Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Potential Rootkit remnants, hijacked IExplorer.

  • This topic is locked This topic is locked
1 reply to this topic

#1 MadMrE


  • Members
  • 14 posts
  • Local time:12:06 PM

Posted 07 November 2009 - 07:33 PM


I have recently spent the last couple months or so attempting to clean up a large infection that has been plaguing my computer for some time.

I use Spyware Doctor as a form of detection system as even though I have the trail version it still has the ability to discover and inform me of a variety of infections that would be present on my computer and cannot be detected with more common freeware. Recently, it has discovered a rather nasty Rootkit.TDSS infection that was hiding within my System 32 folder, as well as a few other backdoors, trojans and general rouge spyware agents. Naturally, I proceeded to neutralize as many infections as I could on my own before coming for help.

Probably a bad decision, but I became a tad brave with it after a successful exposure and removal of the majority of the files under the Rootkit using a variety of do it yourself anti malware systems. I started with MBAM, did a little do it yourself registry cleaning with Spyware Doctor as my guide, and eventually downloaded a file known as the Ultimate Boot CD in order to finally remove the rootkit. So far, while I could not boot the computer using the CD (Setup.REG always becomes corrupt during the burning process and ends up as a file with a zero KB size, hopefully not sabotage.), I was able to double click it under C:\ and gain access to the thorough library of anti malware tools packaged with it. One of which managed to discover a small part of the rootkit and eliminate it, allowing the other files to expose themselves for regular deletion. However, I cannot clean the rootkit from the Registry, and even after removing it I'm still receiving a variety of issues that definitely hint at a deeper infection.

Recently, my IExplorer has become hijacked, for one. Randomly while using Opera or Firefox, I will receive a sort of hidden prompt or window change that will cancel out my typing and presence on the current browser, and in using Task Manager to discover what has popped up; will discover that IExplore is active for no reason and constantly returning with each "End Process" I attempt. Generally sucking 60-100k of Mem usage in the process. And, that if allowed to remain around for a while... will eventually start playing random Voice Advertisements, ranging from regular ads you'd expect on T.V, to what sounds like someone talking over a microphone, to an -actual- RickRoll so to speak in the form of the "Never Gonna Give you Up." song.

Along with this, backdoors, trojans, and other severe threats I have removed using either regular Malware-Bytes Anti-Malware scan cleanups or my own actions with Spyware Doctor as my guide (Such as, cleverly I hope; renaming a random file to that of the malwares filename under the infected folder and then "Replacing" the hidden infection with it and renaming back to it's original form so as to delete hidden malware files.) are constantly regenerating no matter how many times I remove them, and under my C:\WINDOWS folder I'm getting a large amount of obviously suspicious sounding recently added files such as "7513dow9loadez143.exe" and "z571spam9ot755.dll". And, at random there will also be a sudden spike of memory usage within a single SVChost.exe that numbers in the 150k's and always slows my computer down. It apparently goes to the virus, as during a rather not well thought out moment of mine I ended it's process as well, to no real issue in the computer. Normally, closing those results in a shutdown prompt that restarts the computer, or requires cancellation with the shutdown -a command, however this never does bring up that prompt no matter how many times I remove it, and as stated it has no ill effect on any programs or connections over my computer that I know of.

Anyways, I have downloaded Hijackthis, MBAM, UBCD and all of the freeware packaged with it, and a few rootkit/rouge spyware fixes. I can provide a log for HijackThis if required, and already have downloaded Combofix though have yet to use it until a helper has diagnosed my issue and given me the all clear. I'm willing to download most anything else, however I may have issues since for some reason the computer hard drive space is constantly being filled up. I'm not sure if this is because of someone else, or a virus... but it may bring up issues if large files need to be created for any of these programs.

I have a good idea of a few infections I may still possess, however I figured I should post under here first so someone can aid me in diagnosing any other issues I may have before moving on to the fix forum with a definite idea of the issue.

Thank you for your time.

EDIT: Oh, and I'm using Windows XP with Service Pack 2.

Edited by MadMrE, 07 November 2009 - 10:42 PM.

BC AdBot (Login to Remove)


#2 boopme


    To Insanity and Beyond

  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:01:06 PM

Posted 08 November 2009 - 06:11 PM

Hello ,please go here HijackThis Logs and Virus/Trojan/Spyware/Malware Removal ,click New Topic,give it a relevant Title and post that complete HJT log.

Let me know if it went OK.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users