Jump to content

Was Infected With SecurityTool / Rootkit - Still Infected, Help

Recommended Posts

Hello there,

This is a follow up to my post on the generic forum (http://forums.malwarebytes.org/index.php?showtopic=60129) where i was instructed to read this topic:


And post here after i follow the instructions...

Here are the facts:

* Was infected at a moments notice with a loadfull of trojans, malware and rootkits. Names i found in the mbam log:

- Trojan.BHO.H, Trojan.DownLoader, Trojan.FakeAlert, Disabled.SecurityCenter, Trojan.Agent.Gen, Trojan.Dropper, Rootkit.Dropper, Malware.Packer.Gen, Rogue.SecurityTool

* All the above where cleaned and quarantined successfully

* Did all type of scans: quick, full, flash (logs attached)

* Right now i constantly get popup messages for "successfully blocked access to malicious ip" (log attached)

* I disabled my CD-ROM emulation software, DeFogger run successfully

* DDS run successfully

* GMER Rootkit Scanner opened, did a scan for a few seconds then crashed, no luck there...

How can i know if there is no rootkit left which is untraceable?



DDS (Ver_10-03-17.01) - NTFSx86

Run by babbos at 13:24:11,14 on


Link to post
Share on other sites

Hello ,

And :( My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.




Please download ComboFix from one of these locations:


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Link to post
Share on other sites

Hello Elise,

I downloaded combofix and followed all your instructions.

At this point i see a blue DOS screen stating that the program is scanning for infected files and that should take about 10 minutes or more if i'm infected...

It has been well over an hour now that i see this screen, i have done absolutely nothing to disturb it.

Since combofix has no progress indicator i cannot tell if it has hung or is still working... c: has no logfile...

I had closed the two anti-~virus programs i had: mbam and spysweeper, but i can still see a 'SpySweeper.exe' process in the task list which i am not able to kill with any program...

I will wait a little more and then i am seriously concidering to format my pc and restore from a safe system backup i had luckily made before i got infected with Norton Ghost.

Thank you for your help, would love to hear your opinion on this

Link to post
Share on other sites

There were two processes, one was killed successfully the other one remains open with only 112K Mem usage named grep.cfxxe ...

The dos window remains, and there is no way to kill it.

I isssued a restart and computer rebooted ok...

I started Combofix again just to be sure and had it hang again... This time even the reboot/shutdown commands will not kill it so i had to hit the 'reset' switch...

Note that i see 'combofix' in the root of my C: drive, which when i click displays all the Drives of my computer (!)

I have some questions:

* How severe is my infection? Should i assume that my bank / any passwords are compromised? ( i had them stored in my browser)

* As a followup to the first question, is there any other way we can check which exactly was the culprit before i perform the format of C: ?

* I performed a scan with ESET which produced nothing significant. I am still confused as to what kind of software i need for protection... mbam will not protect me from viruses so i need an anti-virus software? Is this why it is suggested that i run the free Avira anti-virus software in the guidance post?

Thankyou for your time

Link to post
Share on other sites

Hi there,

Before giving you any information about how severe this infection was/is, I want to see it confirmed. I strongly suspect what it is, but before seeing the evidence I can't say for sure what the best course of action is.

Please follow these steps.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version of the tool.

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller. will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

Link to post
Share on other sites

Nailed it!! (maybe?)

First of, because of the instructions you provided, i understood that it is important to run applications from desktop, so i checked the "GMER Rootkit Scanner", and it executed successfully! (log attached)

After that i run the "TDSS Rootkit Removing Tool" as per your instructions and it found the rootkit and cured it... (log attached)

... what now?

Should i proceed with the format / restore from my ghost restore point or am i 100% ok as it is?

Passwords compromised?

Thank you



Link to post
Share on other sites


Good news is that the rootkit is indeed gone, bad news is that it was a nasty one.



One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

If it is an option for you, using your backup to restore would be a good thing to do. However, you need to be sure your computer was not infected back then.

Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.