
PLEASE HELP IM DESPERATE


15 replies to this topic

#1 lalamuk1

  • Members
  • 18 posts
  • Gender: Male
  • Location: Westbrook CT

Posted 01 January 2010 - 12:09 PM

Well hi, recently my sister went on a makeup how-to website and got a very nasty rootkit on our comp. The rootkit is h8srt5736. Well, I tried to post on the virus topic and it wouldn't let me. Please, I need help, someone please help me get rid of this virus or rootkit. I ran GMER and it found the rootkit before but I don't know how to remove it, please, I'm helpless. It sometimes redirects me when I try to search on Google; I have no idea what to do. It disabled Avira but I got it back: I ran GMER and I removed something, I don't know how, I clicked on something and got it back. I sometimes get alerts from Avira about the same thing but it's a different virus each time. Every single time I turn on my comp I look at my processes to end this NMaccess32.exe because I heard that it was a backdoor. Please help me, please!



#2 garmanma

  • Computer Masochist
  • Members
  • 27,809 posts
  • Gender: Male
  • Location: Cleveland, Ohio

Posted 01 January 2010 - 01:43 PM

Post the GMER log and also try these two scans


The process of cleaning your computer may require you to temporarily disable some security programs. If you are using SpyBot Search and Destroy, please refer to Note 2 at the bottom of this page.

Please download Malwarebytes Anti-Malware Free version and save it to your desktop.

NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop.


alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note:
-- If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Note 2:
-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes. To disable these programs, please view this topic: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
---------------------------
Be sure to re-enable your AV and malware scan tools if they were disabled

==========================

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 lalamuk1

  • Topic Starter
  • Members
  • 18 posts
  • Gender: Male
  • Location: Westbrook CT

Posted 01 January 2010 - 02:03 PM

OK, I'll do that and post the results tomorrow because my sister needs the computer today. Well, I have a question: what is NMaccess32.exe? Thanks! I will post the results tomorrow; I'm sorry if that's inconvenient.

#4 lalamuk1

  • Topic Starter
  • Members
  • 18 posts
  • Gender: Male
  • Location: Westbrook CT

Posted 01 January 2010 - 02:05 PM

Also, I have Malwarebytes installed on my comp. Can I just update it then run it, or should I redownload it? Here is some additional information: I have Comodo Firewall set to proactive; my sister allowed the virus to infect the comp by hitting Allow, I don't know why. She must have thought it was non-virus. Also I have Avira 9 free edition, ComboFix installed, UnHackMe installed, and S.A.S installed.

#5 garmanma

  • Computer Masochist
  • Members
  • 27,809 posts
  • Gender: Male
  • Location: Cleveland, Ohio

Posted 01 January 2010 - 07:04 PM

Yes update mbam and run it
You can run a SAS too
Mark

#6 lalamuk1

  • Topic Starter
  • Members
  • 18 posts
  • Gender: Male
  • Location: Westbrook CT

Posted 02 January 2010 - 12:02 PM

(This is the malwarebytes log.)
Malwarebytes' Anti-Malware 1.43
Database version: 3478
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

1/2/2010 11:56:09 AM
mbam-log-2010-01-02 (11-56-09).txt

Scan type: Quick Scan
Objects scanned: 33522
Time elapsed: 2 hour(s), 16 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\H8SRTrqrthhovvw.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

#7 lalamuk1

  • Topic Starter
  • Members
  • 18 posts
  • Gender: Male
  • Location: Westbrook CT

Posted 02 January 2010 - 12:04 PM

The Malwarebytes quick scan took incredibly long. I was up to 2 hours and aborted the scan and deleted what was selected. The scan was taking really long at the Temporary Internet Files. Now I'm going to do RootRepeal.

#8 lalamuk1

  • Topic Starter
  • Members
  • 18 posts
  • Gender: Male
  • Location: Westbrook CT

Posted 02 January 2010 - 12:15 PM

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/02 12:05
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF3698000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79FC000 Size: 8192 File Visible: No Signed: -
Status: -

Name: nvruf.sys
Image Path: nvruf.sys
Address: 0xF749C000 Size: 54016 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xBAD70000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT

RootRepeal took unbelievably short, maybe like 5 minutes, I don't know why.

#9 lalamuk1

  • Topic Starter
  • Members
  • 18 posts
  • Gender: Male
  • Location: Westbrook CT

Posted 02 January 2010 - 12:45 PM

Will this be a problem? My dad recently used his credit card on our comp with the rootkit. Will his identity be stolen?

#10 lalamuk1

  • Topic Starter
  • Members
  • 18 posts
  • Gender: Male
  • Location: Westbrook CT

Posted 02 January 2010 - 01:19 PM

Here's a new MBAM log. I was able to fix the reason why the scans were so long: I ran CCleaner and deleted all the temp files. =)
Malwarebytes' Anti-Malware 1.43
Database version: 3479
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

1/2/2010 1:10:34 PM
mbam-log-2010-01-02 (13-10-34).txt

Scan type: Quick Scan
Objects scanned: 139580
Time elapsed: 13 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\krl32mainweq.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\H8SRTuxuojntlmp.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\H8SRTrvnewstuyp.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
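The two MBAM logs in this thread follow a fixed text layout: a block of "<Section> Infected: N" counts, then one "<Section> Infected:" heading per category with either "(No malicious items detected)" or one detection per line in the form "item (Family) -> action". The helper below is an added example, not Malwarebytes' own code, written by the editor to triage such a log: it parses the detections, checks that the declared counts match what is actually listed, and flags the TDSS items by family name or by the H8SRT file/key prefix this variant used. The sample log is constructed from the layout and detections posted above; the H8SRT prefix is the one from this thread.

```python
import re

# Constructed sample in the Malwarebytes 1.43 log layout posted in this thread
# (summary counts, then one "<Section> Infected:" block per category).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.43
Scan type: Quick Scan

Registry Keys Infected: 1
Files Infected: 3

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\krl32mainweq.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\H8SRTuxuojntlmp.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\H8SRTrvnewstuyp.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^(.+) Infected: (\d+)$")      # "Files Infected: 3"
HEADER_RE = re.compile(r"^(.+) Infected:$")              # "Files Infected:"
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^)]+)\) -> (?P<action>.+)$")
TDSS_PREFIX = "H8SRT"  # random-looking prefix this TDSS variant put on its files and key

def parse_mbam_log(text):
    """Return ({section: declared count}, [detection dicts]) from an MBAM text log."""
    counts, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SUMMARY_RE.match(line):
            counts[m.group(1)] = int(m.group(2))
        elif m := HEADER_RE.match(line):
            section = m.group(1)
        elif section and (m := DETECTION_RE.match(line)):
            detections.append({"section": section, **m.groupdict()})
    return counts, detections

def triage(text):
    """Cross-check declared counts against listed items and pull out rootkit hits."""
    counts, detections = parse_mbam_log(text)
    seen = {}
    for d in detections:
        seen[d["section"]] = seen.get(d["section"], 0) + 1
    mismatched = sorted(s for s, n in counts.items() if seen.get(s, 0) != n)
    rootkit = [d["item"] for d in detections
               if "TDSS" in d["family"]
               or d["item"].rsplit("\\", 1)[-1].upper().startswith(TDSS_PREFIX)]
    return {"mismatched": mismatched, "rootkit_items": rootkit,
            "families": sorted({d["family"] for d in detections})}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A non-empty "mismatched" list means the log was truncated or edited before posting (as with the aborted first scan above), which is worth knowing before treating a quick scan as clean.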

#11 lalamuk1

  • Topic Starter
  • Members
  • 18 posts
  • Gender: Male
  • Location: Westbrook CT

Posted 02 January 2010 - 01:55 PM

Sorry for the late reply

#12 garmanma

  • Computer Masochist
  • Members
  • 27,809 posts
  • Gender: Male
  • Location: Cleveland, Ohio

Posted 02 January 2010 - 06:56 PM

C:\WINDOWS\system32\H8SRTuxuojntlmp.dll (Rootkit.TDSS)
C:\WINDOWS\system32\H8SRTrvnewstuyp.dat (Rootkit.TDSS)


my dad recently used his credit card on our comp

I strongly urge you do not do that now

You need to submit a DDS / HJT log. Start at step 6

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

You will also be instructed to create a Root Repeal Log. Use the one you ran

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

The HJT team is very busy and it will take awhile to get to your post
Please be patient and good luck
Mark

#13 lalamuk1

  • Topic Starter
  • Members
  • 18 posts
  • Gender: Male
  • Location: Westbrook CT

Posted 02 January 2010 - 08:17 PM

Well, I stopped getting browser redirections etc. Well, I already had viruses in quarantine in Avira; I know that they were in fact viruses and want to remove them from my comp from Avira's quarantine. Do I need to do a HJT log? I think my computer is fine and Malwarebytes did an excellent job at removal.



#14 garmanma

  • Computer Masochist
  • Members
  • 27,809 posts
  • Gender: Male
  • Location: Cleveland, Ohio

Posted 03 January 2010 - 07:55 PM

The decision is yours
I would not use the computer for confidential purposes such as banking until I was 100% positive
Mark

#15 lalamuk1

  • Topic Starter
  • Members
  • 18 posts
  • Gender: Male
  • Location: Westbrook CT

Posted 04 January 2010 - 09:06 PM

How would I be 100% positive? I would have to do a HijackThis log. Give me instructions how to find out 100%. And I did a rootkit search with my Avira Antivirus and it found nothing at all. I stopped getting all warnings from Avira that a virus has been detected, so I think I might be good. YOU tell me, OK?



