Rootkits,trojans and adware :(

Forum Rules

When posting your problem, do not run and post a ComboFix log. ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer. Any posts containing CF Logs will be ignored.

To receive help, you should instead provide a detailed description of your problem, detailed word-for-word error messages that you are receiving, screenshots of strange behaviour, and your operating system. This information is much more useful to our helpers than a ComboFix log.

If you have not received help after three days, please post a link to your topic HERE.

Page 1 of 1

You cannot start a new topic
You cannot reply to this topic

Rootkits,trojans and adware :( recently formatted computer same probs as before

#1 svaningen

New Member

Group: Members
Posts: 5
Joined: 30-January 11

Posted 30 January 2011 - 04:06 PM

i got my computer formatted yesterday from a shop and as soon as i got it home i started to have problems. I kept getting redirections to fake antivirus sites and such, then i decided to do some scans and i think i got rid of most of the trojans and malware but this is where it gets fun :D
i did a rootkit scan with Avg and guess what i have 2 rootkits located in my C:\WINDOWS\system32\dla\tfsnifs.sys section. This doesnt make sense to me as i just got my computer reformatted and i shouldn't have any problems

Any advice to help with removal of these rootkits would much apprciated.

* info: i run windows xp

-svaningen

This post has been edited by Budapest: 30 January 2011 - 06:13 PM
Reason for edit: Moved from Virus, Trojan, Spyware, and Malware Removal Logs ~BP

#2 svaningen

New Member

Group: Members
Posts: 5
Joined: 30-January 11

Posted 30 January 2011 - 04:39 PM

anyone have help or ideas??

#3 boopme

To Insanity and Beyond

Group: Global Moderator
Posts: 48,761
Joined: 10-September 04
Gender:Male
Location:NJ USA

Posted 30 January 2011 - 08:53 PM

Hello, well it sure appears thay they didn't wipe the drive and reinstall the OS.

So let's run a few tools and clean this out.

>>>> Download this file and doubleclick on it to run it. Allow the information to be merged with the registry.

RKill....

Download and Run RKill

RKill

Grinler

Link 1

Link 2

Link 3

Link 4

Before we begin, you should disable your anti-malware softwares you have installed so they do not interfere RKill running as some anti-malware softwares detect RKill as malicious. Please refer to this page if you are not sure how.
Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
If nothing happens or if the tool does not run, please let me know in your next reply

Do not reboot your computer after running rkill as the malware programs will start again. Or if rebooting is required run it again.

If you continue having problems running rkill.com, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.

Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.

Download Link 1

Download Link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
- Update Malwarebytes' Anti-Malware
- Launch Malwarebytes' Anti-Malware
Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

Make sure the "Perform Quick Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

Click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Troubleshoot Malwarebytes' Anti-Malware

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.

Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
Vista/Windows 7 users right-click and select Run As Administrator.
If TDSSKiller does not run, try renaming it.
To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
Click the Start Scan button.
Do not use the computer during the scan
If the scan completes with nothing found, click Close to exit.
If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
Copy and paste the contents of that file in your next reply.

Next run ATF and SAS: If you cannot access Safe Mode,run in normal ,but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
Close all open browsers before using, especially FireFox. <-Important!!!
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

Please ask any needed questions,post logs and Let us know how the PC is running now.

How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#4 svaningen

New Member

Group: Members
Posts: 5
Joined: 30-January 11

Posted 31 January 2011 - 01:25 AM

Rkill:
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 01/30/2011 at 19:30:47.
Operating System: Microsoft Windows XP

Processes terminated by Rkill or while it was running:

C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\runonce.exe
C:\WINDOWS\system32\verclsid.exe

Rkill completed on 01/30/2011 at 19:30:52.

Malwarebytes:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5643

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

1/30/2011 7:38:26 PM
mbam-log-2011-01-30 (19-38-26).txt

Scan type: Quick scan
Objects scanned: 131096
Time elapsed: 3 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
SUPER Antispyware:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/30/2011 at 10:04 PM

Application Version : 4.48.1000

Core Rules Database Version : 6304
Trace Rules Database Version: 4116

Scan type : Complete Scan
Total Scan Time : 02:05:44

Memory items scanned : 208
Memory threats detected : 0
Registry items scanned : 4727
Registry threats detected : 0
File items scanned : 29936
File threats detected : 49

