Josh88 Posted December 14, 2009 ID:170704

Hello, I believe I have recently caught a nasty rootkit on my computer. When I first got it, whatever it was, it instantly disabled my Windows Firewall and McAfee virus scan, and I can no longer get these things to re-activate. I do have the full version of Spyware Doctor, and I've run several full scans with rootkits coming up on some of the infections list, but the scans are very inconsistent, because sometimes the scans just stop. I downloaded MBAM because I heard it is the best thing for this stuff, but there is absolutely no way I can open it. Whenever I try, it just says that MBAM has stopped working and Windows has to shut it down. I was just wondering what should be my next step, since my knowledge of computers is very limited. I have Windows Vista on an HP Pavilion. Thanks in advance.
marktreg Posted December 14, 2009 ID:170706

Hello and welcome to Malwarebytes.

Please print this topic and follow these basic steps first before posting any logs.

Our program, Malwarebytes' Anti-Malware, can detect and remove most Malware with no further actions required, for free.

- Please download Malwarebytes' Anti-Malware to your desktop.
- Double-click mbam-setup.exe and follow the prompts to install the program.
- At the end, be sure a checkmark is placed next to the following:
  - Update Malwarebytes' Anti-Malware
  - Launch Malwarebytes' Anti-Malware
- Then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select Perform quick scan, then click Scan.
- When the scan is complete, click OK, then Show Results to view the results.
- Be sure that everything is checked, and click Remove Selected.
- When completed, a log will open in Notepad and, if required, the program will ask you to reboot to remove locked files.

We hope our application has helped you eradicate this malicious Malware.

If your current anti-virus solution let this infection through, please consider purchasing the PRO version of Malwarebytes' Anti-Malware for additional protection.

Update your current Anti-Virus to the latest definitions and then perform a Full scan of your system.

If you don't currently have Anti-Virus, please download and install Avira AntiVir Personal. Then update to the latest definitions and perform a Full scan of your system.

If you're still experiencing issues after running the above procedures, then please follow the instructions below.

Disable CD-ROM Emulation Software

DeFogger - Disable

- Please download the following tool DeFogger to your desktop.
- Double click DeFogger to run the tool.
- The application window will appear.
- Click the Disable button to disable your CD Emulation drivers.
- Click Yes to continue.
- A 'Finished!' message will appear.
- Click OK.
- DeFogger will now ask to reboot the machine - click OK.

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

- Download DDS and save it to your desktop from here or here or here.
- Disable any script blocker, and then double click dds.scr to run the tool.
- When done, DDS will open two (2) logs:
  - DDS.txt
  - Attach.txt
- Save both reports to your desktop.

- Download the following GMER Rootkit Scanner from here.
- Download the randomly named EXE file to your Desktop. Remember what its name is since it is randomly named.
- Double click on the new randomly named exe file you downloaded and run it. If prompted about the Security Warning and Unknown Publisher, go ahead and click on Run.
- It may take a minute to load and become available.
- If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
- In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED:
  - Sections
  - IAT/EAT
  - Drives/Partition other than Systemdrive (typically only C:\ should be checked)
  - Show All (don't miss this one)
- Then click the Scan button and wait for it to finish.
- Once done, click on the [save..] button, and in the File name area type in "ark.txt", or it will save as a .log file which cannot be uploaded to your post.
- Save it where you can easily find it, such as your desktop.
- **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
- Click OK and quit the GMER program.

Note: On Firefox you need to go to Tools/Options/Main, then under the Downloads section click on "Always ask me where to save files" so that you can choose the name and where to save to, in this case your Desktop.

Copy/Paste the contents of 'DDS.txt' to be posted as text in your post. The other two logs:
- attach.txt
- ark.txt
should be zipped/archived before attaching to the post.

- Please start a New topic here and post the most recent Malwarebytes' Anti-Malware log file and DDS/GMER log files.
- The Malwarebytes' Anti-Malware log file is located in the Logs tab of the program.

DeFogger - Re-Enable (only run when instructed to, when your system is clean again)

- To re-enable your Emulation drivers, double click DeFogger to run the tool.
- The application window will appear.
- Click the Re-enable button to re-enable your CD Emulation drivers.
- Click Yes to continue.
- A 'Finished!' message will appear.
- Click OK.
- DeFogger will now ask to reboot the machine - click OK.

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

Someone will analyze the logs and give you further instructions. Please DO NOT reply to another user's post; create your own new post.

Prompt responses to instructions and performing the required fixes as soon as possible is always best.

During this scan and cleanup process you should not install any other software unless requested to do so.

Please see item #12 below as to who can help you; please ignore posts from others not authorized, and their posts will be removed.

Logs to reply with: MBAM and DDS/GMER

NOTE: If Malwarebytes won't run or DDS/GMER won't run, please still create a new post in the Malware Removal - HijackThis Logs forum and explain what happens.

NOTE: Please DO NOT post back to your post within the first 48 hours. Replying to your own posts changes the post count and will often cause helpers to think that you're already being helped, and thus they won't open and look at your post. If no one has replied within 48 hours, then please go ahead and either reply to your post or send a private message to a Moderator and let them know that you're still needing assistance. As soon as someone is available they will assist you.

If you've posted to the HJT forum and it has been over 5 days without a response, please send a Private Message asking for assistance.

Troubleshooting Tips

Please review some of the following potential fixes:
- MBAM will not install - Code 2 error, mbam.exe not found
- Windows Police Pro - MBAM will not install
- SystemSecurity - MBAM won't run
- Total-Security (FakeAlert) - MBAM won't run
- av360 (Fakealert) - MBAM won't run
- MBAM won't install or will not run (CLB Rootkit-WinNT.Alureon) - TDSS/Seneka/GAOPDX/UAC/ovfst/kungsf/SKYNET/MSIVX/hjgrui/wzszx
- Error Code 732 - Internet Explorer 8, Possible Fix
- Basic procedures to prevent freezing in McAfee VirusScan Enterprise
- Basic procedures to prevent freezing in Trend Internet Security
- Fixes for common problems and Error Codes
- Windows Defender and/or UAC Notifications on Startup
- Groups authorized to help with HJT logs
mountaintree16 Posted December 14, 2009 ID:170707

Josh,

Just a question (and yes, follow what marktreg just posted to you). Is the UAC turned on on your machine?
Josh88 Posted December 16, 2009 Author ID:171445

Hello, my computer was acting all sorts of crazy and it was a miracle, but I got DeFogger to work. I do have UAC on, and I was finally able to scan with MBAM. Here is the log:

Malwarebytes' Anti-Malware 1.42
Database version: 3289
Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

12/16/2009 12:57:21 PM
mbam-log-2009-12-16 (12-57-21).txt

Scan type: Quick Scan
Objects scanned: 104872
Time elapsed: 11 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\egodktf.bsfl (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaRoverCodec (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\h8srtd.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\MediaRoverCodec (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Files Infected:
C:\Users\Josh\AppData\Local\Temp\Installer.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\MediaRoverCodec\install.ico (Trojan.FakeAlert) -> Quarantined and deleted successfully.
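As an added example (not part of the thread and not Malwarebytes' own code), here is a small Python parser for the log format in the post above. It reads the header fields, the per-section counts and the individual detection entries, checks that the counts MBAM declares match the entries it actually lists, and pulls out the rootkit-class hits, which in this log is the h8srtd.sys service entry flagged as Rootkit.TDSS. The section names, detection names and the "Quarantined and deleted successfully." action string come from the log as posted; the function names and the treatment of anything other than that action string as "incomplete" are my own assumptions.

```python
import re
from collections import Counter

# The Malwarebytes' Anti-Malware 1.42 quick-scan log from the post above,
# used here as sample input (raw string because of the backslashes in paths).
MBAM_LOG = r"""Malwarebytes' Anti-Malware 1.42
Database version: 3289
Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

12/16/2009 12:57:21 PM
mbam-log-2009-12-16 (12-57-21).txt

Scan type: Quick Scan
Objects scanned: 104872
Time elapsed: 11 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\egodktf.bsfl (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaRoverCodec (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\h8srtd.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\MediaRoverCodec (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Files Infected:
C:\Users\Josh\AppData\Local\Temp\Installer.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\MediaRoverCodec\install.ico (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

# "Registry Keys Infected: 3"  -> summary line with a declared count
SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
# "Registry Keys Infected:"    -> start of a detail section
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# "<item> (<detection>) -> <action>" -> one detection entry
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+)$")

# Assumed "complete" action string, taken verbatim from the posted log.
COMPLETE_ACTION = "Quarantined and deleted successfully."


def parse_mbam_log(text):
    """Return (header, summary, entries) for an MBAM 1.x text log.

    header : dict of "Key: Value" lines above the detail sections (plus "product")
    summary: dict of section name -> count declared in the summary block
    entries: list of dicts with keys section, item, detection, action
    """
    header, summary, entries = {}, {}, []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m["section"]] = int(m["count"])
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m["section"]
            continue
        if current is not None:
            # Inside a detail section: keep entries, skip the "nothing found" marker.
            if line == "(No malicious items detected)":
                continue
            m = ENTRY_RE.match(line)
            if m:
                entries.append({"section": current, "item": m["item"],
                                "detection": m["detection"], "action": m["action"]})
            continue
        if not header:
            header["product"] = line          # first line: product name and version
        elif ": " in line:
            key, _, value = line.partition(": ")
            header[key] = value
    return header, summary, entries


def count_mismatches(summary, entries):
    """Sections whose declared count differs from the entries actually listed."""
    actual = Counter(e["section"] for e in entries)
    return {s: (n, actual.get(s, 0)) for s, n in summary.items() if n != actual.get(s, 0)}


def rootkit_entries(entries):
    """Entries whose detection name is in a Rootkit.* family (e.g. Rootkit.TDSS)."""
    return [e for e in entries if e["detection"].startswith("Rootkit.")]


def detection_families(entries):
    """How many entries each detection name accounts for."""
    return Counter(e["detection"] for e in entries)


def incomplete_actions(entries):
    """Entries whose action is anything other than the full quarantine-and-delete."""
    return [e for e in entries if e["action"] != COMPLETE_ACTION]


if __name__ == "__main__":
    hdr, summ, ents = parse_mbam_log(MBAM_LOG)
    print(hdr["product"], "database", hdr["Database version"], hdr["Scan type"])
    print("count mismatches:", count_mismatches(summ, ents))
    print("families:", dict(detection_families(ents)))
    for e in rootkit_entries(ents):
        print("ROOTKIT:", e["section"], e["item"], e["detection"])
    print("incomplete:", incomplete_actions(ents))
```

Running it on the posted log gives no count mismatches, five Trojan.FakeAlert entries and one Rootkit.TDSS entry, and no incomplete actions. A Rootkit.TDSS hit on a service key is the kind of entry worth checking for after a scan: it points at a kernel driver, so a follow-up full scan after the reboot is the sensible confirmation that the removal held.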
mountaintree16 Posted December 16, 2009 ID:171449

Josh88,

It's good that you have your UAC on.

You need to post your log in the link I give below though, as malware removal is not worked on in the general forums.

http://www.malwarebytes.org/forums/index.php?showforum=7

Thank you