
Help please, urgent, rootkit virus has taken over pc, can only run in 'safe' mode



Help please, a rootkit virus has taken over my computer. I have been working with people at CNET website to remove all malware infections, but the rootkit virus could not be removed and now it has got worse. I cannot run any programs on my computer in normal mode. I could run HijackThis in safe mode, I have attached the log of the scan below. Is there anyone that can help with this? Thanks!

StartupList report, 13/03/2009, 22:26:14

StartupList version: 1.52.2

Started from : C:\Documents and Settings\User1\Desktop\HiJackThis.EXE

Detected: Windows XP SP3 (WinNT 5.01.2600)

Detected: Internet Explorer v7.00 (7.00.6000.16791)

* Using default options

==================================================

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Documents and Settings\User1\Desktop\HiJackThis.bat

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Mozilla Firefox\firefox.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

UserInit = C:\WINDOWS\system32\userinit.exe

--------------------------------------------------

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Ptipbmf = rundll32.exe ptipbmf.dll,SetWriteCacheMode

CTHelper = CTHELPER.EXE

AudioDrvEmulator = "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"

NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

MSConfig = C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto

ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

--------------------------------------------------

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*

SCRNSAVE.EXE=*INI section not found*

drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe

SCRNSAVE.EXE=*Registry value not found*

drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*

HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll - {02478D38-C3F9-4efb-9B51-7695ECA05670}

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

(no name) - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

(no name) - (no file) - {7E853D72-626A-48EC-A868-BA8D5E23E045}

NAV Helper - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD}

(no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

(no name) - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Ad-Aware Update (Weekly).job

AppleSoftwareUpdate.job

Norton AntiVirus - Run Full System Scan - User1.job

Norton AntiVirus - Run Norton QuickScan - User1.job

Norton SystemWorks One Button Checkup.job

Symantec Drmc.job

Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[ewidoOnlineScan Control]

InProcServer32 = C:\WINDOWS\DOWNLO~1\EWIDOO~1.DLL

CODEBASE = http://downloads.ewido.net/ewidoOnlineScan.cab

[installation Support]

InProcServer32 = C:\Program Files\Yahoo!\Common\Yinsthelper.dll

CODEBASE = C:\Program Files\Yahoo!\Common\Yinsthelper.dll

[symantec Script Runner Class]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\tgctlsr.dll

CODEBASE = https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab

[Windows Live Safety Center Base Module]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\wlscBase.dll

CODEBASE = http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab

[symantec RuFSI Utility Class]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll

CODEBASE = http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

[system Requirements Lab Class]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\sysreqlab2.dll

CODEBASE = http://www.systemrequirementslab.com/sysreqlab2.cab

OSD = C:\WINDOWS\Downloaded Program Files\SysReqLab2.osd

[{71057C18-0507-4747-86BC-E11CE7512C5F}]

CODEBASE = https://register.btinternet.com/templates/b...lcontrol013.cab

[{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}]

CODEBASE = http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab

[shockwave Flash Object]

InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash10a.ocx

CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

[webhelper Class]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\btwebcontrol.dll

CODEBASE = https://register.btinternet.com/templates/b...bcontrol028.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #4: C:\Program Files\Bonjour\mdnsNSP.dll

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll

CDBurn: C:\WINDOWS\system32\SHELL32.dll

WebCheck: C:\WINDOWS\system32\webcheck.dll

SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------

End of report, 6,389 bytes

Report generated in 0.047 seconds

Command line options:

/verbose - to add additional info on each section

/complete - to include empty sections and unsuspicious data

/full - to include several rarely-important sections

/force9x - to include Win9x-only startups even if running on WinNT

/forcent - to include WinNT-only startups even if running on Win9x

/forceall - to include all Win9x and WinNT startups, regardless of platform

/history - to list version history only

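As an added example (not part of the original post, and not a tool used by the forum's helpers), here is a small Python triage script that parses the Run and Browser Helper Object sections of a StartupList report like the one above and flags the entries a reviewer would check first: Run values that launch a program or a rundll32 DLL by bare file name (so which copy actually runs depends on the search path, and the file must be located and checked before anything is removed), and BHOs whose DLL no longer exists on disk. The sample input is an excerpt of the log above; the section names and separator line are those HijackThis prints, and a flag is a prompt to look closer, not a verdict that the entry is malicious.

```python
import re
from dataclasses import dataclass

# Constructed sample: an excerpt of the StartupList report posted above, with
# the double spacing removed. Paths keep their single backslashes (raw string),
# exactly as HijackThis prints them.
SAMPLE_REPORT = r"""
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Ptipbmf = rundll32.exe ptipbmf.dll,SetWriteCacheMode
CTHelper = CTHELPER.EXE
AudioDrvEmulator = "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
MSConfig = C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - (no file) - {7E853D72-626A-48EC-A868-BA8D5E23E045}
NAV Helper - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD}
--------------------------------------------------
"""

SEPARATOR = "-" * 50
RUN_LINE = re.compile(r"^(?P<name>[^=]+?)\s*=\s*(?P<cmd>.+)$")
BHO_LINE = re.compile(r"^(?P<name>.+?) - (?P<path>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\})$")


@dataclass
class Finding:
    where: str    # registry key for Run entries, or "BHO"
    name: str     # value name, or the BHO's CLSID
    target: str   # the file the entry loads
    reason: str


def split_command(cmd):
    """Return (program, rest) for a Run-value command line, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
        cmd = cmd[1:]
    parts = cmd.split(None, 1)
    if not parts:
        return "", ""
    return parts[0], (parts[1] if len(parts) > 1 else "")


def is_qualified(path):
    """True when the entry names a directory or drive, not just a file name."""
    return "\\" in path or ":" in path


def triage(report):
    """Walk the Run and BHO sections of a StartupList report and return the
    entries that deserve a closer look before anything is removed."""
    findings = []
    section = key = None
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == SEPARATOR:
            section = key = None
        elif line == "Autorun entries from Registry:":
            section, key = "run", None
        elif line == "Enumerating Browser Helper Objects:":
            section = "bho"
        elif section == "run" and key is None:
            key = line  # the first line under the header is the registry key
        elif section == "run":
            m = RUN_LINE.match(line)
            if not m:
                continue
            name, (program, rest) = m.group("name"), split_command(m.group("cmd"))
            if program.lower().endswith("rundll32.exe"):
                # rundll32 takes "<dll>,<entry point>"; the DLL is what actually runs
                dll = split_command(rest)[0].split(",")[0]
                if not is_qualified(dll):
                    findings.append(Finding(key, name, dll,
                        "rundll32 loads the DLL by bare name; which copy runs depends on the search path"))
            elif not is_qualified(program):
                findings.append(Finding(key, name, program,
                    "program given by bare name; which copy runs depends on the search path"))
        elif section == "bho":
            m = BHO_LINE.match(line)
            if m and m.group("path") == "(no file)":
                findings.append(Finding("BHO", m.group("clsid"), m.group("path"),
                    "BHO is registered but its DLL is missing (orphaned CLSID)"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"{f.where}: {f.name} -> {f.target}: {f.reason}")
```

Run against the excerpt it reports three entries: the two Creative Run values that name their files without a directory, and the BHO whose DLL is gone. A fully qualified path (ccApp, NvCpl.dll, ctfmon.exe) is left alone, since the reviewer can go straight to the file and check it.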

  • Root Admin

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

