Rootkit, help me!


7 replies to this topic

#1 Root_help_plz
  • Members
  • 6 posts

Posted 15 June 2011 - 04:16 PM

I have a rootkit, and I figured it out by running ComboFix, which I guess isn't a helpful tool in removing rootkits (obviously). Is there a process I can go through to clear it from my computer? Please help!

Edited by hamluis, 17 June 2011 - 11:53 AM.
No logs, moved from MRL to AII, sent PM.


#2 Root_help_plz
  • Topic Starter

Posted 15 June 2011 - 04:23 PM

Oh, by the way, these were in the log:

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3200822AS rev.3.01 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-17

It says that my user and kernel are OK.
This was the other one:

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

It scanned for hidden files but found nothing.

Edited by Root_help_plz, 15 June 2011 - 04:30 PM.

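The Gmer log above comes from an MBR rootkit detector: tools of that kind read the first sector of the physical disk (Harddisk0\DR0 in the log) and check whether its bootstrap code still matches what the installed Windows wrote there, since TDL4/Tidserv-class bootkits replace that code while leaving the partition table intact so the machine still boots. The following Python is an added example of that check, written for this page; it is not Gmer's, Kaspersky's or the poster's code. The sample MBRs, the partition values and the "boot code changed but partition table unchanged" heuristic are constructed assumptions for illustration, and the device path used by read_first_sector() is the standard Windows raw-disk name, not anything taken from the thread.

```python
r"""MBR integrity check: parse a 512-byte master boot record and compare it
against a known-good baseline, region by region (added example)."""
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List

SECTOR = 512
BOOT_CODE_END = 446           # bytes 0..445: bootstrap code the BIOS executes
PART_TABLE_END = 510          # bytes 446..509: four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511: required for the BIOS to boot the sector


@dataclass
class Partition:
    bootable: bool
    type_id: int    # e.g. 0x07 = NTFS
    lba_start: int  # first sector of the partition
    sectors: int    # length in sectors


def parse_partition_table(mbr: bytes) -> List[Partition]:
    """Decode the four partition slots; empty slots (type 0) are skipped."""
    if len(mbr) != SECTOR:
        raise ValueError(f"expected a {SECTOR}-byte sector, got {len(mbr)}")
    entries = []
    for slot in range(4):
        off = BOOT_CODE_END + 16 * slot
        # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, length
        status, _chs_start, type_id, _chs_end, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", mbr, off)
        if type_id == 0:
            continue
        entries.append(Partition(status == 0x80, type_id, lba_start, sectors))
    return entries


def region_hashes(mbr: bytes) -> Dict[str, object]:
    """Hash the boot code and the partition table separately; check the signature."""
    if len(mbr) != SECTOR:
        raise ValueError(f"expected a {SECTOR}-byte sector, got {len(mbr)}")
    return {
        "boot_code": hashlib.sha256(mbr[:BOOT_CODE_END]).hexdigest(),
        "partition_table": hashlib.sha256(mbr[BOOT_CODE_END:PART_TABLE_END]).hexdigest(),
        "signature_ok": mbr[PART_TABLE_END:] == BOOT_SIGNATURE,
    }


def compare_mbr(baseline: bytes, current: bytes) -> Dict[str, bool]:
    """Report which regions differ from a known-good baseline.

    Heuristic (an assumption of this example): a bootkit must keep the partition
    table intact so the OS still boots, but swaps the boot code for its loader.
    Boot code changed with the table unchanged is therefore the pattern to raise;
    a table change alone more likely reflects a legitimate repartition.
    """
    b, c = region_hashes(baseline), region_hashes(current)
    boot_changed = b["boot_code"] != c["boot_code"]
    table_changed = b["partition_table"] != c["partition_table"]
    return {
        "boot_code_changed": boot_changed,
        "partition_table_changed": table_changed,
        "signature_ok": bool(c["signature_ok"]),
        "suspicious": boot_changed and not table_changed,
    }


def build_mbr(boot_code: bytes, partitions: List[Partition]) -> bytes:
    """Assemble a sector from boot code and up to four partitions. Used here only
    to construct sample data; a real check reads the sector from the disk."""
    if len(boot_code) > BOOT_CODE_END or len(partitions) > 4:
        raise ValueError("boot code too long or too many partitions")
    table = b"".join(
        struct.pack("<B3sB3sII", 0x80 if p.bootable else 0x00, b"\0\0\0",
                    p.type_id, b"\0\0\0", p.lba_start, p.sectors)
        for p in partitions)
    table = table.ljust(PART_TABLE_END - BOOT_CODE_END, b"\0")
    return boot_code.ljust(BOOT_CODE_END, b"\0") + table + BOOT_SIGNATURE


def read_first_sector(device: str = r"\\.\PhysicalDrive0") -> bytes:
    r"""Read the live MBR. Needs administrator rights on Windows; Harddisk0\DR0
    in the Gmer log is the same disk as \\.\PhysicalDrive0. Not called by demo()."""
    with open(device, "rb") as fh:
        return fh.read(SECTOR)


def demo() -> Dict[str, bool]:
    """Constructed sample: a clean MBR and one whose boot code was replaced."""
    layout = [Partition(True, 0x07, 63, 390_700_000)]  # one NTFS partition, invented values
    clean = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40, layout)
    infected = build_mbr(b"\xeb\xfe" + b"\xcc" * 300, layout)  # new loader, same table
    return compare_mbr(clean, infected)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be the sector captured right after a clean install (or the MBR the Windows boot code is known to write), stored off the machine; a stealth bootkit that hooks the disk driver can return the clean sector to anything reading through the infected OS, which is why the Gmer tools and TDSSKiller are the better source of truth than a script run on the live system.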

#3 Root_help_plz
  • Topic Starter

Posted 15 June 2011 - 04:27 PM

As far as problems are concerned, my computer is a little slower than normal; about 5 minutes after rebooting my computer, an infection message pops up saying that I have a rootkit, and my Task Manager says my CPU usage is 100%.

#4 Root_help_plz
  • Topic Starter

Posted 15 June 2011 - 04:28 PM

Bah, sorry; also, my Symantec is inoperable, but this was happening prior to the rootkit.

#5 Root_help_plz
  • Topic Starter

Posted 15 June 2011 - 05:06 PM

Okay, I just did some tweaking with my computer. I stalked my Task Manager until it hit after the reboot, and once it started buzzing I knew the rootkit was starting to hit, and I deleted the process that seemed to be a problem, svchost.exe. But the message still came, and this time I was ready to write down the IP address, but there wasn't one this time; it was like I got rid of part of the virus or something, so I don't know what's going on now. Also, in my Processes tab under the CPU column of the Task Manager, they all say 0 except for System Idle Process, which I can't delete, which says 96-99. Now, randomly, my computer makes really loud humming noises and then my CPU spikes like crazy; then I try to delete one of the processes that has a high CPU number in its row. I hope any of this information helps.

I just got the message pop up again, it says [SID:23621] Tidserv Activity System infected.

Edited by Root_help_plz, 15 June 2011 - 05:22 PM.


#6 Blade
  • Site Admin
  • 12,702 posts

Posted 17 June 2011 - 11:54 AM

Hello,

Let's try this.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (e.g. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (e.g. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

~Blade


In your next reply, please include the following:
TDSSKiller Log



#7 Root_help_plz
  • Topic Starter

Posted 19 June 2011 - 10:47 AM

Thanks, but I just reinstalled windows and wiped the system. My computer needed a fresh start anyway. Thanks for the help!

#8 Blade
  • Site Admin

Posted 19 June 2011 - 05:07 PM

Glad to hear that everything is resolved.

~Blade
