Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Rootkit infection: IRP hook

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Rootkit infection: IRP hook

Unread postby mambass » April 3rd, 2012, 4:22 pm

Hi DelvinNg, :)

You're doing a great job. :thumbup:

Please print these instructions because you will not have access to the Internet while performing some of the tasks below.

  1. Copy and paste commands
    1. Click Start > All Programs > Accessories > Command Prompt. A Command Prompt window will open.
    2. Copy the contents in the following box and then right-click in the Command Prompt window and select Paste from the popup menu. The Command Prompt window will close.
      • Do not include the word "Code:"
      Code: Select all
      echo @echo off >c:\MWRcopy.bat
      echo copy c:\windows\system32\drivers\hidclass.sys c:\hidclasscopy.sys >>c:\MWRcopy.bat
      echo copy c:\windows\system32\drivers\hidusb.sys c:\hidusbcopy.sys >>c:\MWRcopy.bat
      exit
      cls 
      

  2. Execute a batch file in the Windows Vista Recovery Environment

    1. Reboot (restart) your computer and repeatedly press the F8 key until the Advanced Options Menu appears.
    2. Select the Repair your computer option and press the Enter key.
    3. Select your language and/or keyboard layout and click the Next button.
    4. Type your password (if necessary) and click the OK button. The System Recovery Options window will be displayed as shown below:

      Image

    5. Click the Command Prompt option. A cmd.exe window will be displayed.
    6. Type C: and press the Enter key. The command prompt (the text left of the flashing cursor) will change to C:\>
    7. Type MWRcopy.bat and press the Enter key. The message "1 file(s) copied" should be displayed twice.
    8. Type exit and press the Enter key. The cmd.exe window will close and the System Recovery Options window will be visible.
    9. Click the Restart button and allow the system to reboot (restart) into Normal mode.

  3. Scan files using VirusTotal
    Perform the following steps for each of the following files, one at a time:
    Code: Select all
    C:\hidclasscopy.sys
    C:\hidusbcopy.sys
    

    1. Goto www.virustotal.com
    2. Click the Choose File button then navigate to and double-click on the file to be scanned.
    3. Click the Scan it! button. Your file will be uploaded and analyzed.
      • Note: If a message is displayed indicating that the file was already analyzed, click the Reanalyse button so that your copy of the file will be analyzed.
    4. Please wait for all the scanners to finish then copy and paste the permalink (web address) in your next response.
      Example of web address :
      Image

  4. Download & Run RogueKiller
    1. Please click here to download RogueKiller and save it to your Desktop.
    2. Quit all running programs.
    3. Right-click on the RogueKiller.exe icon and select Run As Administrator to run it.
    4. Wait until the Prescan has finished.
    5. Make sure that the MBR Scan box is checked (ticked) within the Options column on the right side of the window.
    6. Click the Scan button.
    7. Do not take any action on any reported items at this time.
    8. Click the Report button within the Options column on the right side of the window to display the report. (The report can also be found in file RKreport.txt on your Desktop)
    9. Copy the contents of the report and paste it into your reply.
    10. Close both the report window and the RogueKiller window.

  5. Run a custom scan with OTL
    1. Double-click the OTL icon on your Desktop to run the program.
    2. In the Custom Scans/Fixes box at the bottom, paste in the following lines from the Code box (Do not include the word "Code"):
      Code: Select all
      c:\hidclasscopy.sys /md5
      c:\hidusbcopy.sys /md5
      c:\autorun.inf
      c:\u3rom\*.* /s
      
    3. Click the None button.
    4. Click the Run Scan button at the top.
    5. A Notepad window will open when the scan completes.
    6. Copy the contents of that file and post it in your next reply. The log can also be found on you Desktop as OTL.txt.


Please include in your reply:
  1. The text of any error messages and/or a description of any problems you encountered while performing these steps.
  2. The permalink (web address) for the scan of file hidclasscopy.sys.
  3. The permalink (web address) for the scan of file hidusbcopy.sys.
  4. The contents of the RogueKiller report.
  5. The contents of the OTL.txt log.


mambass
User avatar
mambass
Retired Graduate
 
Posts: 826
Joined: April 23rd, 2010, 9:26 am
Advertisement
Register to Remove

Re: Rootkit infection: IRP hook

Unread postby DelvinNg » April 6th, 2012, 11:41 am

Hihi mambass,

Sorry yes u're right! I missed the 2nd page hehe..

