Definitely Infected... some type of rootkit I guess.

[BluRoze]

Hi. I have followed the steps in the "so i'm infected, now what?" thread, as well as some other things I've read around the Internet, and nothing has worked. Malwarebytes software detected a rootkit on my PC, which I thought I had removed, my computer is still acting strangely.

Here's what it's doing:

An instance of svchost.exe keeps opening in task manager and slowlying increasing in RAM usage, no matter how many times I terminate the process.

Internet Explorer opens up with no tabs, even if I set it to show tabs in the window for tabbed browsing (this has never happened before).

"there are no active mixer devices available" when I double click my volume control button. I can't change the volume on my PC at all now.

Menu bar in IE will suddenly turn black for not reason and the task bar will go back to the classic windows style suddenly for no reason.

Attached are the two files mentioned in the "so I'm infected, now what?" thread. I really hope one of you can help me out here. I'm afraid to pay any bills on my PC until I get this infection off! :S

attach.txt

dds.txt

[MrCharlie]

Welcome to the forum.

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC

[BluRoze]

Thank you so much for the fast reply!

First of all, every time I tried Scanning with RogueKiller with "MBR Scan" checked, the program would get to "Reading MBR", then after a few seconds, my computer would restart. It did that every single time, and I tried about 5 times. Each time it restarted, obviously the scan did not complete, so I don't have any reports for those tries.

I finally unchecked "MBR Scan" and the scan completed. I've attached the report that showed up on my desktop.

RKreport1.txt

[MrCharlie]

Please make sure system restore is running and create a new restore point before continuing.

XP <===> Vista & W7

XP users > please back up the registry using ERUNT.

-----------------------------------------

Please download and run TDSSKiller to your desktop as outlined below:

Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

------------------------

Click the Start Scan button.

-----------------------

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

--------------------

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

-------------------

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

MrC

[BluRoze]

Thanks again! I've done as you said and attached the file.

TDSSKiller.2.7.48.0_02.08.2012_19.52.11_log.txt

[MrCharlie]

Run TDSSKiller again and delete just this one:

19:54:29.0531 3216 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user

19:54:29.0531 3216 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip

Then............

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

[BluRoze]

Done. It went without a hitch, I think. I've attached the file.

log.txt

[BluRoze]

My apologies. I attached the wrong file in my previous reply. The correct one is attached here.

ComboFix.txt

[MrCharlie]

Looks Good.....

Please Update and run a Quick Scan with MBAM, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how computer is running now, MrC

[BluRoze]

Thank you! Thank you!!

My PC is running fine, now. All its previous "sickness" symptoms are gone.

In your last reply, what did you mean by "Make sure that everything is checked, and click Remove Selected." ?

I've run the quick scan and attached the report. MBAM didn't find anything for me to remove, so I'm not sure what you meant.

mbam-log-2012-08-02 (21-13-08)2.txt

[MrCharlie]

Great You're all set!

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files and clears System Restore cache and create new Restore point

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall)

---------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.

IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, etc....

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

[Maurice Naggar]

Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you.