scan found rootkit autoChk.exe:BAK:$DATA

Re: scan found rootkit autoChk.exe:BAK:$DATA

Post by melboy » November 4th, 2013, 1:21 pm

Hi

As I said, rootkit scans can produce false positives. Always ask for help in interpreting the logs before acting on them.

We'll run a couple of scans to be doubly sure, but everything looks okay.


OTL Script

We need to run an OTL Fix

  • Double-click OTL.exe to start the program.
  • Click select all in the code box below, then Copy and Paste the code into the textbox.
    :commands
    [EMPTYTEMP]
    [CREATERESTOREPOINT]

  • Then click the Run Fix button at the top.
  • Click Image.
  • OTL may ask to reboot the machine. Please allow it to do so if asked.
  • The report should appear in Notepad after the reboot. Copy and Paste that report in your next reply.



Malwarebytes' Anti-Malware (MBAM)

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup-version.number.exe and follow the prompts to install the program.
  • At the end, Uncheck Enable the free trial Malwarebytes' Anti-Malware PRO
    (You can activate this when we've finished, if you wish)
  • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Select the Settings tab, then the Scanner Settings tab
  • For Action for Potentially Unwanted Programs (PUP), choose Show in results list and check for removal
  • Select the Scanner tab, select Perform Quick scan, then click on Scan
  • When done, you will be prompted. Click OK. If Items are found, then click on Show Results
  • Check all items then click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply.

    The log can also be found here:
  • C:\Users\<USERNAME>\AppData\Roaming\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Or via the Logs tab when the application is started.
Note: MBAM may ask to reboot your computer so it can continue with the removal process, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.



aswMBR

Download aswMBR and save it to your Desktop.

  • Right click aswMBR.exe & choose "Run as Administrator" to run it.
  • Click Yes to the prompt to download Avast! virus definitions.
    (Please be patient whilst the virus definitions download)
  • With the AVscan set to Quick Scan, click the Scan button.
    (Please be patient whilst your computer is scanned.)
  • When the scan reports "Scan finished successfully", click Save log & save the log to your desktop.
  • Click OK
  • Two files will be created, aswMBR.txt & a file named MBR.dat
  • Save MBR.dat to a form of removable media (CD, DVD, USB flash drive etc.) - This is a backup of your MBR. Do not delete this file.
  • NOTE: Do not click to fix anything at this stage!
  • Click EXIT.
  • Copy & Paste the contents of aswMBR.txt into your next reply.
melboy
MRU Expert
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: scan found rootkit autoChk.exe:BAK:$DATA

Post by onewerld » November 5th, 2013, 12:50 am

Hello Melboy: below are the logs of the OTL scan and the Malwarebytes scan. However, after downloading the virus definitions for the aswMBR scan and clicking on "scan", after about 10 seconds an error message appeared and almost immediately the computer shut down. On reboot, it came up in Safe Mode as the shutdown had not been done normally. I therefore did not attempt the aswMBR scan again. What would you like me to do now?

All processes killed
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 2836 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Guest

User: GuestUser

User: Public

User: Wayne
->Temp folder emptied: 1512863 bytes
->Temporary Internet Files folder emptied: 29744210 bytes
->Java cache emptied: 31033218 bytes
->FireFox cache emptied: 79324778 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 540 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 10033152 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 223218 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 145.00 mb

Restore point Set: OTL Restore Point

OTL by OldTimer - Version 3.2.69.0 log created on 11042013_211610

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

and the Malwarebytes log:

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.11.05.01

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Wayne :: WAYNE-PC [administrator]

Protection: Disabled

11/04/13 10:35:29 PM
MBAM-log-2013-11-04 (23-12-39).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 236393
Time elapsed: 10 minute(s), 32 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{CF190686-9E72-403C-B99D-682ABDB63C5B} (PUP.Optional.TopArcadeHits.A) -> No action taken.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
onewerld
Regular Member
Posts: 16
Joined: October 25th, 2013, 11:38 am

Re: scan found rootkit autoChk.exe:BAK:$DATA

Post by melboy » November 5th, 2013, 9:24 am

Hi

Try aswMBR once more.
melboy
MRU Expert
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: scan found rootkit autoChk.exe:BAK:$DATA

Post by onewerld » November 5th, 2013, 2:13 pm

Thank you Melboy. I tried aswMBR again but the computer froze about 5 minutes into the scan. I could not get a screen shot of the scan to that point as nothing would work, including Ctrl-Alt-Delete. I waited 1 hour in the hope of it recovering, but to no avail. I had to manually shut down, and on reboot the same Windows error recovery screen came up in Safe Mode. Since I had no screen shot, I copied down the last scan entry for what it is worth. It was "scanning:C:\windows\system32\ntdll.dll. (space) inition updates\{E4E" -------(the remainder I could not see).
onewerld
Regular Member
Posts: 16
Joined: October 25th, 2013, 11:38 am

Re: scan found rootkit autoChk.exe:BAK:$DATA

Post by melboy » November 5th, 2013, 2:16 pm

Hi

Run a disk check and see if aswMBR will run after that. If not, we'll try an alternative.

  • Click Start and type CMD in the start search box. When CMD is found, right click it and choose "Run as Administrator"
  • At the Command Prompt type the following:
  • CD C:\ and hit the Enter/Return key.
  • Now type in CHKDSK C: /R and hit the Enter/Return key (Note the space between C: and /R).
  • When prompted with:
    CHKDSK cannot run because the volume is in use by another process. Would you like to schedule this volume to be checked next time the system restarts (Y/N)
  • Hit the Y key then at the Command Prompt C:\ >
  • Type in EXIT and hit the Enter/Return key.
  • Now Reboot (Restart) your computer.
Note: Upon Reboot (Restart) the CHKDSK (check-disk) will start and carry out any repairs required.

Note: Do not touch either the keyboard or Mouse, otherwise the Check-Disk will be canceled and your computer will continue to boot up as normal.

Note: When CHKDSK has completed its scans, the machine will proceed to load and Boot to Windows.
melboy
MRU Expert
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: scan found rootkit autoChk.exe:BAK:$DATA

Post by onewerld » November 5th, 2013, 6:30 pm

I followed your instructions to the letter, but the check disk failed to work. It has never worked since I bought the computer, in spite of reinstalling Windows at least twice. Finally Dell claimed that it was a software problem and not the computer and refused any more help, so I gave up as it continued to function for what I needed. I have tried various commands as suggested through forums but nothing helped. I cannot schedule a disk check either.
onewerld
Regular Member
Posts: 16
Joined: October 25th, 2013, 11:38 am

Re: scan found rootkit autoChk.exe:BAK:$DATA

Post by melboy » November 5th, 2013, 6:38 pm

Hi

Forget aswMBR then, we'll try something else.

Gmer

Download GMER Rootkit Scanner from here.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • It is very important you do not use your computer while GMER is running
  • Right click the randomly named GMER icon & choose "Run as Administrator"
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan
  • If you receive a warning about rootkit activity and are asked to fully scan your system click NO
  • Please check the Quick scan box
  • Please uncheck the following:
    • IAT/EAT
    • Show All <<< Important
  • Click Scan
  • If you see a rootkit warning window click OK
  • When the scan is finished, Save the results to your desktop as gmer.log
  • Click Copy then paste the results in your reply
  • Exit GMER and be sure to re-enable your Antivirus, Firewall and any other security programs you had disabled
Note:
  • If you encounter any problems, try running GMER in Safe Mode
  • If GMER crashes or keeps resulting in a Blue Screen of Death, uncheck Devices on the right side before scanning
melboy
MRU Expert
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: scan found rootkit autoChk.exe:BAK:$DATA

Post by onewerld » November 5th, 2013, 8:30 pm

There was no problem running GMER but the computer entered "sleep" and there seemed to be 2 logs so I have copied both of them.
GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-11-05 19:08:18
Windows 6.0.6002 Service Pack 2
Running: new rootkit.exe; Driver: C:\Users\Wayne\AppData\Local\Temp\ugloqpog.sys


---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\Ecache\Parameters@LastBootPlanUserTime Tue, Nov 05 13, 06:32:01 PM????????????
Reg HKLM\SYSTEM\CurrentControlSet\Services\Ecache\Parameters@MemoryCacheSize 444873386
Reg HKLM\SYSTEM\CurrentControlSet\Services\Ecache\Parameters@LastBootPlanTime 0x7F 0xDA 0xCE 0x01 ...

---- EOF - GMER 2.1 ----
GMER 2.1.19163 - http://www.gmer.net
Rootkit quick scan 2013-11-05 19:09:52
Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD25 rev.01.0 232.89GB
Running: new rootkit.exe; Driver: C:\Users\Wayne\AppData\Local\Temp\ugloqpog.sys


---- Devices - GMER 2.1 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys
AttachedDevice \Driver\tdx \Device\Ip Mpfp.sys
AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys
AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys
AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys

---- EOF - GMER 2.1 ----
onewerld
Regular Member
Posts: 16
Joined: October 25th, 2013, 11:38 am

Re: scan found rootkit autoChk.exe:BAK:$DATA

Post by onewerld » November 7th, 2013, 3:47 pm

Hello Melboy. I ran GMER again as directed and the log is below. However, it is not as long as the scan appeared when it was finished.

GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-11-07 14:29:46
Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD25 rev.01.0 232.89GB
Running: 5xqpcfst.exe; Driver: C:\Users\Wayne\AppData\Local\Temp\ugloqpog.sys


---- Kernel code sections - GMER 2.1 ----

.text C:\Windows\system32\DRIVERS\atksgt.sys section is writeable [0xADAB2300, 0x22020, 0xE8000020]
.text C:\Windows\system32\DRIVERS\lirsgt.sys section is writeable [0xADB03300, 0x1B7E, 0xE8000020]

---- Devices - GMER 2.1 ----

AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys
AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys
AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys

---- EOF - GMER 2.1 ----
onewerld
Regular Member
Posts: 16
Joined: October 25th, 2013, 11:38 am
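As an added example (not from this thread, and not GMER's own code), here is a small Python parser that turns a GMER 2.1 text log like the ones posted above into structured data, so the entries a helper actually reviews (kernel code sections reported writeable, and which filter module sits on which device object) can be listed rather than eyeballed. The sample log is the second GMER log from the post above, abridged; the section, field and regex names are my own.

```python
import re
from dataclasses import dataclass, field

# Lines taken from the second GMER log posted above (abridged, not a constructed sample).
SAMPLE_LOG = r"""GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-11-07 14:29:46
Running: 5xqpcfst.exe; Driver: C:\Users\Wayne\AppData\Local\Temp\ugloqpog.sys

---- Kernel code sections - GMER 2.1 ----

.text C:\Windows\system32\DRIVERS\atksgt.sys section is writeable [0xADAB2300, 0x22020, 0xE8000020]
.text C:\Windows\system32\DRIVERS\lirsgt.sys section is writeable [0xADB03300, 0x1B7E, 0xE8000020]

---- Devices - GMER 2.1 ----

AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys
AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys
AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys

---- EOF - GMER 2.1 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
SCAN_RE = re.compile(r"^(Rootkit(?: quick)? scan) (\S+ \S+)$")
WRITEABLE_RE = re.compile(r"^\.text (\S+) section is writeable "
                          r"\[(0x[0-9A-Fa-f]+), (0x[0-9A-Fa-f]+), (0x[0-9A-Fa-f]+)\]$")
ATTACHED_RE = re.compile(r"^AttachedDevice (\S+) (\S+) (\S+)$")


@dataclass
class GmerReport:
    scan_type: str = ""
    scan_time: str = ""
    gmer_driver: str = ""          # GMER's own randomly named driver, not a finding
    sections: dict = field(default_factory=dict)      # section name -> raw entry lines
    writeable: list = field(default_factory=list)     # (driver path, start, size, flags)
    attached: list = field(default_factory=list)      # (owner driver, device, filter module)


def parse_gmer_log(text: str) -> GmerReport:
    """Split a GMER 2.1 text log into its header block and '---- name ----' sections."""
    rep, section = GmerReport(), None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if m := SECTION_RE.match(line):
            section = m.group(1)
            rep.sections.setdefault(section, [])
        elif section is None:                 # still inside the header block
            if m := SCAN_RE.match(line):
                rep.scan_type, rep.scan_time = m.group(1), m.group(2)
            elif "Driver: " in line:
                rep.gmer_driver = line.split("Driver: ", 1)[1]
        else:
            rep.sections[section].append(line)
            if m := WRITEABLE_RE.match(line):
                rep.writeable.append((m.group(1),) + tuple(int(g, 16) for g in m.groups()[1:]))
            elif m := ATTACHED_RE.match(line):
                rep.attached.append(m.groups())
    return rep


def summarize(rep: GmerReport) -> dict:
    """Group entries the way a helper reviews them: which drivers have a writeable
    code section, and which filter module is attached to which device object."""
    filters = {}
    for _owner, device, module in rep.attached:
        filters.setdefault(module, []).append(device)
    return {"writeable_drivers": [w[0].rsplit("\\", 1)[-1] for w in rep.writeable],
            "filters_by_module": filters}
```

The parser keeps every raw line per section, so a Registry or Files section from a fuller log is retained for review even though only the two entry types shown above are decoded.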

Re: scan found rootkit autoChk.exe:BAK:$DATA

Post by melboy » November 7th, 2013, 5:51 pm

Hi


Your log now appears to be clean. Congratulations!

This is my general post for when your logs show no more signs of malware ;) - Please let me know if you still are having problems with your computer and what these problems are.


AdwCleaner

  • Double click AdwCleaner.exe to run it.
  • Click Uninstall.
  • Click Yes to the prompt.
    AdwCleaner will close and uninstall itself
Note: If AdwCleaner prompts you that an update is available, click Cancel and continue to uninstall.


OTL by OldTimer

  • Double-click OTL.exe
  • Click the CleanUp! button
  • Select Yes when the Begin cleanup Process? Prompt appears
  • If you are prompted to Reboot during the cleanup, select Yes
  • The tool will delete itself once it finishes; if not, delete it yourself


Create a new, clean System Restore point

  1. Click on Start > Control Panel.
  2. Double click on System.
  3. On the left, click on the System Protection link.
  4. At the bottom right hand corner, click on the Create... button.
  5. Give this System Restore point a descriptive name and click on Create.
  6. You should receive a prompt that a System Restore point is created successfully. Click OK to confirm.
  7. Click OK again to close the System Protection window. Then close Control Panel.

Warning: Do not clear infected System Restore points before creating a new System Restore point first!

Please read the above to create a new System Restore point first, then clear out the infected System Restore points.


Clear infected System Restore points

  1. Click on Start > All Programs > Accessories > System Tools.
  2. Right click on Disk Cleanup and select Run As Administrator to run it. UAC will prompt. Allow it.
  3. Select your C drive and click OK.
  4. Select the More Options tab.
  5. Under System Restore and Shadow Copies, click on the Clean up... button.
  6. You will receive a prompt. Click on Delete to delete the old System Restore points.
  7. When done, click OK. You will receive another prompt. Click Delete Files to confirm.
  8. When done, Disk Cleanup will automatically close.


Protection Programs
Don't forget to re-enable any protection programs we may have disabled during your fix.

==================================================

General Security and Computer Health
Below are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.


Enable UAC

The User Account Control (UAC) helps protect your PC against malicious software.

http://windows.microsoft.com/en-US/wind ... nt-control

  1. Click on Start > Control Panel.
  2. In the search box, type uac, and then click Change User Account Control settings.
  3. Move the slider to choose when you want to be notified (I recommend at least the Default level).
  4. Click OK.

  • Make sure that you keep your antivirus updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
  • Security Updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Manually check for Windows updates via Start > All Programs > Windows Update > In the left pane, click Check for updates, and then wait while Windows looks for the latest updates for your PC, or visit the Microsoft Update site on a regular basis.
    Note: The update process uses ActiveX, so you will need to use Internet Explorer for it and allow the ActiveX control to install.
  • Update Non-Microsoft Programs
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month.


Recommended Programs

I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.
  • WinPatrol
    As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.
  • Malwarebytes' Anti-Malware
    Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. You can find a tutorial HERE. As you already have Malwarebytes' Anti-Malware on board, I would keep it regularly updated and run regular quick scans with it. The Full version can be used as an addition to an anti-virus & includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Its IP Protection provides an additional layer of security for your computer by preventing access to known malicious IP addresses and IP ranges. You can now trial the full version's features within the program. Click the Protection Tab to see.
  • Hosts File
    For added protection you may also like to add a host file. A simple explanation of what a Hosts file does is HERE and for more information regarding host files read HERE.



Finally, I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date.

Also please read this great article by Gary R & Wingman COMPUTER SECURITY - a short guide to staying safer online

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Happy surfing and stay clean!
melboy
MRU Expert
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: scan found rootkit autoChk.exe:BAK:$DATA

Post by onewerld » November 9th, 2013, 11:39 pm

Thank you Melboy for all the help and the time involved. I was hoping that check disk would now work, but that was not to be. I have downloaded all your suggestions except for the Hosts File. I will have to study what you have written, as at present it is confusing to me. I do appreciate the basic workings as explained initially, but I bog down in further explanations. Thanks again!
onewerld
Regular Member
Posts: 16
Joined: October 25th, 2013, 11:38 am

Re: scan found rootkit autoChk.exe:BAK:$DATA

Post by melboy » November 13th, 2013, 1:56 pm

Hi

You may be able to get help with the check disk problem at either this forum's software support forum, or any of these recommended forums:
Geeks to Go!
WhattheTech
melboy
MRU Expert
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: scan found rootkit autoChk.exe:BAK:$DATA

Post by NonSuch » November 13th, 2013, 4:56 pm

As this issue appears to be resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
NonSuch
Administrator
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California