I completed I. and encountered some issues when conducting II. At step 7, no message "1 file(s) copied" was displayed after I press Enter key. Instead, there is a message 'MWRcopy.bat' is not recognized as an internal or external command, operable program or batch file.

Not sure if I should still proceed with any of the remaining steps as I can see some should be dependent on II. Thanks alot.

Rdgs,
Delvin
DelvinNg
Regular Member
 
Posts: 40
Joined: March 30th, 2012, 6:34 am

Re: Rootkit infection: IRP hook

Unread postby DelvinNg » April 6th, 2012, 11:42 am

To add on, I've tried II. for couple of times but still seeing same results.
DelvinNg
Regular Member
 
Posts: 40
Joined: March 30th, 2012, 6:34 am

Re: Rootkit infection: IRP hook

Unread postby DelvinNg » April 6th, 2012, 11:52 am

The contents of the RogueKiller report (with II. and III. not successful yet):

RogueKiller V7.3.2 [03/20/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/fi ... guekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User: Delvin [Admin rights]
Mode: Scan -- Date: 04/06/2012 23:48:48

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 4 ¤¤¤
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
[HJ] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
::1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD1600BEVT-75ZCT2 +++++
--- User ---
[MBR] 0e06eff6fc0ca7027ca475497c2b6d97
[BSP] 69a577cfd462274758ec500c84e5c42e : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 94 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 194560 | Size: 10240 Mo
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 21166080 | Size: 139730 Mo
3 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 307335168 | Size: 2560 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt
DelvinNg
Regular Member
 
Posts: 40
Joined: March 30th, 2012, 6:34 am

Re: Rootkit infection: IRP hook

Unread postby DelvinNg » April 6th, 2012, 11:55 am

The contents of the OTL.txt log (with II. and III. not successful yet):

OTL logfile created on: 6/4/2012 11:53:46 PM - Run 4
OTL by OldTimer - Version 3.2.39.2 Folder = C:\Users\Delvin\Desktop\Rootkit infection_IRP hook
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00004809 | Country: Singapore | Language: ENE | Date Format: d/M/yyyy

3.49 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 57.33% Memory free
7.17 Gb Paging File | 5.77 Gb Available in Paging File | 80.46% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 136.46 Gb Total Space | 74.19 Gb Free Space | 54.37% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 5.13 Gb Free Space | 51.27% Space Free | Partition Type: NTFS

Computer Name: DELVIN-PC | User Name: Delvin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

========== Custom Scans ==========

< c:\hidclasscopy.sys /md5 >

< c:\hidusbcopy.sys /md5 >

< c:\autorun.inf >

< c:\u3rom\*.* /s >

< End of report >
DelvinNg
Regular Member
 
Posts: 40
Joined: March 30th, 2012, 6:34 am

Re: Rootkit infection: IRP hook

Unread postby mambass » April 6th, 2012, 4:21 pm

Hi DelvinNg, :)

DelvinNg wrote: I completed I. and encountered some issues when conducting II. At step 7, no message "1 file(s) copied" was displayed after I press Enter key. Instead, there is a message 'MWRcopy.bat' is not recognized as an internal or external command, operable program or batch file.
Task I feeds Task II which feeds Tasks III & V. It appears that our problem is either with Task I or Task II. Let's see if we can determine which one has the problem.

  1. While booted in Normal mode, look for file C:\MWRcopy.bat using Windows Explorer (which can be accessed by pressing the WindowsKey + E on many keyboards (WindowsKey is between Ctrl and Alt), otherwise Start > All Programs > Accessories > Windows Explorer).

    If the file is there then proceed to Step 2 below.

    If the file is not there then please perform Task I in my previous instructions and then look again.

    If the file is still not there then report back.

    If the file is now there then continue with Tasks II through V in my previous instructions.

  2. We know that file C:\MWRcopy.bat was there. Now let's see why it wasn't found.

    Get back into the Recovery Environment by performing steps 1 through 4 in Task II of my previous instructions. Look to see how the Operating system disk is designated in your display that looks similar to the image below.

    Image

    If the Operating system disk is not C: then click the Restart button, boot back into Normal mode and report back with the letter designation for the Operating system drive.

    If the Operating system disk is C: then perform steps 5 through 7 of Task II in my previous instructions.

