
Explorer.exe Rootkit Infection, Please help.


10 replies to this topic

#1 K12RiV

K12RiV

  • Members
  • 67 posts
  • Gender:Male

Posted 11 March 2014 - 09:00 PM

I had to restart my desktop computer for an update, but before that I would click on the Explorer icon on the task bar to open My Computer and stuff. But it failed to open and said it was infected with a virus, so I decided to scan my computer and it found a rootkit on it. I tried to remove it and do anything, but I couldn't and now my computer is useless... I can't access my desktop anymore since I get a blank screen with only my cursor, and I have access to Task Manager and Ctrl-Alt-Delete. The only way to get to my desktop is via Safe Mode or doing a System Restore.... I would like to know how I can remove this menace...

 

 

If you need information, ask me for it since I'm new to this :P

 

OS: Windows 7 (32-bit)

Antivirus: Avast Antivirus

I have tried Kaspersky TDSSKiller but it found nothing.

If you need any logs or anything, ask.

I have seen other posts about similar things but most answers were tailored to the person's computer or something like that....

I apologise if the answer is on here; I couldn't find it. :/


Edited by hamluis, 12 March 2014 - 11:24 AM.
Moved from Win 7 to Am I Infected - Hamluis.



#2 OldPhil

OldPhil

    Doppleganger


  • Members
  • 4,084 posts
  • Gender:Male
  • Location:Long Island New York

Posted 11 March 2014 - 10:44 PM

You can try the rootkit tool on the page below; just download it and follow the prompts.

 

http://www.bleepingcomputer.com/download/search/?keyword=malwarebytes+root+kit


Honesty & Integrity Above All!


#3 K12RiV

K12RiV
  • Topic Starter

  • Members
  • 67 posts
  • Gender:Male

Posted 12 March 2014 - 06:08 PM

Well, that method didn't work.... I installed Malwarebytes Rootkit edition and it didn't find it at all, while my AV does. The computer only works in Safe Mode; I get no desktop in normal mode.

 

Thanks Anyway



#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,190 posts
  • Gender:Male
  • Location:NJ USA

Posted 13 March 2014 - 12:36 PM

Let's try GMER

Running GMER on 32 and 64 bit Systems

--------------------

Please download GMER from one of the following locations and save it to your desktop:

  • Main Mirror, which will download a randomly named file
  • Zipped Mirror - unzip the file to its own folder such as C:\gmer
  • Disconnect from the Internet and close all running programs
  • Temporarily disable any real-time active protection
  • It is very important you do not use your computer while GMER is running
  • Double-click on the randomly named GMER icon
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan
  • If you receive a warning about rootkit activity and are asked to fully scan your system, click NO
  • Please check the Quick scan box
  • Please uncheck the following:
      IAT/EAT
      Show All <<< Important
  • Click Scan
  • If you see a rootkit warning window, click OK
  • When the scan is finished, save the results to your desktop as gmer.log
  • Click Copy, then paste the results in your reply
  • Exit GMER and be sure to re-enable your Antivirus, Firewall and any other security programs you had disabled

Note:

  • If you encounter any problems, try running GMER in Safe Mode
  • If GMER crashes or keeps resulting in a Blue Screen of Death, uncheck Devices on the right side before scanning
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#5 Mooncookie78

Mooncookie78

  • Members
  • 1 posts

Posted 14 March 2014 - 04:09 PM

Rootkits

#6 K12RiV

K12RiV
  • Topic Starter

  • Members
  • 67 posts
  • Gender:Male

Posted 15 March 2014 - 01:20 PM

I keep getting a timeout error when I paste and try to post the log...


Edited by K12RiV, 15 March 2014 - 02:30 PM.


#7 K12RiV

K12RiV
  • Topic Starter

  • Members
  • 67 posts
  • Gender:Male

Posted 15 March 2014 - 09:19 PM

http://tny.cz/dc1f1eae





I had to upload it here so I could send a reply, because it wouldn't work directly.

(If you have a better paste service that would be great xd)



#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,190 posts
  • Gender:Male
  • Location:NJ USA

Posted 16 March 2014 - 08:21 PM

Not there...
Let's see what Avast's rootkit tool shows.

Please download aswMBR (4.5MB) to your desktop.
  • Double click the aswMBR.exe icon, and click Run.
  • When asked if you'd like to "download the latest Avast! virus definitions", click Yes.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the save log button, save it to your desktop, then copy and paste it in your next reply.


#9 K12RiV

K12RiV
  • Topic Starter

  • Members
  • 67 posts
  • Gender:Male

Posted 16 March 2014 - 10:19 PM

It looks like the rootkit is gone.... my AV doesn't find it and the desktop appears now... but just in case, here is the log.

 

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2014-03-16 21:57:43
-----------------------------
21:57:43.527    OS Version: Windows 6.1.7601 Service Pack 1
21:57:43.527    Number of processors: 1 586 0x5F03
21:57:43.531    ComputerName: KYLE-PC  UserName: Kyle
21:57:45.543    Initialize success
21:57:48.791    AVAST engine defs: 14031601
21:58:20.186    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000006f
21:58:20.190    Disk 0 Vendor: Hitachi_ GMBO Size: 152627MB BusType: 3
21:58:20.369    Disk 0 MBR read successfully
21:58:20.373    Disk 0 MBR scan
21:58:20.378    Disk 0 Windows 7 default MBR code
21:58:20.390    Disk 0 Partition 1 00     27 Hidden NTFS WinRE NTFS        10240 MB offset 2048
21:58:20.408    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS       142384 MB offset 20973568
21:58:20.420    Disk 0 scanning sectors +312577712
21:58:20.482    Disk 0 scanning C:\Windows\system32\drivers
21:58:34.868    Service scanning
21:59:59.074    Modules scanning
22:00:22.417    Disk 0 trace - called modules:
22:00:22.455    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll storport.sys nvstor32.sys
22:00:22.577    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86289aa0]
22:00:22.588    3 CLASSPNP.SYS[8ae0459e] -> nt!IofCallDriver -> [0x85c14ae0]
22:00:22.599    5 ACPI.sys[833ae3d4] -> nt!IofCallDriver -> \Device\0000006f[0x85bddc68]
22:00:23.267    AVAST engine scan C:\Windows
22:00:27.283    AVAST engine scan C:\Windows\system32
22:04:06.909    AVAST engine scan C:\Windows\system32\drivers
22:04:30.131    AVAST engine scan C:\Users\Kyle
22:17:24.671    AVAST engine scan C:\ProgramData
22:18:36.615    Scan finished successfully
22:19:03.638    Disk 0 MBR has been saved successfully to "C:\Users\Kyle\Desktop\MBR.dat"
22:19:03.657    The log file has been saved successfully to "C:\Users\Kyle\Desktop\aswMBR.txt"
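A small triage script for the aswMBR log format shown above, added here as an example (it is not BleepingComputer's or Avast's code): it strips the timestamps, pulls out the MBR verdict and the partition table, and applies a few sanity checks of my own, namely that the verdict carries aswMBR's "default MBR code" wording, that exactly one partition is active, and that no partition overlaps its neighbour or runs past the disk's reported size. The 512-byte-sector assumption and the check rules are this example's assumptions, not Avast's; SAMPLE_LOG is a constructed, abridged copy of the log posted above.

```python
"""Triage helper for aswMBR logs (added example, not BleepingComputer's or Avast's code)."""
import re
from collections import namedtuple
SAMPLE_LOG = """\
21:58:20.190    Disk 0 Vendor: Hitachi_ GMBO Size: 152627MB BusType: 3
21:58:20.378    Disk 0 Windows 7 default MBR code
21:58:20.390    Disk 0 Partition 1 00     27 Hidden NTFS WinRE NTFS        10240 MB offset 2048
21:58:20.408    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS       142384 MB offset 20973568
22:18:36.615    Scan finished successfully
"""  # constructed sample: abridged copy of the log in this thread
SECTORS_PER_MB = 2048  # assumption: 512-byte sectors; the offsets above are consistent with it
STAMP_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3}\s+")
SIZE_RE = re.compile(r"Disk (\d+) Vendor: .* Size: (\d+)MB")
MBR_RE = re.compile(r"Disk (\d+) (.*MBR code.*)$")
PART_RE = re.compile(r"Disk (\d+) Partition (\d+) ([0-9A-Fa-f]{2})(?: \(A\))? +([0-9A-Fa-f]{2}) +"
                     r"(.+?) +(\d+) MB offset (\d+)$")
Partition = namedtuple("Partition", "disk index active type_id description size_mb offset")

def parse_log(text):
    """Return (MBR verdict per disk, size in MB per disk, partitions, scan finished?)."""
    verdicts, sizes, parts, finished = {}, {}, [], False
    for raw in text.splitlines():
        body = STAMP_RE.sub("", raw.rstrip())  # drop the HH:MM:SS.mmm prefix
        if m := SIZE_RE.match(body):
            sizes[int(m[1])] = int(m[2])
        elif m := MBR_RE.match(body):
            verdicts[int(m[1])] = m[2]
        elif m := PART_RE.match(body):  # boot flag 80 marks the active partition
            parts.append(Partition(int(m[1]), int(m[2]), m[3] == "80", m[4], m[5], int(m[6]), int(m[7])))
        elif body == "Scan finished successfully":
            finished = True
    return verdicts, sizes, parts, finished

def triage(text):
    """Heuristic checks (this example's own assumptions, not Avast's rules); [] means nothing odd."""
    verdicts, sizes, parts, finished = parse_log(text)
    findings = [] if finished else ["scan did not report 'Scan finished successfully'"]
    for disk, verdict in verdicts.items():  # aswMBR names boot code it recognises, e.g. 'Windows 7 default MBR code'
        if "default MBR code" not in verdict:
            findings.append(f"disk {disk}: MBR verdict '{verdict}' is not a known default")
    for disk, size_mb in sizes.items():
        mine = sorted((p for p in parts if p.disk == disk), key=lambda p: p.offset)
        if sum(p.active for p in mine) != 1:
            findings.append(f"disk {disk}: expected exactly one active partition")
        prev_end = 0
        for p in mine:  # layout sanity: no overlap, nothing beyond the disk's reported size
            end = p.offset + p.size_mb * SECTORS_PER_MB
            if p.offset < prev_end or end > size_mb * SECTORS_PER_MB:
                findings.append(f"disk {disk}: partition {p.index} overlaps a neighbour or runs past the disk")
            prev_end = end
    return findings
```

Run `triage(open("aswMBR.txt").read())` against a saved log; an empty list means none of these heuristics fired, which is what the clean log in this thread produces.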



#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,190 posts
  • Gender:Male
  • Location:NJ USA

Posted 17 March 2014 - 10:19 AM

OK, good, no signs of a rootkit there..

Have a great day.

#11 K12RiV

K12RiV
  • Topic Starter

  • Members
  • 67 posts
  • Gender:Male

Posted 17 March 2014 - 10:27 AM

Okay, thank you for your help :)



