 I
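    The ESET log above is a fixed format: "# key=value" header lines followed by one line per detection that ends with a 32-character hash and a flag. Added example (not from the thread or from ESET): a Python parser that splits the detections out, cross-checks the parsed count against "# found", and separates hits under C:\Qoobox from hits on the live file system. Treating C:\Qoobox as ComboFix's quarantine and working area is this example's assumption; confirm it against the ComboFix log before deciding what still needs removal.

```python
import re

# Header and detection lines taken from the ESET log in the thread (some header lines dropped).
SAMPLE_LOG = r"""
# version=7
# remove_checked=false
# scanned=77752
# found=5
# cleaned=0
C:\Documents and Settings\Danette\Incomplete\T-4223976-fly fashion nip tuck CD quality.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Danette\Incomplete\T-4320425-its your birthday john lennon [256k quality].mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Danette\Incomplete\T-6472385-i kill people jon lajoie.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 00000000000000000000000000000000 I
C:\Qoobox\32788R22FWJFW\isapnp.sys Win32/Olmarik.ZC trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\Danette\Local Settings\Application Data\{1BD2584C-B253-4DC1-BCF7-1E9F8AACAA2E}\chrome\content\overlay.xul.vir probably a variant of Win32/Agent.NVQFFQI trojan 00000000000000000000000000000000 I
"""

HEADER_RE = re.compile(r"^# (?P<key>\w+)=(?P<value>.*)$")
# The path may contain spaces, so it is matched lazily; the name starts at the first
# backslash-free "Family/Variant" token, and the "<32 hex> <flag>" tail anchors the split.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?) (?P<name>(?:probably )?(?:a variant of )?[^\s\\]+/\S+(?: [a-z]+)*) "
    r"(?P<hash>[0-9A-Fa-f]{32}) (?P<flag>\S+)$"
)
# Assumed here: everything under C:\Qoobox is ComboFix's quarantine / working area,
# so hits there are copies already pulled out of the way, not live infections.
QUARANTINE_PREFIX = "c:\\qoobox\\"

def parse_eset_log(text):
    header, detections = {}, []
    for line in text.splitlines():
        line = line.strip()
        h = HEADER_RE.match(line)
        if h:
            header[h["key"]] = h["value"]   # repeated keys keep their last value
            continue
        d = DETECTION_RE.match(line)
        if d:
            rec = d.groupdict()
            rec["quarantined"] = rec["path"].lower().startswith(QUARANTINE_PREFIX)
            detections.append(rec)
    return header, detections

def summarize(text):
    """Split live hits from quarantined ones and check the parsed count against '# found'."""
    header, dets = parse_eset_log(text)
    return {"found_claimed": int(header.get("found", 0)), "found_parsed": len(dets),
            "live": [d["path"] for d in dets if not d["quarantined"]],
            "quarantined": [d["path"] for d in dets if d["quarantined"]],
            "families": sorted({next(t for t in d["name"].split() if "/" in t) for d in dets})}
```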
  9. crunchie

    crunchie Malware Helper Posts: 761

    You can either run eset again and have it remove those entries, or do the following;

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box.
    2. Now copy/paste the entire content of the codebox below into the Notepad window:
    Code:
    
    File::
    C:\Documents and Settings\Danette\Incomplete\T-4223976-fly fashion nip tuck CD quality.mp3
    C:\Documents and Settings\Danette\Incomplete\T-4320425-its your birthday john lennon [256k quality].mp3
    C:\Documents and Settings\Danette\Incomplete\T-6472385-i kill people jon lajoie.mp3
    
    
    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Save the above as CFScript.txt

    4. Physically disconnect from the internet.

    5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

    6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [animation: CFScript.txt being dragged onto ComboFix.exe]


    7. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
    • Combofix.txt
    Please take note:

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    ===========

    Download and Run ATF Cleaner
    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it.

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    Firefox:
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Opera:
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.

    ==

    We will remove the other two entries when we are done.
  10. ickwonder

    ickwonder Newcomer, in training Topic Starter

    Ok, got that done.
  11. ickwonder

    ickwonder Newcomer, in training Topic Starter

    Here's ComboFix.
  12. crunchie

    crunchie Malware Helper Posts: 761

    Good. Let me know how the pc is now and then we can go about clearing up the tools used.
  13. ickwonder

    ickwonder Newcomer, in training Topic Starter

    My pc seems a lot better than before, but at times it seems like it works a lot harder than it should.
  14. crunchie

    crunchie Malware Helper Posts: 761

    Check in Task Manager under Processes and see if there is any one Process that is using lots of CPU time.
  15. ickwonder

    ickwonder Newcomer, in training Topic Starter

    System Idle Process
  16. ickwonder

    ickwonder Newcomer, in training Topic Starter

    But I think that's normal. Now that I think of it, after like 10 mins after start-up it seems fine.
  17. crunchie

    crunchie Malware Helper Posts: 761

    Exactly as it should be when you are doing nothing with it :).
    Maybe it could do with a good defrag?

    Other than that, I think we can eliminate malware as being the problem at this point, so please download OTC.exe... by OldTimer. Save it to your desktop.
    1. Double click on OTC.exe.
      If you receive the "Open File - Security Warning" prompt, press "Run".
    2. Click on CleanUp!.
    3. Click "Yes" to the Begin cleanup process? prompt.
    4. Click "Yes" ... when prompted to reboot the computer to remove files.
    Your computer should restart automatically. If it doesn't, please do so manually.

    ========

    Try it out for a couple of days and if you have any further concerns, post back :).
  18. ickwonder

    ickwonder Newcomer, in training Topic Starter

    Ok, well, thank you. Everything seems to be ok. Ummm, maybe I should upgrade the RAM as well; this old thing is still on 504 MB.
  19. crunchie

    crunchie Malware Helper Posts: 761

    Yeah, a nice little 1 or 2 gig would be nice :).