    If the expected results are obtained then continue with the remaining instructions starting with Task II Step 8 in my previous post.

    If you're still getting the "… is not recognized …" message then, while at the C:\> prompt, type DIR and press the Enter key. Do you get a directory listing?

    If you do not get a directory listing then please tell me what appears.

    If you do get a directory listing then look for file MWRcopy.bat. Can you see that file? If not then report back with some of the names of the files that you do see.

    If you can see the file then try to execute the command
    Code: Select all
    @MWRcopy.bat
    Note: Typing "MWRcopy.bat" should do the same thing as typing "@MWRcopy.bat", but if you get to this point then I'm running out of options.

    If the expected results are obtained then continue with the remaining instructions starting with Task II Step 8 in my previous post. Otherwise report back with what you saw.

mambass
User avatar
mambass
Retired Graduate
 
Posts: 826
Joined: April 23rd, 2010, 9:26 am

Re: Rootkit infection: IRP hook

Unread postby DelvinNg » April 7th, 2012, 6:35 am

Hihi mambass:)

I still cannot find C:\MWRcopy.bat after repeating Task I. I suppose I need to locate a bat file name called "MWRcopy.bat" or like right? Sorry just in case I misinterpreted. I did a search everywhere in my computer for "MWRcopy.bat" or "MWR" but no results.

Rdgs,
Delvin
DelvinNg
Regular Member
 
Posts: 40
Joined: March 30th, 2012, 6:34 am

Re: Rootkit infection: IRP hook

Unread postby mambass » April 7th, 2012, 9:25 am

Hi DelvinNg, :)

The problem was that I failed to have you open the Command Prompt window by right-clicking and selecting Run As Administrator. I've corrected that in the instructions below.

Please print these instructions because you will not have access to the Internet while performing some of the tasks below.

  1. Copy and paste commands
    1. Click Start > All Programs > Accessories then right-click on Command Prompt and select Run As Administrator. A Command Prompt window will open.
    2. Copy the contents in the following box and then right-click in the Command Prompt window and select Paste from the popup menu. The Command Prompt window will close.
      • Do not include the word "Code:"
      Code: Select all
      echo @echo off >c:\MWRcopy.bat
      echo copy c:\windows\system32\drivers\hidclass.sys c:\hidclasscopy.sys >>c:\MWRcopy.bat
      echo copy c:\windows\system32\drivers\hidusb.sys c:\hidusbcopy.sys >>c:\MWRcopy.bat
      exit
      cls 
      
    3. Just to be safe, verify that file C:\MWRcopy.bat now exists. :)

  2. Execute a batch file in the Windows Vista Recovery Environment

    1. Reboot (restart) your computer and repeatedly press the F8 key until the Advanced Options Menu appears.
    2. Select the Repair your computer option and press the Enter key.
    3. Select your language and/or keyboard layout and click the Next button.
    4. Type your password (if necessary) and click the OK button. The System Recovery Options window will be displayed as shown below:

      Image

    5. Click the Command Prompt option. A cmd.exe window will be displayed.
    6. Type C: and press the Enter key. The command prompt (the text left of the flashing cursor) will change to C:\>
    7. Type MWRcopy.bat and press the Enter key. The message "1 file(s) copied" should be displayed twice.
    8. Type exit and press the Enter key. The cmd.exe window will close and the System Recovery Options window will be visible.
    9. Click the Restart button and allow the system to reboot (restart) into Normal mode.

  3. Scan files using VirusTotal
    Perform the following steps for each of the following files, one at a time:
    Code: Select all
    C:\hidclasscopy.sys
    C:\hidusbcopy.sys
    

    1. Goto www.virustotal.com
    2. Click the Choose File button then navigate to and double-click on the file to be scanned.
    3. Click the Scan it! button. Your file will be uploaded and analyzed.
      • Note: If a message is displayed indicating that the file was already analyzed, click the Reanalyse button so that your copy of the file will be analyzed.
    4. Please wait for all the scanners to finish then copy and paste the permalink (web address) in your next response.
      Example of web address :
      Image

  4. Download & Run RogueKiller
    1. Please click here to download RogueKiller and save it to your Desktop.
    2. Quit all running programs.
    3. Right-click on the RogueKiller.exe icon and select Run As Administrator to run it.
    4. Wait until the Prescan has finished.
    5. Make sure that the MBR Scan box is checked (ticked) within the Options column on the right side of the window.
    6. Click the Scan button.
    7. Do not take any action on any reported items at this time.
    8. Click the Report button within the Options column on the right side of the window to display the report. (The report can also be found in file RKreport.txt on your Desktop)
    9. Copy the contents of the report and paste it into your reply.
    10. Close both the report window and the RogueKiller window.