Adware.Tracking Cookie
.lucidmedia.com [ C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\h1juzufq.default\cookies.sqlite ]
.pro-market.net [ C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\h1juzufq.default\cookies.sqlite ]
.doubleclick.net [ C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\h1juzufq.default\cookies.sqlite ]
.collective-media.net [ C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\h1juzufq.default\cookies.sqlite ]
.collective-media.net [ C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\h1juzufq.default\cookies.sqlite ]
.collective-media.net [ C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\h1juzufq.default\cookies.sqlite ]
.collective-media.net [ C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\h1juzufq.default\cookies.sqlite ]
.collective-media.net [ C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\h1juzufq.default\cookies.sqlite ]
.collective-media.net [ C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\h1juzufq.default\cookies.sqlite ]
.atdmt.com [ C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\h1juzufq.default\cookies.sqlite ]
.atdmt.com [ C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\h1juzufq.default\cookies.sqlite ]
.atdmt.com [ C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\h1juzufq.default\cookies.sqlite ]
.bellcan.adbureau.net [ C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\h1juzufq.default\cookies.sqlite ]
.atdmt.com [ C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\h1juzufq.default\cookies.sqlite ]
.r1-ads.ace.advertising.com [ C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\h1juzufq.default\cookies.sqlite ]
.advertising.com [ C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\h1juzufq.default\cookies.sqlite ]
.advertising.com [ C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\h1juzufq.default\cookies.sqlite ]
.advertising.com [ C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\h1juzufq.default\cookies.sqlite ]
.advertising.com [ C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\h1juzufq.default\cookies.sqlite ]
.e-2dj6wjlokmdpkdp.stats.esomniture.com [ C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\h1juzufq.default\cookies.sqlite ]
.yadro.ru [ C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\h1juzufq.default\cookies.sqlite ]
cdn.at.atwola.com [ C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\h1juzufq.default\cookies.sqlite ]
.at.atwola.com [ C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\h1juzufq.default\cookies.sqlite ]
.tacoda.at.atwola.com [ C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\h1juzufq.default\cookies.sqlite ]
.tacoda.at.atwola.com [ C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\h1juzufq.default\cookies.sqlite ]
.tacoda.at.atwola.com [ C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\h1juzufq.default\cookies.sqlite ]
.tacoda.at.atwola.com [ C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\h1juzufq.default\cookies.sqlite ]
.at.atwola.com [ C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\h1juzufq.default\cookies.sqlite ]
.atwola.com [ C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\h1juzufq.default\cookies.sqlite ]
.advertising.com [ C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\h1juzufq.default\cookies.sqlite ]
.advertising.com [ C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\h1juzufq.default\cookies.sqlite ]
ad.yieldmanager.com [ C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\h1juzufq.default\cookies.sqlite ]
ad.yieldmanager.com [ C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\h1juzufq.default\cookies.sqlite ]
ad.yieldmanager.com [ C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\h1juzufq.default\cookies.sqlite ]
ad.yieldmanager.com [ C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\h1juzufq.default\cookies.sqlite ]
.content.yieldmanager.com [ C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\h1juzufq.default\cookies.sqlite ]
.content.yieldmanager.com [ C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\h1juzufq.default\cookies.sqlite ]
ad.yieldmanager.com [ C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\h1juzufq.default\cookies.sqlite ]
ad.yieldmanager.com [ C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\h1juzufq.default\cookies.sqlite ]
.dmtracker.com [ C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\h1juzufq.default\cookies.sqlite ]
.revsci.net [ C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\h1juzufq.default\cookies.sqlite ]
.revsci.net [ C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\h1juzufq.default\cookies.sqlite ]
.revsci.net [ C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\h1juzufq.default\cookies.sqlite ]
.revsci.net [ C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\h1juzufq.default\cookies.sqlite ]
.adbrite.com [ C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\h1juzufq.default\cookies.sqlite ]
.adbrite.com [ C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\h1juzufq.default\cookies.sqlite ]
.adbrite.com [ C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\h1juzufq.default\cookies.sqlite ]
.adbrite.com [ C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\h1juzufq.default\cookies.sqlite ]
.kaspersky.122.2o7.net [ C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\h1juzufq.default\cookies.sqlite ]

the rest had no results it seems the rootkits werent detected

This post has been edited by svaningen: 31 January 2011 - 01:26 AM

#5 boopme

To Insanity and Beyond

Group: Global Moderator
Posts: 48,761
Joined: 10-September 04
Gender:Male
Location:NJ USA

Posted 31 January 2011 - 09:50 AM

Please run this GMER rootkit scan,

Please download GMER from one of the following locations and save it to your desktop:

Main Mirror
This version will download a randomly named file (Recommended)
Zipped Mirror
This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

Disconnect from the Internet and close all running programs.
Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.
Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in a BSODs, uncheck Devices on the right side before scanning.