Solved I think I have a rootkit and I can't get rid of it

Status
Not open for further replies.

ickwonder

Please help me. I am being redirected from site to site, with all kinds of pop-ups. The computer is running more sluggishly than usual; something is really off. Oh yeah, and I can't run Windows Update.

Here are my logs:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4408

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 7.0.5730.11

8/8/2010 10:13:48 PM
mbam-log-2010-08-08 (22-13-48).txt

Scan type: Quick scan
Objects scanned: 160834
Time elapsed: 11 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-08 23:43:43
Windows 5.1.2600 Service Pack 3
Running: k7o3q0kc.exe; Driver: C:\DOCUME~1\Danette\LOCALS~1\Temp\axloapod.sys


---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[600] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0099000A
.text C:\WINDOWS\system32\svchost.exe[600] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009A000A
.text C:\WINDOWS\system32\svchost.exe[600] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0098000C
.text C:\WINDOWS\system32\svchost.exe[600] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 00FF000A
.text C:\WINDOWS\system32\svchost.exe[600] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 009E000A
.text C:\WINDOWS\explorer.exe[1236] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\explorer.exe[1236] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C5000A
.text C:\WINDOWS\explorer.exe[1236] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C

---- EOF - GMER 1.0.15 ----



The rest are attached.
 

Attachments: DDS.txt, Attach.txt
Hi and welcome to the Techspot forums :).

Please give as much information as possible about what is wrong with the PC.

==

Please download JavaRa

If you get this message:
Problems with the download? Please use this direct link or try another mirror.

Select the Direct link download unzip it to your Desktop.

Double click JavaRa.exe then click Remove Older Versions.

Follow any prompts; a log will pop up (JavaRa.log). Please post the contents of this log.

Next, open JavaRa.exe again, and select Search For Updates.

Select Update Using Sun Java's Website --> Search, and continue the instructions for downloading and installing the latest Java version. Look for JDK 6 Update 21 (JDK or JRE). On the right, select this one: Download JRE.

In Vista and Windows 7 run the tool as Administrator.

================

Please download ComboFix by sUBs from HERE or HERE
  • You must download it to and run it from your Desktop
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply.
  • Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!
 
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
Code:
KillAll::

File::
c:\documents and settings\NetworkService\Local Settings\Application Data\iaxwibtwy
c:\windows\Isezohux.dat
c:\documents and settings\Danette\Local Settings\Application Data\igpcjwexq
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5643

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



7. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
  • Combofix.txt
Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

=============

Please let me know how the pc is now.
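For triaging the GMER "User code sections" lines in the opening post, here is an added example that is not part of the thread and not GMER's own code: it parses each hook line, flags a JMP that leaves a system DLL for low private memory, and lists the functions hooked identically across processes (the same three ntdll exports in svchost.exe and explorer.exe here). The 0x70000000 boundary is an assumption for 32-bit Windows XP, not something GMER reports.

```python
import re
from collections import defaultdict

# Sample input: the "User code sections" lines copied from the opening post.
GMER_LOG = """\
.text C:\\WINDOWS\\system32\\svchost.exe[600] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0099000A
.text C:\\WINDOWS\\system32\\svchost.exe[600] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009A000A
.text C:\\WINDOWS\\system32\\svchost.exe[600] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0098000C
.text C:\\WINDOWS\\system32\\svchost.exe[600] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 00FF000A
.text C:\\WINDOWS\\system32\\svchost.exe[600] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 009E000A
.text C:\\WINDOWS\\explorer.exe[1236] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\\WINDOWS\\explorer.exe[1236] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C5000A
.text C:\\WINDOWS\\explorer.exe[1236] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
"""

# One GMER inline-hook line: section, image[pid], module!function, address, size, JMP target.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]{8})$"
)

# Assumption (heuristic, not a GMER value): on 32-bit XP the system DLLs load in the
# upper part of user space, so a JMP from one of them to an address below this
# boundary lands in private/heap memory rather than in another system DLL.
SYSTEM_DLL_FLOOR = 0x70000000


def parse_hooks(text):
    """Return one dict per hook line, with a 'suspicious' flag set by the boundary heuristic."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue  # section headers, blank lines and non-JMP entries are skipped
        h = m.groupdict()
        h["pid"], h["size"] = int(h["pid"]), int(h["size"])
        h["addr"], h["target"] = int(h["addr"], 16), int(h["target"], 16)
        h["suspicious"] = h["addr"] >= SYSTEM_DLL_FLOOR and h["target"] < SYSTEM_DLL_FLOOR
        hooks.append(h)
    return hooks


def shared_hooks(hooks):
    """Map (module, function) -> set of PIDs for functions hooked in more than one process."""
    by_func = defaultdict(set)
    for h in hooks:
        by_func[(h["module"].lower(), h["func"])].add(h["pid"])
    return {f: pids for f, pids in by_func.items() if len(pids) > 1}
```

A hook flagged this way still needs confirmation against what is installed, since security products also patch these same exports; the value of the cross-process view is that one injector leaves the same signature in every process it reaches.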
 
So now everything is more responsive, the CPU usage is down, and so far I haven't been redirected to another site. The computer seems less noisy. Thank you. Here's the report.
 

Attachments: Combofix.txt
Good news :).

Just need to do a quick check for any remnants.

Please Run the ESET Online Scanner and post the ScanLog with your post for assistance.
  • You will need to use Internet Explorer to complete this scan.
  • You will need to temporarily Disable your current Anti-virus program.
  • Be sure the option to Remove found threats is Un-checked at this time (we may have it clean what it finds at a later time), and the option to Scan unwanted applications is Checked.
  • When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.

NOTE: If you are unable to complete the ESET scan, please try another from the list below:

 
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.17055 (vista_gdr.100414-0533)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=453a6d44053a974183ca21619338e9ef
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-08-11 03:43:28
# local_time=2010-08-10 08:43:28 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 791026 791026 0 0
# compatibility_mode=1024 16777215 100 0 3488145 3488145 0 0
# compatibility_mode=1797 16775141 100 93 0 40470639 123345 0
# compatibility_mode=3841 16777215 0 15 98617 42365328 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=77752
# found=5
# cleaned=0
# scan_time=1865
C:\Documents and Settings\Danette\Incomplete\T-4223976-fly fashion nip tuck CD quality.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Danette\Incomplete\T-4320425-its your birthday john lennon [256k quality].mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Danette\Incomplete\T-6472385-i kill people jon lajoie.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 00000000000000000000000000000000 I
C:\Qoobox\32788R22FWJFW\isapnp.sys Win32/Olmarik.ZC trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\Danette\Local Settings\Application Data\{1BD2584C-B253-4DC1-BCF7-1E9F8AACAA2E}\chrome\content\overlay.xul.vir probably a variant of Win32/Agent.NVQFFQI trojan 00000000000000000000000000000000 I
 
You can either run ESET again and have it remove those entries, or do the following:

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
Code:
File::
C:\Documents and Settings\Danette\Incomplete\T-4223976-fly fashion nip tuck CD quality.mp3
C:\Documents and Settings\Danette\Incomplete\T-4320425-its your birthday john lennon [256k quality].mp3
C:\Documents and Settings\Danette\Incomplete\T-6472385-i kill people jon lajoie.mp3

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



7. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
  • Combofix.txt
Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

===========

Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

==

We will remove the other two entries when we are done.
 
Check in Task Manager under Processes and see if there is any one Process that is using lots of CPU time.
 
Exactly as it should be when you are doing nothing with it :).
Maybe it could do with a good defrag?

Other than that, I think we can eliminate malware as being the problem at this point, so please download OTC.exe... by OldTimer. Save it to your desktop.
  1. Double click on OTC.exe.
    If you receive the "Open File - Security Warning" prompt, press "Run".
  2. Click on CleanUp!.
  3. Click "Yes" to the Begin cleanup process? prompt.
  4. Click "Yes" ... when prompted to reboot the computer to remove files.
Your computer should restart automatically. If it doesn't, please do so manually.

========

Try it out for a couple of days and if you have any further concerns, post back :).
 
OK, well, thank you. Everything seems to be OK. Ummm, maybe I should upgrade the RAM as well; this old thing is still on 504 MB.
 