  5. Run a custom scan with OTL
    1. Double-click the OTL icon on your Desktop to run the program.
    2. In the Custom Scans/Fixes box at the bottom, paste in the following lines from the Code box (Do not include the word "Code"):
      Code: Select all
      c:\hidclasscopy.sys /md5
      c:\hidusbcopy.sys /md5
      c:\autorun.inf
      c:\u3rom\*.* /s
      
    3. Click the None button.
    4. Click the Run Scan button at the top.
    5. A Notepad window will open when the scan completes.
    6. Copy the contents of that file and post it in your next reply. The log can also be found on you Desktop as OTL.txt.


Please include in your reply:
  1. The text of any error messages and/or a description of any problems you encountered while performing these steps.
  2. The permalink (web address) for the scan of file hidclasscopy.sys.
  3. The permalink (web address) for the scan of file hidusbcopy.sys.
  4. The contents of the RogueKiller report.
  5. The contents of the OTL.txt log.


mambass
User avatar
mambass
Retired Graduate
 
Posts: 826
Joined: April 23rd, 2010, 9:26 am

Re: Rootkit infection: IRP hook

Unread postby DelvinNg » April 7th, 2012, 10:17 am

2. The permalink (web address) for the scan of file hidclasscopy.sys:

https://www.virustotal.com/file/f688f8f ... 333807097/

3. The permalink (web address) for the scan of file hidusbcopy.sys:

https://www.virustotal.com/file/91ad075 ... 333807417/

5. The contents of the OTL.txt log:

OTL logfile created on: 7/4/2012 10:15:18 PM - Run 5
OTL by OldTimer - Version 3.2.39.2 Folder = C:\Users\Delvin\Desktop\Rootkit infection_IRP hook
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00004809 | Country: Singapore | Language: ENE | Date Format: d/M/yyyy

3.49 Gb Total Physical Memory | 1.92 Gb Available Physical Memory | 54.97% Memory free
7.17 Gb Paging File | 5.60 Gb Available in Paging File | 78.07% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 136.46 Gb Total Space | 73.26 Gb Free Space | 53.69% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 5.13 Gb Free Space | 51.27% Space Free | Partition Type: NTFS

Computer Name: DELVIN-PC | User Name: Delvin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

========== Custom Scans ==========

< c:\hidclasscopy.sys /md5 >
[2009/04/11 12:42:48 | 000,039,424 | ---- | M] (Microsoft Corporation) MD5=5961CADB7CAD938368D2028725EF771D -- c:\hidclasscopy.sys

< c:\hidusbcopy.sys /md5 >
[2009/04/11 12:42:48 | 000,012,800 | ---- | M] (Microsoft Corporation) MD5=CCA4B519B17E23A00B826C55716809CC -- c:\hidusbcopy.sys

< c:\autorun.inf >

< c:\u3rom\*.* /s >

< End of report >
DelvinNg
Regular Member
 
Posts: 40
Joined: March 30th, 2012, 6:34 am

Re: Rootkit infection: IRP hook

Unread postby DelvinNg » April 7th, 2012, 10:37 am

4. The contents of the RogueKiller report:

I've done it again and checked. The results (pasted below) are same as the one I provided on Fri 06 Apr, 2012 11:52 pm.

RogueKiller V7.3.2 [03/20/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/fi ... guekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User: Delvin [Admin rights]
Mode: Scan -- Date: 04/07/2012 22:23:27

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 4 ¤¤¤
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
[HJ] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
::1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD1600BEVT-75ZCT2 +++++
--- User ---
[MBR] 0e06eff6fc0ca7027ca475497c2b6d97
[BSP] 69a577cfd462274758ec500c84e5c42e : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 94 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 194560 | Size: 10240 Mo
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 21166080 | Size: 139730 Mo
3 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 307335168 | Size: 2560 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt
DelvinNg
Regular Member
 
Posts: 40
Joined: March 30th, 2012, 6:34 am

Re: Rootkit infection: IRP hook

Unread postby mambass » April 7th, 2012, 9:50 pm

Hi Delvin, :)

You currently have Coupon Printer for Windows installed. You may find the article here to be of value when deciding whether to retain this application. My recommendation is that you remove it unless you find it to be useful and are willing to accept the associated issues raised in the article. If you wish to remove it then please do so as a part of Task II below.

