Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Trojan.rookit/gen


Re: Trojan.rookit/gen

Post by Patryn38 » May 1st, 2010, 11:39 am

Here is the requested Log.

ComboFix 10-04-30.03 - Brian 05/01/2010 11:27:05.3.4 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.3326.2223 [GMT -4:00]
Running from: c:\users\Brian\Desktop\Combo-Fix.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Brian\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Antimalware Doctor

.
((((((((((((((((((((((((( Files Created from 2010-04-01 to 2010-05-01 )))))))))))))))))))))))))))))))
.

2010-05-01 15:31 . 2010-05-01 15:31 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-05-01 15:31 . 2010-05-01 15:31 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-30 00:41 . 2010-04-30 00:41 62976 ----a-w- c:\users\Brian\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-04-29 18:58 . 2010-05-01 15:31 -------- d-----w- c:\users\Brian\AppData\Local\temp
2010-04-28 17:50 . 2010-04-28 17:50 -------- d-----w- C:\Gmer
2010-04-28 17:45 . 2010-04-28 17:45 -------- d-----w- C:\rsit
2010-04-28 17:23 . 2010-04-14 16:35 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-04-28 17:23 . 2010-04-14 16:35 162768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-04-28 17:23 . 2010-04-14 16:31 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-04-28 17:23 . 2010-04-14 16:31 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-04-28 17:23 . 2010-04-14 16:31 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-04-28 17:23 . 2010-04-14 16:47 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-04-28 17:23 . 2010-04-14 16:47 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-04-28 17:23 . 2010-04-28 17:23 -------- d-----w- c:\programdata\Alwil Software
2010-04-28 17:23 . 2010-04-28 17:23 -------- d-----w- c:\program files\Alwil Software
2010-04-24 19:35 . 2010-04-24 19:35 -------- d-----w- c:\program files\Trend Micro
2010-04-21 22:02 . 2010-04-21 22:02 125952 ----a-w- c:\programdata\ParetoLogic\UUS2\Temp\Update.exe
2010-04-21 22:02 . 2010-04-22 00:16 3347488 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-04-21 21:59 . 2010-04-22 00:15 -------- d-----w- c:\program files\Common Files\ParetoLogic
2010-04-21 21:58 . 2010-04-22 00:15 -------- d-----w- c:\programdata\ParetoLogic
2010-04-21 21:58 . 2010-04-21 21:58 -------- d-----w- c:\users\Brian\AppData\Local\Downloaded Installations
2010-04-21 02:54 . 2010-04-21 02:54 52224 ----a-w- c:\users\Brian\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-21 02:54 . 2010-04-30 00:41 117760 ----a-w- c:\users\Brian\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-21 02:53 . 2010-04-21 02:53 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-04-21 02:53 . 2010-04-21 02:53 65024 ----a-r- c:\users\Brian\AppData\Roaming\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
2010-04-21 02:53 . 2010-04-21 02:53 5120 ----a-r- c:\users\Brian\AppData\Roaming\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF16.exe
2010-04-21 02:53 . 2010-04-21 02:53 18944 ----a-r- c:\users\Brian\AppData\Roaming\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
2010-04-21 02:53 . 2010-04-30 00:21 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-21 02:53 . 2010-04-21 02:53 -------- d-----w- c:\users\Brian\AppData\Roaming\SUPERAntiSpyware.com
2010-04-21 02:27 . 2010-04-21 02:28 -------- d-----w- c:\program files\NVIDIA Corporation
2010-04-21 01:16 . 2010-04-21 01:16 148 ----a-w- c:\windows\system32\565488.BAT
2010-04-21 01:02 . 2010-04-21 01:02 120 ----a-w- c:\users\Brian\AppData\Local\Qzojayew.dat
2010-04-21 01:02 . 2010-04-21 01:02 0 ----a-w- c:\users\Brian\AppData\Local\Ddepazalebinurif.bin
2010-04-21 01:01 . 2010-04-21 01:01 148 ----a-w- c:\windows\system32\16349513.BAT
2010-04-21 01:00 . 2010-04-21 01:00 70656 --sha-r- c:\windows\system32\msvcrte.dll
2010-04-15 00:40 . 2010-04-15 01:11 -------- d-----w- c:\users\Brian\AppData\Roaming\Apple Computer
2010-04-15 00:40 . 2010-04-15 00:40 -------- d-----w- c:\users\Brian\AppData\Local\Apple Computer
2010-04-15 00:40 . 2010-04-15 00:40 -------- dc----w- c:\windows\system32\DRVSTORE
2010-04-15 00:40 . 2009-05-18 17:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-04-15 00:40 . 2008-04-17 16:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-04-15 00:39 . 2010-04-15 00:39 -------- d-----w- c:\program files\iPod
2010-04-15 00:39 . 2010-04-15 00:40 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-15 00:39 . 2010-04-29 18:57 -------- d-----w- c:\program files\iTunes
2010-04-15 00:38 . 2010-04-29 18:57 -------- d-----w- c:\program files\QuickTime
2010-04-15 00:38 . 2010-04-15 00:39 -------- d-----w- c:\programdata\Apple Computer
2010-04-15 00:38 . 2010-04-15 00:38 -------- d-----w- c:\users\Brian\AppData\Local\Apple
2010-04-15 00:38 . 2010-04-15 00:38 -------- d-----w- c:\program files\Apple Software Update
2010-04-15 00:37 . 2010-04-15 00:37 -------- d-----w- c:\program files\Bonjour
2010-04-15 00:37 . 2010-04-15 00:39 -------- d-----w- c:\program files\Common Files\Apple
2010-04-15 00:37 . 2010-04-15 00:37 -------- d-----w- c:\programdata\Apple
2010-04-13 18:54 . 2010-02-23 11:10 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-13 18:54 . 2010-02-23 11:10 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-13 18:54 . 2010-02-23 11:10 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-13 18:54 . 2010-02-18 14:07 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-13 18:54 . 2010-02-18 14:07 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-13 18:54 . 2010-03-05 14:01 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-13 18:54 . 2010-02-18 14:07 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-13 18:54 . 2010-02-18 13:30 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-13 18:54 . 2010-02-18 11:28 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-13 18:54 . 2009-12-23 11:33 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-13 18:54 . 2010-01-13 17:34 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-06 15:35 . 2010-04-06 15:36 -------- d-----w- c:\users\Brian\AppData\Local\Adobe
2010-04-06 15:33 . 2010-04-06 15:33 -------- d-----w- c:\program files\Common Files\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-01 14:29 . 2010-04-21 02:28 34901 ----a-w- c:\programdata\nvModes.dat
2010-04-29 19:10 . 2009-04-23 23:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-29 19:09 . 2009-06-21 14:16 6153648 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-29 18:57 . 2009-04-28 21:40 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-29 18:57 . 2009-01-18 16:56 -------- d-----w- c:\program files\RivaTuner v2.09
2010-04-29 16:19 . 2009-04-23 23:16 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 16:19 . 2009-04-23 23:16 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-24 20:50 . 2009-01-18 20:18 34360 ----a-w- c:\windows\system32\drivers\mouclass.sys
2010-04-24 19:26 . 2009-04-28 21:40 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-04-22 00:16 . 2010-04-21 22:02 46952 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-04-21 02:53 . 2009-01-17 20:42 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-21 02:36 . 2009-01-17 20:35 -------- d-----w- c:\programdata\NVIDIA
2010-04-19 20:49 . 2010-04-19 20:49 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-04-13 23:26 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-03-31 23:04 . 2009-01-20 04:15 196608 ----a-w- c:\users\Brian\AppData\Roaming\Acreon\WowMatrix\Libraries\wmweb.dll
2010-03-31 23:04 . 2009-01-20 04:15 258048 ----a-w- c:\users\Brian\AppData\Roaming\Acreon\WowMatrix\Libraries\wmzip.dll
2010-03-26 05:48 . 2010-03-26 05:48 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-03-16 06:15 . 2010-03-16 06:15 985704 ----a-w- c:\windows\system32\nvsvc.dll
2010-03-16 06:15 . 2010-03-16 06:15 66664 ----a-w- c:\windows\system32\nvshext.dll
2010-03-16 06:15 . 2010-03-16 06:15 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-03-16 06:14 . 2010-03-16 06:14 13683816 ----a-w- c:\windows\system32\nvcpl.dll
2010-03-16 06:14 . 2010-03-16 06:14 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-03-04 17:50 . 2010-03-04 17:50 261152 ----a-w- c:\windows\system32\drivers\Rtlh86.sys
2010-02-24 22:53 . 2009-01-17 19:54 49168 ----a-w- c:\users\Brian\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-24 14:16 . 2009-10-02 19:36 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 06:39 . 2010-03-30 21:28 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-03-30 21:28 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33 . 2010-03-30 21:28 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55 . 2010-03-30 21:28 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-20 23:06 . 2010-03-11 22:19 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05 . 2010-03-11 22:19 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53 . 2010-03-11 22:19 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-12 15:46 . 2010-02-12 15:46 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 15:46 . 2010-02-12 15:46 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-03 16:24 . 2010-02-03 16:24 94208 ----a-w- c:\windows\system32\RTNUninst32.dll
2007-06-25 20:43 . 2006-11-22 14:58 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( SnapShot@2010-04-29_03.36.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-17 19:56 . 2010-05-01 14:31 44012 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:03 . 2010-05-01 14:31 70688 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-01-17 19:56 . 2010-05-01 14:31 10212 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2159073726-709688122-2792182354-1000_UserData.bin
+ 2006-11-02 13:00 . 2010-05-01 14:29 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2006-11-02 13:00 . 2010-04-29 03:36 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2006-11-02 13:00 . 2010-04-29 03:36 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2006-11-02 13:00 . 2010-05-01 14:29 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2006-11-02 13:00 . 2010-04-29 03:36 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2006-11-02 13:00 . 2010-05-01 14:29 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-04-29 03:29 . 2010-04-29 03:29 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-05-01 14:29 . 2010-05-01 14:29 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-05-01 14:29 . 2010-05-01 14:29 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2010-04-29 03:29 . 2010-04-29 03:29 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2006-11-02 12:46 . 2010-02-24 22:53 228176 c:\windows\System32\FNTCACHE.DAT
+ 2006-11-02 12:46 . 2010-04-29 19:00 228176 c:\windows\System32\FNTCACHE.DAT
+ 2006-11-02 10:22 . 2010-04-29 18:58 6549504 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2010-04-29 18:58 . 2010-04-29 18:58 6549504 c:\windows\ERDNT\subs\SCHEMA.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-04-30 2020592]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2006-10-17 1164912]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2006-10-17 1941784]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-2-21 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):d3,67,c3,7a,9a,33,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2159073726-709688122-2792182354-1000]
"EnableNotificationsRef"=dword:00000001

R2 aswFsBlk;aswFsBlk;aswFsBlk.sys [x]
R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2009-01-18 79360]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2009-01-18 79360]
R3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.SYS [2008-10-08 171032]
R3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.SYS [2008-10-08 1324056]
R3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.SYS [2008-10-08 72728]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-17 12872]
S1 aswSP;aswSP; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-04-30 61440]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-04-14 51792]
S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\System32\drivers\CT20XUT.SYS [2008-10-08 171032]
S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\System32\drivers\CTEXFIFX.SYS [2008-10-08 1324056]
S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\System32\drivers\CTHWIUT.SYS [2008-10-08 72728]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
2008-04-12 01:23 38400 ----a-w- c:\windows\System32\SoundSchemes.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24}]
2008-08-28 18:50 30720 ----a-w- c:\windows\System32\soundschemes2.exe
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\users\Brian\AppData\Roaming\Mozilla\Firefox\Profiles\fdnk086e.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/defaulta.aspx
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-01 11:31
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(744)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'Explorer.exe'(4088)
c:\program files\Logitech\SetPoint\GameHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
.
Completion time: 2010-05-01 11:32:42
ComboFix-quarantined-files.txt 2010-05-01 15:32
ComboFix2.txt 2010-04-29 19:04
ComboFix3.txt 2010-04-29 03:37

Pre-Run: 218,879,557,632 bytes free
Post-Run: 218,849,972,224 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=5 Sets=1,2,4,5
- - End Of File - - AA52FF825592988B3029EC1994891F29
Patryn38
Regular Member
Posts: 26
Joined: April 24th, 2010, 3:28 pm

Re: Trojan.rookit/gen

Post by xixo_12 » May 1st, 2010, 12:10 pm

Hi,
Let's proceed.

First,
DeFogger - Disable
Please download from HERE and save to the desktop.
  • Right click on DeFogger.exe > Run as Administrator to run it.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

Next,
Analyze file(s).
Please visit Jotti.
Click on Browse > copy the links below (one by one) and paste them into the File name box > Click Open:
c:\users\Brian\AppData\Local\Qzojayew.dat
c:\users\Brian\AppData\Local\Ddepazalebinurif.bin

  • Press Submit file - this will submit the file for testing.
  • Please wait for all the scanners to finish then copy and paste the permalink (web address) in your next response.
Example of web address: [screenshot not reproduced]

Next,
Boot to Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu will appear. If you begin tapping the F8 key too soon, some computers display a keyboard error message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe Mode.
  • Login on your usual account.

Next,
SystemLook by jpshortstuff.
Please download from one of the links below and save it to the Desktop.
Download Mirror #1
Download Mirror #2

  • Right click on SystemLook.exe > Run as Administrator to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :contents
    c:\windows\system32\565488.BAT
    c:\windows\system32\16349513.BAT
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Next,
Reboot into the usual account.

Next,
Checklist.
Please post.
  • Web links = 2
  • Content of SystemLook.txt
xixo_12
MRU Master Emeritus
Posts: 2340
Joined: October 14th, 2008, 11:40 am
Location: Malaysia
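Added example (not from this thread and not ComboFix's own tooling): a small Python triage script that parses the dated lines in the "Files Created" section of the ComboFix log above and flags the same kind of entries the helper picked out by eye. Rule names and thresholds are this example's own, and the dropped_example.tmp line in the sample is constructed, not from the log.

```python
"""Triage helper for the "Files Created" section of a ComboFix log.

Added example: not part of the thread and not ComboFix's own code.  It parses
the dated file lines ComboFix prints and applies the kind of heuristics the
helper applied by eye: numeric-named .BAT files in system32, system+hidden
files in system32, tiny or empty data files dropped straight into the profile
root, and otherwise unremarkable files created inside the same burst as
flagged ones.  Rule names and thresholds are this example's own.
"""
import re
from datetime import datetime, timedelta

# Sample input: lines copied from the ComboFix log quoted in the thread, plus
# one constructed line (dropped_example.tmp) that is NOT in the thread; it is
# there only to show the burst rule catching a file no other rule flags.
SAMPLE_LOG = r"""
2010-04-28 17:23 . 2010-04-14 16:35 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-04-21 22:02 . 2010-04-22 00:16 3347488 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-04-21 02:53 . 2010-04-30 00:21 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-21 01:16 . 2010-04-21 01:16 148 ----a-w- c:\windows\system32\565488.BAT
2010-04-21 01:05 . 2010-04-21 01:05 8192 ----a-w- c:\users\Brian\AppData\Local\Temp\dropped_example.tmp
2010-04-21 01:02 . 2010-04-21 01:02 120 ----a-w- c:\users\Brian\AppData\Local\Qzojayew.dat
2010-04-21 01:02 . 2010-04-21 01:02 0 ----a-w- c:\users\Brian\AppData\Local\Ddepazalebinurif.bin
2010-04-21 01:01 . 2010-04-21 01:01 148 ----a-w- c:\windows\system32\16349513.BAT
2010-04-21 01:00 . 2010-04-21 01:00 70656 --sha-r- c:\windows\system32\msvcrte.dll
2010-04-15 00:40 . 2009-05-18 17:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
"""

# created . modified size attrs path   (size is "--------" for directories)
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)


def parse_line(line):
    """Parse one file line; returns None for headers, banners and blanks."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "created": datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
        "size": None if m["size"].startswith("-") else int(m["size"]),
        # attribute column as inferred from the log, e.g. "--sha-r-":
        # d=directory, c=compressed, s=system, h=hidden, a=archive, r/w
        "attrs": m["attrs"],
        "path": m["path"].lower(),
    }


def file_reasons(entry):
    """Per-file review triggers (reasons for a closer look, not verdicts)."""
    reasons = []
    if entry["attrs"][0] == "d":
        return reasons
    folder, _, name = entry["path"].rpartition("\\")
    stem, _, ext = name.rpartition(".")
    in_system32 = "\\windows\\system32" in folder
    if in_system32 and ext == "bat" and stem.isdigit():
        reasons.append("numeric-named .BAT in system32")
    if in_system32 and entry["attrs"][2:4] == "sh":
        reasons.append("system+hidden file in system32")
    if folder.endswith(("\\appdata\\local", "\\appdata\\roaming")) and entry["size"] < 4096:
        reasons.append("tiny data file dropped into the profile root")
    if entry["size"] == 0:
        reasons.append("empty file")
    return reasons


def drop_window(entries, findings, gap=timedelta(minutes=20)):
    """Longest run of flagged creation times spaced at most `gap` apart:
    a rough estimate of when the dropper ran.  None if nothing clusters."""
    times = sorted(e["created"] for e in entries if findings.get(e["path"]))
    best = start = None
    for prev, cur in zip(times, times[1:]):
        if cur - prev > gap:
            start = None
            continue
        start = start or prev
        if best is None or cur - start > best[1] - best[0]:
            best = (start, cur)
    return best


def triage(log_text, gap=timedelta(minutes=20)):
    """Map path -> list of reasons for every entry worth a human look."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    findings = {e["path"]: file_reasons(e) for e in entries}
    window = drop_window(entries, findings, gap)
    if window:
        for e in entries:
            unflagged_file = e["attrs"][0] != "d" and not findings[e["path"]]
            if unflagged_file and window[0] <= e["created"] <= window[1]:
                findings[e["path"]].append("created inside the suspected drop window")
    return {path: reasons for path, reasons in findings.items() if reasons}


if __name__ == "__main__":
    for path, reasons in sorted(triage(SAMPLE_LOG).items()):
        print(path + "\n    " + "; ".join(reasons))
```

On the sample it reports the two numeric .BAT files, msvcrte.dll, the two profile-root data files and the constructed temp file, and estimates the drop window as 01:00 to 01:16 on 2010-04-21.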

Re: Trojan.rookit/gen

Post by Patryn38 » May 1st, 2010, 7:26 pm

Ok. Here is how the latest series of instructions went.

DeFogger ran fine.

Jotti only returned one Link:

http://virusscan.jotti.org/en/scanresul ... adf4316992
c:\users\Brian\AppData\Local\Ddepazalebinurif.bin - Status: File is empty (0 bytes)!


Next I booted into Safe Mode. I had no problem doing so. Unfortunately, jpshortstuff gave me the same error as before. "A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available."
Patryn38
Regular Member
Posts: 26
Joined: April 24th, 2010, 3:28 pm

Re: Trojan.rookit/gen

Post by xixo_12 » May 1st, 2010, 8:08 pm

Hi,

Please let me know: did you ever try running the RSIT and GMER scans in safe mode?
If not, please run both and provide the logs.

Please use these instructions for RSIT and run GMER using the previous instructions. Make sure both are run in safe mode only. :)
RSIT.
  • Copy the code as below by highlight > right click > copy:
    Code:
    "%userprofile%\desktop\rsit.exe" /info
  • Click on Start > Run....
  • Paste the code into the box and click OK.
  • Click on Continue at the disclaimer screen.
  • Once it finishes, two logs will open.
    • log.txt will be opened maximized
    • info.txt will be opened minimized
  • Please post the contents of both logs in your next post.
***You can find manually the log at C:\rsit
xixo_12
MRU Master Emeritus
Posts: 2340
Joined: October 14th, 2008, 11:40 am
Location: Malaysia

Re: Trojan.rookit/gen

Post by Patryn38 » May 3rd, 2010, 7:54 pm

Hello. Sorry for the delay in getting back to this.

I booted into safe mode and attempted to run both those programs. I ran into the exact same errors while in safe mode as I did in normal boot.
Patryn38
Regular Member
Posts: 26
Joined: April 24th, 2010, 3:28 pm

Re: Trojan.rookit/gen

Post by xixo_12 » May 4th, 2010, 6:44 am

Hi,
We will try a different approach for this one.
Looks like it's getting weird.

First,
F-Secure Blacklight by © F-Secure Corporation.
Please download from HERE and save to the desktop.
  • Open Notepad. Copy and paste the following into Notepad:
    C:\Users\Username\Desktop\fsbl.exe /expert
  • Save the NotePad file:
    • Click on File from the top menu bar.
    • Select Save As... "Filename" entry = fsblroot.bat. The "Save As Type" entry = All Files.
    • Click Save.
  • Right click on fsblroot.bat. Select Run As Administrator to run it.
    Command Prompt will open, followed by the Blacklight application screen.
  • Read the license agreement. Select "I accept the agreement" and then click Next.
  • Click on Scan.
  • Once the scan is done, close F-Secure Blacklight. Don't do anything with the results found!
  • A log file will be created on your C:\ drive...called "fsbl-yyyymmddhhmmss.log", where the yyyymmddhhmmss = date and time.
    Please post the contents of the fsbl-yyyymmddhhmmss.log file in your next reply.

Next,
ATF by Atribune
Please download HERE and save to the desktop. Right click on ATF Cleaner.exe > Run as Administrator to open it.
Under Main choose:
    choose: Select All
    Click the Empty Selected button.
if you use Firefox:
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
if you use Opera:
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program

Next,
Kaspersky Online AV Scan
Note: Internet Explorer should be used. Right click on the icon > Run as Administrator.
Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan and then put the kettle on!
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place like your Desktop. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Copy and paste the report into your next reply.

Next,
Checklist.
Please post.
  • Content of fsbl-yyyymmddhhmmss.log
  • Content of kaspersky scan log
xixo_12
MRU Master Emeritus
Posts: 2340
Joined: October 14th, 2008, 11:40 am
Location: Malaysia

Re: Trojan.rookit/gen

Post by Patryn38 » May 5th, 2010, 4:43 am

Hello again.

I had more success with these instructions than I have with most of the others. :)

The only slight issue I had was with F-Secure. I followed your instructions, but when I ran the .bat file the command prompt appeared and disappeared very quickly and nothing else happened. The Blacklight app screen never appeared. I ran the program on its own and will post the results below.

Everything else ran and worked fine.


05/04/10 20:28:00 [Info]: BlackLight Engine 2.2.1092 initialized
05/04/10 20:28:00 [Info]: OS: 6.0 build 6002 (Service Pack 2)
05/04/10 20:28:00 [Note]: 7019 4
05/04/10 20:28:00 [Note]: 7005 0
05/04/10 20:28:13 [Note]: 7006 0
05/04/10 20:28:13 [Note]: 7027 0
05/04/10 20:28:13 [Note]: 7035 0
05/04/10 20:28:13 [Note]: 7026 0
05/04/10 20:28:13 [Note]: 7026 0
05/04/10 20:28:15 [Note]: FSRAW library version 1.7.1024
05/04/10 20:28:17 [Note]: 4015 71360
05/04/10 20:28:17 [Note]: 4027 71360 262144
05/04/10 20:28:17 [Note]: 4020 71352 196608
05/04/10 20:28:17 [Note]: 4018 71352 196608
05/04/10 20:28:23 [Note]: 4015 6645
05/04/10 20:28:23 [Note]: 4027 6645 262144
05/04/10 20:28:23 [Note]: 4020 6637 94502912
05/04/10 20:28:23 [Note]: 4018 6637 94502912
05/04/10 20:28:33 [Note]: 4015 32848
05/04/10 20:28:33 [Note]: 4027 32848 983040
05/04/10 20:28:33 [Note]: 4020 31506 983040
05/04/10 20:28:33 [Note]: 4018 31506 983040
05/04/10 20:34:56 [Note]: 7007 0


----------------------------------------------------------------------------------


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, May 5, 2010
Operating system: Microsoft Windows Vista Ultimate Edition, 32-bit Service Pack 2 (build 6002)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, May 04, 2010 21:19:52
Records in database: 4049719
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Objects scanned: 137292
Threats found: 1
Infected objects found: 2
Suspicious objects found: 0
Scan duration: 01:57:22


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\Windows\system32\Drivers\_stkak_.sys.zip Infected: Rootkit.Win32.Agent.bert 2

Selected area has been scanned.
Patryn38
Regular Member
Posts: 26
Joined: April 24th, 2010, 3:28 pm

Re: Trojan.rookit/gen

Post by xixo_12 » May 5th, 2010, 8:37 am

Hi,

First,
Discussion
Do you still face any problems?
Please describe. I will try to gather some information on how to combat this one.

Next,
SysProt AntiRootkit© by swatkat
  • Please download from HERE by swatkat and save to the desktop.
  • Unzip it into a folder on your desktop and enter it, then right click on SysProt.exe > Run as Administrator to run it.
  • Go to the Log tab and check (tick) all items listed in the Write to log box.
  • Check Hidden Objects Only at the bottom of the window too.
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear. Select Scan root drive only and click Start.
  • When completed, you will be prompted showing the location of SysProtLog.txt, which is the same folder SysProt.exe was extracted to.
  • Post the contents of the log in your reply.

Next,
Avenger2 by Swandog46
Please download from HERE, save to the desktop and unzip it.
Note: This programme must be run from an account with Administrator privileges.
  • Open the Avenger folder and Right click on Avenger.exe > Run as Administrator.
  • Copy the text in the code box below and Paste it into the Input script here: box.
Code:
Files to delete:
c:\windows\system32\drivers\stkak.sys


Note: the above code was created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system.

  • Ensure the following:
    • Scan for Rootkits is checked.
    • Automatically disable any rootkits found is Unchecked.
  • Press the Execute key.
  • Avenger will now process the script you've pasted (this may involve more than one re-boot); when finished, it will produce a log file.
  • Post the log back here please. (it can also be found at C:\avenger.txt)

Next,
Checklist.
Please post.
  • Respond to our discussion
  • Content of SysProtLog.txt
  • Content of Avenger.txt
xixo_12
MRU Master Emeritus
Posts: 2340
Joined: October 14th, 2008, 11:40 am
Location: Malaysia

Re: Trojan.rookit/gen

Post by Patryn38 » May 5th, 2010, 9:42 pm

I do not seem to be having any problems that I can name. I attempted to do some Google searches and they all came up without issues, and without redirecting me to other sites.

I downloaded and ran the programs as instructed. Both ran without issues.
The only thing I see as a possible problem is the infected file was not deleted by Avenger2. Is that because it's currently in a quarantine folder?


The logs as requested:

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_iaStorV.sys
Service Name: ---
Module Base: 8EE00000
Module End: 8EEA1000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_dumpfve.sys
Service Name: ---
Module Base: 95385000
Module End: 95396000
Hidden: Yes

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwTerminateProcess
Address: 9527B900
Driver Base: 95271000
Driver End: 95293000
Driver Name: \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
No IRP Hooks found

******************************************************************************************
******************************************************************************************
Ports:
Local Address: BRIAN-PC.CABLE.RCN.COM:49960
Remote Address: 208.59.216.40:HTTP
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: BRIAN-PC.CABLE.RCN.COM:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: BRIAN-PC:49168
Remote Address: LOCALHOST:49167
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: BRIAN-PC:49167
Remote Address: LOCALHOST:49168
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: BRIAN-PC:49165
Remote Address: LOCALHOST:49164
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: BRIAN-PC:49164
Remote Address: LOCALHOST:49165
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: BRIAN-PC:49157
Remote Address: LOCALHOST:27015
Type: TCP
Process: C:\Program Files\iTunes\iTunesHelper.exe
State: ESTABLISHED

Local Address: BRIAN-PC:27015
Remote Address: LOCALHOST:49157
Type: TCP
Process: C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
State: ESTABLISHED

Local Address: BRIAN-PC:27015
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
State: LISTENING

Local Address: BRIAN-PC:5354
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: LISTENING

Local Address: BRIAN-PC:49156
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\lsass.exe
State: LISTENING

Local Address: BRIAN-PC:49155
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\services.exe
State: LISTENING

Local Address: BRIAN-PC:49154
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\svchost.exe
State: LISTENING

Local Address: BRIAN-PC:49153
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\svchost.exe
State: LISTENING

Local Address: BRIAN-PC:49152
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\wininit.exe
State: LISTENING

Local Address: BRIAN-PC:5357
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: BRIAN-PC:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: BRIAN-PC:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\svchost.exe
State: LISTENING

Local Address: BRIAN-PC.CABLE.RCN.COM:56878
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: BRIAN-PC.CABLE.RCN.COM:5353
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: BRIAN-PC.CABLE.RCN.COM:SSDP
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: BRIAN-PC.CABLE.RCN.COM:138
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: BRIAN-PC.CABLE.RCN.COM:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: BRIAN-PC:56879
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: BRIAN-PC:SSDP
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: BRIAN-PC:64253
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: BRIAN-PC:60073
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: BRIAN-PC:LLMNR
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: BRIAN-PC:IPSEC-MSFT
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: BRIAN-PC:UPNP-DISCOVERY
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: BRIAN-PC:UPNP-DISCOVERY
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: BRIAN-PC:500
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: BRIAN-PC:123
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\Windows\CSC\v2.0.6\namespace
Status: Access denied

Object: C:\Windows\CSC\v2.0.6\pq
Status: Access denied

Object: C:\Windows\CSC\v2.0.6\sm
Status: Access denied

Object: C:\Windows\CSC\v2.0.6\temp
Status: Access denied

Object: C:\Windows\CSC\v2.0.6
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Microsoft-Windows-Backup.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl
Status: Access denied


--------------------------------------------------------------------


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "c:\windows\system32\drivers\stkak.sys" not found!
Deletion of file "c:\windows\system32\drivers\stkak.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.
Patryn38
Regular Member
 
Posts: 26
Joined: April 24th, 2010, 3:28 pm
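An added triage helper, not from the thread and not part of SysProt or Avenger, that parses the "Key: Value" sections of the SysProt log posted above and encodes the checks behind the helper's "Looks clean" reading: crash-dump driver copies (dump_*.sys) are assumed benign even though they show as hidden, an SSDT hook from SUPERAntiSpyware's driver is expected because that product is installed, and only established connections to a non-loopback remote are reported. The embedded log excerpt is constructed from the post; the known-benign lists are assumptions, not SysProt rules.

```python
# Constructed excerpt of the SysProt sections quoted in the post above (same "Key: Value" layout).
SYSPROT_LOG = r"""Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_iaStorV.sys
Hidden: Yes

SSDT:
Function Name: ZwTerminateProcess
Driver Name: \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS

Ports:
Local Address: BRIAN-PC.CABLE.RCN.COM:49960
Remote Address: 208.59.216.40:HTTP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED
"""

def parse_sections(text):
    """{section: [record, ...]}, one dict of 'Key: Value' lines per blank-line-separated block."""
    sections, current, record = {}, None, {}
    for line in map(str.strip, text.splitlines() + [""]):
        if ": " in line:                               # 'Key: Value' line inside a record
            key, value = line.split(": ", 1)
            record[key] = value
        elif record:                                   # blank line or header closes the record
            sections.setdefault(current, []).append(record)
            record = {}
        if line.endswith(":") and ": " not in line:    # bare "Name:" line opens a section
            current = line[:-1]
            sections.setdefault(current, [])
    return sections

# Assumption: dump_<driver>.sys copies are Windows crash-dump drivers with no service entry, so
# rootkit scanners list them as hidden; SUPERAntiSpyware's SSDT hook is expected on this machine.
KNOWN_HOOKERS = ("\\superantispyware\\",)

def triage(text):
    """Return (category, detail) pairs for anything that still deserves a second look."""
    s, findings = parse_sections(text), []
    for m in s.get("Kernel Modules", []):
        name = m.get("Module Name", "").lower()
        if m.get("Hidden") == "Yes" and not ("\\dump_" in name and name.endswith(".sys")):
            findings.append(("hidden-module", m["Module Name"]))
    for h in s.get("SSDT", []):
        if not any(k in h.get("Driver Name", "").lower() for k in KNOWN_HOOKERS):
            findings.append(("ssdt-hook", f"{h.get('Function Name')} -> {h.get('Driver Name')}"))
    for p in s.get("Ports", []):
        remote = p.get("Remote Address", "")
        if p.get("State") == "ESTABLISHED" and not remote.startswith(("LOCALHOST", "127.")):
            findings.append(("remote-connection", f"{p.get('Process')} -> {remote}"))
    return findings
```

The only item left for a human to confirm on this excerpt is Firefox's outbound HTTP connection; a hidden module with a non-dump name or a hook from an unknown driver would be reported too.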

Re: Trojan.rookit/gen

Unread postby xixo_12 » May 6th, 2010, 7:48 am

Hi,
Looks clean.

Perhaps you can update MBAM and run a full scan again. Let me see the result before I can make a judgement. :)

Re: Trojan.rookit/gen

Unread postby Patryn38 » May 6th, 2010, 10:18 pm

My only question is what is the infection Kaspersky found on its scan?

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4073

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

5/6/2010 10:02:30 PM
mbam-log-2010-05-06 (22-02-30).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 233616
Time elapsed: 1 hour(s), 6 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Re: Trojan.rookit/gen

Unread postby xixo_12 » May 6th, 2010, 10:31 pm

Hi,

Looking good :)
Combofix quarantined that file. It's some bad file. So no need to worry about that. I will take care of it soon.

Any questions before I give last speech to you?

Re: Trojan.rookit/gen

Unread postby Patryn38 » May 6th, 2010, 11:05 pm

Is there a decent firewall that is recommended? I didn't like the way the anti-virus I tried was working (was just annoying to me) so I'm going to give another one a try here soon.

Other than that, thank you very much for all of the help. :)

Re: Trojan.rookit/gen

Unread postby xixo_12 » May 7th, 2010, 7:36 am

Good! :cheers:
Your system now is clean.
Let's do some cleaning and management.

Please note: Due to the restrictions on Vista, all tools should be started by Right-Click ---> Run As Administrator

First,
Uninstall Combofix
  • Click on Start > Run....
  • Now type in ComboFix /Uninstall into the box and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.

Next,
OTC by Old Timer.
  • Please download HERE and save it to the desktop.
  • Right click on OTC.exe > Run as an Administrator. Click on CleanUp!.
  • You will receive a prompt that it needs to restart the computer to remove the files. Click Yes.
  • It will restart your computer automatically. If it doesn't, please restart your computer manually.

Additional Information :

SpywareBlaster.
  • SpywareBlaster helps make your Internet Explorer stronger, as it will help block known malicious ActiveX controls.
  • A tutorial on installing & using this product can be found HERE

Antivirus.
  • An antivirus helps give the maximum protection for the system.
  • You are advised to have only ONE antivirus running on the system.
  • Please keep it updated regularly.

Malwarebytes' Anti-Malware.

WinPatrol.
  • Unwanted things often happen without your knowledge. Let this software take a snapshot of them.
  • More information and installation instructions can be found HERE

Windows/Program Update.
Please make sure to have your Windows Automatic Update turned ON, or you can do it manually.
Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office products loopholes and fix any bugs found. Install the updates immediately if they are found.
To update Windows
  • Go to Start > All Programs > Windows Update
To update Office
  • Open up any Office program.
  • Go to Help > Check for Updates

You can always refer to both websites to check whether any updates are needed for your system.

Firewall

Firewalls protect against hackers and malicious intruders.

I would recommend installing a free firewall for personal use from one of these excellent vendors. The choice is yours:

Information.

Safe surfing! :)

Re: Trojan.rookit/gen

Unread postby Gary R » May 7th, 2010, 11:35 am

As your problems appear to have been resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
Gary R
Administrator
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire