Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Rootkit infection - can't remove with Malware Bytes, Kaspers


Re: Rootkit infection - can't remove with Malware Bytes, Kas

Post by askey127 » May 18th, 2011, 7:49 pm

Go to Start, Control Panel, Programs, and open Microsoft Security Essentials.
You should see it easily.
You can also open Security Center in Control panel and look at your AntiVirus settings that way.
askey127
Admin/Teacher
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Rootkit infection - can't remove with Malware Bytes, Kas

Post by chanchita » May 18th, 2011, 9:17 pm

OK, thanks again for all your help. I just uninstalled MS Security Essentials temporarily, because I couldn't find how to stop it from running. I ran ComboFix. The log is posted below:

ComboFix 11-05-17.03 - student 05/18/2011 20:58:58.1.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1915.1132 [GMT -4:00]
Running from: c:\users\student\Desktop\zzz.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Search Settings
c:\program files\Search Settings\kb128\SearchSettingsRes409.dll
c:\program files\Search Settings\SearchSettings.exe
c:\users\student\AppData\Roaming\Adobe\plugs
c:\users\student\AppData\Roaming\Adobe\plugs\mmc18594289.txt
c:\users\student\AppData\Roaming\Adobe\shed
c:\users\student\AppData\Roaming\Adobe\shed\thr1.chm
c:\users\student\AppData\Roaming\Desktopicon
c:\users\student\AppData\Roaming\Desktopicon\config.ini
c:\windows\4c37c6c9-799f-450e-861c-bd98e86455f4.ocx
c:\windows\system32\6ae89554-7039-4bf7-901e-6221195a9a0d.dll
c:\windows\system32\regobj.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-04-19 to 2011-05-19 )))))))))))))))))))))))))))))))
.
.
2011-05-19 01:07 . 2011-05-19 01:07 -------- d-----w- c:\users\student\AppData\Local\temp
2011-05-19 01:07 . 2011-05-19 01:07 -------- d-----w- c:\users\Edgar\AppData\Local\temp
2011-05-19 01:07 . 2011-05-19 01:07 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-05-14 16:29 . 2011-05-14 16:29 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-05-14 16:22 . 2011-05-14 16:22 -------- d-----w- C:\log
2011-05-14 16:21 . 2011-05-14 12:35 2486352 ----a-w- C:\RootkitBuster.exe
2011-05-14 12:42 . 2011-05-14 12:42 56400 ----a-w- c:\windows\system32\drivers\tmrkb.sys
2011-05-14 12:34 . 2011-05-14 12:34 -------- d-----w- c:\users\Edgar\AppData\Local\WinZip
2011-05-14 12:16 . 2011-05-14 12:16 -------- d--h--w- c:\programdata\Common Files
2011-05-14 04:26 . 2011-05-14 04:26 -------- d-----w- c:\program files\millie
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-09 22:32 . 2011-04-09 22:32 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-10 17:03 . 2011-04-14 12:45 1162240 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-10 17:03 . 2011-04-14 12:45 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-03-03 15:42 . 2011-04-14 12:45 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-03 13:25 . 2011-04-14 12:45 2041856 ----a-w- c:\windows\system32\win32k.sys
2011-03-02 15:44 . 2011-04-14 12:45 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-02-22 13:24 . 2011-04-14 12:45 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-02-22 13:24 . 2011-04-14 12:45 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-02-22 13:23 . 2011-04-14 12:45 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-22 13:23 . 2011-04-14 12:45 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-02-22 06:21 . 2011-04-14 12:45 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 06:17 . 2011-04-14 12:45 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 06:16 . 2011-04-14 12:45 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-22 06:16 . 2011-04-14 12:45 71680 ----a-w- c:\windows\system32\iesetup.dll
2011-02-22 06:16 . 2011-04-14 12:45 109056 ----a-w- c:\windows\system32\iesysprep.dll
2011-02-22 05:20 . 2011-04-14 12:45 385024 ----a-w- c:\windows\system32\html.iec
2011-02-22 04:43 . 2011-04-14 12:45 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2011-02-22 04:42 . 2011-04-14 12:45 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-02-18 14:03 . 2011-04-14 12:45 305152 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-18 14:03 . 2011-04-14 12:45 146432 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-02-18 14:03 . 2011-04-14 12:45 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-04-29 15:30 . 2011-03-24 03:43 142296 ---ha-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\millie\mbam.exe" [2010-12-20 963976]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"SoftwareSASGeneration"= 1 (0x1)
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2008-04-16 01:54 178712 ---ha-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-06-25 23:06 150040 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-06-25 23:06 145944 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRO Landscape Dashboard]
2006-12-13 13:38 3596288 ---ha-w- c:\program files\Drafix\PRO Landscape\PRO Landscape Dashboard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-04-08 23:14 6037504 ----a-w- c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SansaDispatch]
2010-04-10 03:35 79872 ---ha-w- c:\users\student\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skytel]
2007-11-21 02:15 1826816 ----a-w- c:\windows\SkyTel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
2008-06-02 21:26 505720 ---ha-w- c:\program files\Toshiba\SmoothView\SmoothView.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 15:44 248552 ---ha-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2007-12-07 02:12 1029416 ---ha-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:33 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate1c9ecac58f9bc77;Servicio de actualización de Google (gupdate1c9ecac58f9bc77);c:\program files\Google\Update\GoogleUpdate.exe [2009-06-14 133104]
R3 4D27206C;4D27206C;c:\windows\system32\4D27206C.exe [x]
R3 easytether;easytether;c:\windows\system32\DRIVERS\easytthr.sys [x]
R3 GamesAppService;GamesAppService;c:\program files\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-06-14 133104]
R3 IO_Memory;IO_Memory;c:\windows\SYSTEM32\SYSPREP\Drivers\ioport.sys [x]
R3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Jumpstart\jswpsapi.exe [2008-04-16 954368]
R3 SVRPEDRV;SVRPEDRV;c:\windows\System32\sysprep\PEDrv.sys [2008-01-18 9216]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwf.sys [2008-04-29 20384]
S1 MpKsld1bbcd70;MpKsld1bbcd70;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{CCD984BB-FDAF-4329-BB9E-86B232ADB1E8}\MpKsld1bbcd70.sys [x]
S1 MpKsldec56f62;MpKsldec56f62;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{CCD984BB-FDAF-4329-BB9E-86B232ADB1E8}\MpKsldec56f62.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2008-04-17 40960]
S2 PhoneMyPC_Helper;PhoneMyPC_Helper;c:\program files\SoftwareForMe Inc\PhoneMyPC\PhoneMyPC_Helper.exe [2011-05-12 31232]
S2 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2008-08-04 46392]
S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-04 126976]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - MpNWMon
*Deregistered* - NisDrv
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-14 04:55]
.
2011-05-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-14 04:55]
.
.
------- Supplementary Scan -------
.
uStart Page =
mStart Page =
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file:///C:/Windows/Java/classes/xmldso.cab
FF - ProfilePath - c:\users\student\AppData\Roaming\Mozilla\Firefox\Profiles\szdxtx2e.default\
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{09ec805c-cb2e-4d53-b0d3-a75a428b81c7} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
MSConfigStartUp-cfFncEnabler - cfFncEnabler.exe
MSConfigStartUp-jswtrayutil - c:\program files\Jumpstart\jswtrayutil.exe
MSConfigStartUp-MSC - c:\program files\Microsoft Security Client\msseces.exe
MSConfigStartUp-MSSE - c:\program files\Microsoft Security Essentials\msseces.exe
MSConfigStartUp-NDSTray - NDSTray.exe
MSConfigStartUp-SearchSettings - c:\program files\Search Settings\SearchSettings.exe
MSConfigStartUp-vKLuVrOIsaEYCN - c:\programdata\vKLuVrOIsaEYCN.exe
MSConfigStartUp-yonXQoADpl - c:\programdata\yonXQoADpl.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-18 21:07
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\users\student\AppData\Local\Temp\catchme.dll 53248 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2011-05-18 21:11:58
ComboFix-quarantined-files.txt 2011-05-19 01:11
.
Pre-Run: 176,553,328,640 bytes free
Post-Run: 175,929,393,152 bytes free
.
- - End Of File - - B2A653E07E6BA965A10EAB13C170FDB6
chanchita
Active Member
Posts: 14
Joined: May 14th, 2011, 12:39 pm

Re: Rootkit infection - can't remove with Malware Bytes, Kas

Post by askey127 » May 18th, 2011, 10:20 pm

OK.
Good.
Install Microsoft Security Essentials immediately, have it update itself.
After you complete that, tell me how the machine is running for you.
askey127
Admin/Teacher

Re: Rootkit infection - can't remove with Malware Bytes, Kas

Post by chanchita » May 18th, 2011, 10:38 pm

OK. I will in the morning. Is that catchme.dll bad?
chanchita
Active Member

Re: Rootkit infection - can't remove with Malware Bytes, Kas

Post by askey127 » May 19th, 2011, 6:15 am

NO.
It's part of the code used by ComboFix to detect rootkit infections.
It is not harmful.
askey127
Admin/Teacher

Re: Rootkit infection - can't remove with Malware Bytes, Kas

Post by chanchita » May 19th, 2011, 12:43 pm

Wow! It looks great! I'm just gonna have Hubby (it's his PC) double-check to see if he notices anything weird, but it looks great to me. I installed AVG with no problem. Thanks so much Askey127. You really helped us a lot.

chanchita
chanchita
Active Member

Re: Rootkit infection - can't remove with Malware Bytes, Kas

Post by askey127 » May 19th, 2011, 1:50 pm

chanchita,
You're welcome!
I will leave this thread open until late tomorrow.
Let me know if anything else crops up.
askey127
askey127
Admin/Teacher

Re: Rootkit infection - can't remove with Malware Bytes, Kas

Post by chanchita » May 19th, 2011, 7:48 pm

Hi Askey127,
Hubby is checking his PC, and he says that when he clicks START > All Programs > a list of program folders appears, but upon clicking each yellow folder, for example, Microsoft Office, there appears '(empty)' underneath the folder. I navigated to the program files folder on C:\ and it looks like all the programs are there and installed. Could the virus have removed all the program shortcuts from the start menu?

Thanks,

Jennifer
chanchita
Active Member

Re: Rootkit infection - can't remove with Malware Bytes, Kas

Post by askey127 » May 20th, 2011, 6:58 am

chanchita,
Sometimes recent infections will hide numerous files and folders on your machine.
See if this will correct the problem:
-------------------------------------------------------
Download and Run Unhide
New tool to fix files that were made hidden by the HDD Defrag rogues.
This program unhide.exe will attrib -h all files located on the computer's fixed disks.
Please note that this will unhide even those that are purposely hidden.
Will not touch files that are system files and meant to be hidden by Windows.

http://download.bleepingcomputer.com/grinler/unhide.exe
Save to your desktop and double click to run it.
askey127
askey127
Admin/Teacher
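The post above describes what Unhide does: an `attrib -h` across the fixed disks that skips files Windows itself marks as System, at the cost of also unhiding anything the user hid on purpose. The script below is an added example written for this thread, not the Unhide tool from bleepingcomputer.com and not code from the helper. It separates the decision (`should_unhide`, `plan_unhide`, both pure Python that runs anywhere) from the Windows-only apply step (`walk_attrs`, `fixed_drives`, `unhide_tree`, which call the real Win32 functions `GetLogicalDrives`, `GetDriveTypeW` and `SetFileAttributesW` through ctypes). All function names and the `SAMPLE_ENTRIES` paths are constructed for the example; the sample models the "(empty)" Start Menu folders from the thread plus the two kinds of file the tool must not touch or must warn about.

```python
"""Clear the Hidden attribute that HDD-defrag style rogues set on user files.

Added example, not the Unhide tool linked in the thread. It implements the
behaviour the post describes (an "attrib -h" over the fixed disks that leaves
System-flagged files alone). The decision logic is pure Python so it can be
reviewed and tested anywhere; only walk_attrs/fixed_drives/unhide_tree touch Win32.
"""
import ctypes
import os
import stat
import sys

HIDDEN = stat.FILE_ATTRIBUTE_HIDDEN        # 0x02
SYSTEM = stat.FILE_ATTRIBUTE_SYSTEM        # 0x04
DIRECTORY = stat.FILE_ATTRIBUTE_DIRECTORY  # 0x10
ARCHIVE = stat.FILE_ATTRIBUTE_ARCHIVE      # 0x20
DRIVE_FIXED = 3                            # GetDriveTypeW value for a local fixed disk


def should_unhide(attrs: int) -> bool:
    """Hidden entries are candidates; anything Windows marks System is left alone,
    so pagefile.sys, desktop.ini, $Recycle.Bin and friends keep their flags."""
    return bool(attrs & HIDDEN) and not (attrs & SYSTEM)


def unhidden_attrs(attrs: int) -> int:
    """Attribute word with only the Hidden bit cleared (the effect of attrib -h)."""
    return attrs & ~HIDDEN


def plan_unhide(entries):
    """Dry run: from (path, attrs) pairs, return the paths that would be changed.
    Keep this list as the audit record of what the cleanup touched."""
    return [path for path, attrs in entries if should_unhide(attrs)]


def walk_attrs(root):
    """Yield (path, attrs) for every file and folder under root (Windows only)."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                yield path, os.lstat(path).st_file_attributes
            except OSError:
                continue  # vanished or access denied: skip rather than abort the run


def fixed_drives():
    """Roots of local fixed disks, e.g. ['C:\\'] (Windows only)."""
    kernel32 = ctypes.windll.kernel32
    mask = kernel32.GetLogicalDrives()
    roots = [f"{chr(ord('A') + i)}:\\" for i in range(26) if mask & (1 << i)]
    return [r for r in roots if kernel32.GetDriveTypeW(r) == DRIVE_FIXED]


def unhide_tree(root, dry_run=True):
    """Clear Hidden on non-System entries under root. Returns the paths changed
    (with dry_run=True, the paths that would be changed)."""
    if sys.platform != "win32":
        raise OSError("file attributes are a Windows concept; run this on Windows")
    kernel32 = ctypes.windll.kernel32
    changed = []
    for path, attrs in walk_attrs(root):
        if not should_unhide(attrs):
            continue
        if not dry_run and not kernel32.SetFileAttributesW(path, unhidden_attrs(attrs)):
            continue  # SetFileAttributesW returns 0 on failure; leave that entry and move on
        changed.append(path)
    return changed


# Constructed sample modelled on the thread's symptom: Start Menu folders that show
# "(empty)" because the shortcuts were hidden, a file the user hid on purpose (the
# caveat in the post: it gets unhidden too), System files that must keep their flags,
# and an ordinary visible file.
SAMPLE_ENTRIES = [
    (r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office", HIDDEN | DIRECTORY),
    (r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office\Word.lnk", HIDDEN | ARCHIVE),
    (r"C:\Users\student\Documents\private-notes.txt", HIDDEN | ARCHIVE),  # user-hidden: still unhidden
    (r"C:\pagefile.sys", HIDDEN | SYSTEM | ARCHIVE),                       # System: untouched
    (r"C:\Users\student\Desktop\desktop.ini", HIDDEN | SYSTEM),             # System: untouched
    (r"C:\Users\student\Desktop\notes.txt", ARCHIVE),                       # not hidden: nothing to do
]

if __name__ == "__main__":
    for path in plan_unhide(SAMPLE_ENTRIES):
        print("would unhide:", path)
    # Real run, only on Windows and only when explicitly asked for.
    if sys.platform == "win32" and "--apply" in sys.argv:
        for drive in fixed_drives():
            print(f"{drive}: {len(unhide_tree(drive, dry_run=False))} entries unhidden")
```

Run it without arguments anywhere to see the dry-run plan over the constructed sample; on the affected machine, `python unhide_example.py --apply` walks every fixed disk and clears the bit. Keeping the dry-run list is the check a practitioner wants before touching thousands of files: it shows at a glance whether the candidates are Start Menu shortcuts and user documents (expected after this kind of rogue) or something that should stay hidden.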

Re: Rootkit infection - can't remove with Malware Bytes, Kas

Post by chanchita » May 20th, 2011, 8:15 pm

OK, thanks Askey127! I will try and get back to you.
chanchita
Active Member

Re: Rootkit infection - can't remove with Malware Bytes, Kas

Post by askey127 » May 23rd, 2011, 7:53 pm

This topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
askey127
Admin/Teacher