-----------------------------------

Re. AVG PC Tuneup 2011

I don't personally recommend the use of ANY registry cleaners. Here is an excerpt from a discussion on regcleaners
Most reg cleaners aren't bad as such, but they aren't perfect and even the best have been known to cause problems. The point we are trying to make is that the risk of using one far outweighs any benefit. If it does work perfectly you will not see any difference. If it doesn't work properly you may end up with an expensive doorstop.
I believe that you will find this post by Bill Castner to be very informative: WhatTheTech Forum

I have therefore included it in the programs to be uninstalled in Task II below.

-----------------------------------

Please print these instructions because you will not have access to the Internet while performing some of the tasks below.

  1. Create a System Restore Point
    1. Go to Start, right-click on Computer and select Properties.
    2. In the left pane under Tasks, click System protection.
    3. If UAC prompts for an administrator password or approval, type the password or give your "permission to continue".
    4. Select System Protection ...then choose Create.
    5. In the System Restore dialog box, type a description for the restore point (e.g., Start of malware removal process) and click Create again.
    6. A window should pop up with "The Restore Point was created successfully" message.
    7. Click OK and close the System Restore dialog.

      Note: If the message window was not displayed stating that the system restore point was created successfully then STOP - Do not continue with the steps below but rather reply to let me know what happened.

  2. Remove Programs Using Control Panel
    Take extra care in answering questions posed by any Uninstaller.

    1. Click Start > Control Panel and then double-click on Programs and Features.
    2. For each of the programs below, right-click the entry, choose Uninstall/Change, and give permission to Continue:

      4shared.com Toolbar
      Adobe Reader 9.5.0
      AVG PC Tuneup 2011
      Conduit Engine
      Coupon Printer for Windows (if you choose to remove this)
      Online Radio India Toolbar
      Zynga Toolbar

  3. Perform a Custom Fix with OTL
    1. Right-click the OTL icon on your Desktop and select Run As Administrator to run the program.
    2. In the Custom Scans/Fixes box at the bottom, paste in the following lines from the Code box (Do not include the word "Code"):
      Code: Select all
      :OTL
      SRV - [2009/07/08 14:48:48 | 000,026,640 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSK\msksrver.exe -- (MSK80Service)
      SRV - [2009/07/08 11:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
      DRV - [2009/07/16 12:32:26 | 000,130,424 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\Mpfp.sys -- (MPFP)
      IE - HKLM\..\URLSearchHook: {09ec805c-cb2e-4d53-b0d3-a75a428b81c7} - C:\Program Files\4shared.com\prxtb4sha.dll (Conduit Ltd.)
      IE - HKLM\..\URLSearchHook: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\tbZyng.dll (Conduit Ltd.)
      IE - HKLM\..\URLSearchHook: {952d8189-ea25-431b-8ed6-7758dcc933d1} - C:\Program Files\Online_Radio_India\tbOnli.dll (Conduit Ltd.)
      IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2233703
      IE - HKU\S-1-5-21-1511430850-4098111590-1355268400-1000\..\URLSearchHook: {09ec805c-cb2e-4d53-b0d3-a75a428b81c7} - C:\Program Files\4shared.com\prxtb4sha.dll (Conduit Ltd.)
      IE - HKU\S-1-5-21-1511430850-4098111590-1355268400-1000\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2233703
      FF - HKLM\Software\MozillaPlugins\@ei.FilmFanatic.com/Plugin: C:\Program Files\FilmFanaticEI\Installr\1.bin\NPpaEISB.dll File not found
      O2 - BHO: (4shared.com Toolbar) - {09ec805c-cb2e-4d53-b0d3-a75a428b81c7} - C:\Program Files\4shared.com\prxtb4sha.dll (Conduit Ltd.)
      O2 - BHO: (no name) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - No CLSID value found.
      O2 - BHO: (Conduit Engine) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\prxConduitEngine.dll (Conduit Ltd.)
      O2 - BHO: (Zynga Toolbar) - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\tbZyng.dll (Conduit Ltd.)
      O2 - BHO: (Online Radio India Toolbar) - {952d8189-ea25-431b-8ed6-7758dcc933d1} - C:\Program Files\Online_Radio_India\tbOnli.dll (Conduit Ltd.)
      O3 - HKLM\..\Toolbar: (4shared.com Toolbar) - {09ec805c-cb2e-4d53-b0d3-a75a428b81c7} - C:\Program Files\4shared.com\prxtb4sha.dll (Conduit Ltd.)
      O3 - HKLM\..\Toolbar: (Conduit Engine) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\prxConduitEngine.dll (Conduit Ltd.)
      O3 - HKLM\..\Toolbar: (Zynga Toolbar) - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\tbZyng.dll (Conduit Ltd.)
      O3 - HKLM\..\Toolbar: (Online Radio India Toolbar) - {952d8189-ea25-431b-8ed6-7758dcc933d1} - C:\Program Files\Online_Radio_India\tbOnli.dll (Conduit Ltd.)
      O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
      O3 - HKU\S-1-5-21-1511430850-4098111590-1355268400-1000\..\Toolbar\WebBrowser: (Zynga Toolbar) - {7B13EC3E-999A-4B70-B9CB-2617B8323822} - C:\Program Files\Zynga\tbZyng.dll (Conduit Ltd.)
      O3 - HKU\S-1-5-21-1511430850-4098111590-1355268400-1000\..\Toolbar\WebBrowser: (Online Radio India Toolbar) - {952D8189-EA25-431B-8ED6-7758DCC933D1} - C:\Program Files\Online_Radio_India\tbOnli.dll (Conduit Ltd.)
      O4 - HKLM..\Run: [] File not found
      O33 - MountPoints2\{c7993c90-d9b0-11df-868f-001fe2de3da9}\Shell\AutoRun\command - "" = F:\U3ROM/system.exe
      O33 - MountPoints2\{c7993c90-d9b0-11df-868f-001fe2de3da9}\Shell\explore\command - "" = F:\U3ROM/system.exe
      O33 - MountPoints2\{c7993c90-d9b0-11df-868f-001fe2de3da9}\Shell\open\command - "" = F:\U3ROM/system.exe
      [7 C:\Users\Delvin\Desktop\*.tmp files -> C:\Users\Delvin\Desktop\*.tmp -> ]
      [2 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
      [2 C:\Users\Delvin\Documents\*.tmp files -> C:\Users\Delvin\Documents\*.tmp -> ]
      @Alternate Data Stream - 138 bytes -> C:\ProgramData\TEMP:0B4227B4
      
      :Files
      C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
      C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
      C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
      C:\Users\Delvin\AppData\Roaming\ParetoLogic
      C:\Users\Delvin\AppData\Roaming\DriverCure
      C:\ProgramData\ParetoLogic
      C:\Program Files\McAfee
      C:\Program Files\4shared.com
      C:\Program Files\Zynga
      C:\Program Files\Online_Radio_India
      C:\Program Files\FilmFanaticEI
      C:\Program Files\ConduitEngine
      
      :Commands
      [PURITY]
      [EMPTYTEMP]
      [CREATERESTOREPOINT]
      
      
    3. Close all running applications other than OTL.
    4. Click the Run Fix button at the top.
    5. Let the program run unhindered and reboot the PC when it is done.
    6. When the computer Reboots, and you start your usual account, a Notepad text file will appear.
    7. Copy the contents of that file and post it in your next reply. The log can also be found, based on the date/time it was created, as C:\_OTL\MovedFiles\MMDDYYYY_HHMMSS.log.

  4. Install the newest version of Adobe Reader for reading pdf files, due to the vulnerabilities in earlier versions.
    All versions numbered lower than 10.1.2 are vulnerable.
    1. Click here to download the AdbeRdr1012_en_US.exe installer and save it to your desktop.
    2. Right-click the installer and select Run As Administrator to install the latest version of Adobe Reader.
    3. After the new Reader is installed, Open Adobe Reader X, as it is called, and OK the license.
    4. Click on Edit and select Preferences.
    5. On the Left, click on the Javascript category and Uncheck Enable Acrobat Javascript.
    6. Click on the Security (Enhanced) category and Uncheck Automatically trust sites from my Win OS security zones.
    7. Click on the Trust Manager category and Uncheck Allow opening of non-PDF file attachments with external applications.
    8. Click the OK button
    9. When it finishes, you can remove the Installer from your desktop.

  5. Run a Scan with OTL
    1. Right-click the OTL icon on your Desktop and select Run As Administrator to run the program.
    2. Check the boxes labeled :
      • Scan All Users
      • LOP check
      • Purity check
      • Extra Registry > Use SafeList <-- Be sure to select this option
    3. Make sure all other windows are closed so that it can run uninterrupted.
    4. Click on the Run Scan button at the top left hand corner. Do not change any settings unless otherwise told to do so. The scan won't take long.
    5. When the scan completes, it will open two notepad windows. OTL.Txt will be displayed and Extras.Txt will be minimized. These are saved in the same location as OTL. (desktop)
    6. Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them as a reply. Use separate replies if more convenient.

  6. Question about Firefox version installed
    I noticed that you have Firefox 3.6.12 installed. Is there a reason that you have stayed with that version and have not yet upgraded to a newer version?


Please include in your reply:
  1. The text of any error messages and/or a description of any problems you encountered while performing these steps.
  2. The contents of the OTL Fix log.
  3. The contents of the OTL.txt and Extras.txt logs.
  4. The answer to the question concerning Firefox 3.6.12.


mambass
User avatar
mambass
Retired Graduate
 
Posts: 826
Joined: April 23rd, 2010, 9:26 am

Re: Rootkit infection: IRP hook

Unread postby DelvinNg » April 8th, 2012, 11:02 am

Hihi mambass, :)

III. Perform a Custom Fix with OTL

When the OTL program seems to be completed, I tried to close it but it is not responding. I chose the option to wait for it to respond, but I still faced the same problem. Thus, I forced close the program. And then I restarted my comp.

No Notepad text file appeared.

No log file found either. Just found a folder named "04082012_223756" at C:\_OTL\MovedFiles. I found a LogFile.txt at C:\_OTL\MovedFiles\04082012_223756\C_Users\Delvin\AppData\Roaming\DriverCure folder though. Details pasted below:

Backend construcor called.
Backend Initiallized.
Backend clear function called.
Backend destructor called.

Should I redo III. Perform a Custom Fix with OTL? Thanks!

Rdgs,
Delvin
DelvinNg
Regular Member
 
Posts: 40
Joined: March 30th, 2012, 6:34 am

Re: Rootkit infection: IRP hook

Unread postby mambass » April 8th, 2012, 11:21 am

Hi Delvin, :)

Try the OTL Fix in Task III again. If it still hangs then reboot and move on to Task IV and mention in your reply that it hung again.

mambass
User avatar
mambass
Retired Graduate
 
Posts: 826
Joined: April 23rd, 2010, 9:26 am

Re: Rootkit infection: IRP hook

Unread postby DelvinNg » April 8th, 2012, 11:59 am

Hihi mambass, thanks for prompt help;)

I tried OTL Fix in Task III again and below Windows error message appeared (not exact words though):
OTL has stopped working.
A problem has caused the program to stop working properly. Windows will close this program and notify you if a solution to the problem is available.

I've completed Task IV just now. Do I proceed with Task V now?

4. Question about Firefox version installed
I noticed that you have Firefox 3.6.12 installed. Is there a reason that you have stayed with that version and have not yet upgraded to a newer version?
No particular reason except probably b'coz I seldom use Firefox unless I got issues with IE then will use Firefox. Should I search for an upgrade and install it now?

Rdgs,
Delvin
DelvinNg
Regular Member
 
Posts: 40
Joined: March 30th, 2012, 6:34 am

Re: Rootkit infection: IRP hook

Unread postby mambass » April 8th, 2012, 12:10 pm

Hi Delvin, :)

Delvin wrote:No particular reason except probably b'coz I seldom use Firefox unless I got issues with IE then will use Firefox. Should I search for an upgrade and install it now?
I asked because some people stayed on version 3.6.x intentionally. I just wanted to know so that I could provide the appropriate instructions later. There's no need to do anything about it right now.


Delvin wrote:I've completed Task IV just now. Do I proceed with Task V now?
Yes, please do that now.


mambass
User avatar
mambass
Retired Graduate
 
Posts: 826
Joined: April 23rd, 2010, 9:26 am
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 36 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware