suspected rootkits and/or trojans

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by gaskibba, Nov 2, 2010.

  1. gaskibba

    gaskibba Private E-2

    Had some problems last week and the read and run didn't get them all. I couldn't get RootRepeal or MGTools to run. I continued to the alt' cleaning and started Panda Scan 2.0. It ran for about two hours and then hung up. Then it kicked into a reboot loop. I had to go buy an old-style wired keyboard as I couldn't use the wireless one to make any selections at boot. After putting it on I found that I couldn't get it to boot to Windows using any of the selections. After playing with the Recovery Console I was finally able to get it started again.
    I'll attach my 1st logs from last week and also the new ones; they're pretty clean. The machine still has a problem, as when I tried to run RootRepeal again today I ended up having to force a restart using Last Known Good Configuration. Any help appreciated.
    Thanks
    Gerard
    PS: will put the Malwarebytes logs in next reply
     

    Attached Files:

    Last edited: Nov 2, 2010
  2. gaskibba

    gaskibba Private E-2

    Here are the MalwareBytes log files.

    Thanks for any assistance.
    Gerard
     

    Attached Files:

    Last edited: Nov 2, 2010
  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your Combo log indicates that you do have C:\MGLogs.zip. Please attach that.
     
  4. gaskibba

    gaskibba Private E-2

    MGLogs.zip attached
     

    Attached Files:

  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am not finding any malware in your logs. Just because RootRepeal doesn't run is not an indication of malware as it fails on about 50% of all systems.

    We can clean up some left over junk, but it is not malware:

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double-clicking on it (Note: if using Vista, don't double-click; use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines, but DO NOT CLICK FIX until you exit all browser sessions, including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy just the bold text below to Notepad (do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    Now tell me what malware issues you are having, if any.
     
  6. gaskibba

    gaskibba Private E-2

    Thanks Tim, thanks for your response. I've done what you requested. I haven't been having any problems show today. I'll just have to wait and see.
    Thanks again,
    Gerard
    PS: Should I remove any of the cleaning tools?
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Here are the cleanup instructions. You may wish to wait a day or two to make sure you are not having any issues.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources (except a little disk space) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between the combofix" and the /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double-click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work through the below link:




     
  8. gaskibba

    gaskibba Private E-2

    Did the stuff indicated in your post. Then tried to do a safe boot so I could check some stuff from the Administrator logon. Could not get a safe boot. Tried Last Known Good Configuration after I couldn't get Start Normally to work. Then selected no auto restart and got the BSOD. The technical information:
    ***STOP: 0x0000007E (0xc0000005, 0xf7640211, )xF78D6718, 0xF78D6414)

    *** WDFLDR.SYS - Address F7640211 base at F7637000, DateStamp 4a5bbf1d

    Please indicate what I should try now. I do have the Windows Recovery Console as an option. I also have not toggled the system restore. So I should have several restore points if I can remember how to get at them through the recovery console. It's getting late so I will have to leave off on this till tomorrow.

    Gerard:(
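    An added triage helper for the two STOP lines quoted above (this is not code from the thread or from any MajorGeeks tool): it parses the bugcheck code and its four parameters, tolerates the mistyped ")x" prefix on the third parameter, and computes the offset of the faulting address inside WDFLDR.SYS from the reported base, which is the value you would look up against the driver's symbols. The two sample lines are copied from the post; the bugcheck and NTSTATUS names are the standard Windows constants for 0x7E and 0xC0000005.

```python
import re
# Constructed sample: the two lines as posted in the thread, including the
# mistyped ")x" prefix on the third parameter, which the parser tolerates.
STOP_LINE = "***STOP: 0x0000007E (0xc0000005, 0xf7640211, )xF78D6718, 0xF78D6414)"
MODULE_LINE = "*** WDFLDR.SYS - Address F7640211 base at F7637000, DateStamp 4a5bbf1d"
# Only the two well-known constants that occur in the posted lines are named.
BUGCHECK_NAMES = {0x7E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED"}
NTSTATUS_NAMES = {0xC0000005: "STATUS_ACCESS_VIOLATION"}
STOP_RE = re.compile(r"STOP:\s*0x([0-9A-Fa-f]+)\s*\((.*)\)")
MODULE_RE = re.compile(
    r"(?P<module>[\w.]+)\s*-\s*Address\s+(?P<addr>[0-9A-Fa-f]+)"
    r"\s+base at\s+(?P<base>[0-9A-Fa-f]+),\s*DateStamp\s+(?P<stamp>[0-9A-Fa-f]+)"
)

def _hex_tail(token):
    """Trailing run of hex digits, so ')xF78D6718' still yields 0xF78D6718."""
    m = re.search(r"([0-9A-Fa-f]+)$", token.strip())
    if not m:
        raise ValueError("no hex value in %r" % token)
    return int(m.group(1), 16)

def parse_stop(line):
    """Return (bugcheck_code, [param1..param4]) from a '*** STOP:' line."""
    m = STOP_RE.search(line)
    if not m:
        raise ValueError("not a STOP line")
    return int(m.group(1), 16), [_hex_tail(t) for t in m.group(2).split(",")]

def parse_module(line):
    """Return (module, faulting_address, base, datestamp) from the driver line."""
    m = MODULE_RE.search(line)
    if not m:
        raise ValueError("not a module line")
    return m.group("module"), int(m.group("addr"), 16), int(m.group("base"), 16), m.group("stamp")

def triage(stop_line, module_line):
    code, params = parse_stop(stop_line)
    module, addr, base, stamp = parse_module(module_line)
    return {
        "bugcheck": code,
        "bugcheck_name": BUGCHECK_NAMES.get(code, "unknown"),
        "params": params,
        "exception_name": NTSTATUS_NAMES.get(params[0], "unknown") if params else "unknown",
        "module": module,
        "datestamp": stamp,
        "offset": addr - base,  # module-relative offset to look up in the driver's symbols
        # for bugcheck 0x7E, param 2 is the exception address; it should equal the reported one
        "address_in_module": len(params) > 1 and params[1] == addr,
    }
```

    Run triage(STOP_LINE, MODULE_LINE) to get the parsed fields; an offset of 0x9211 into WDFLDR.SYS with an access violation points at that driver (or what loaded it), not at a rootkit by itself.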
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Instructions on how to use the Recovery Console to boot to a restore point are HERE.

    If you have problems doing this, please post in the software forum for additional assistance. But be aware that you may be restoring to a point that is infected, so you will need to re-run all the tools to check for infections.
     
  10. gaskibba

    gaskibba Private E-2

    Back in service again. I still seemed to have some problem that may have been related to having MSSE. So I've uninstalled that and ran the cleaning tools again. RootRepeal didn't work. When I started it, it just sat on the screen saying initializing. After an hour or so, I found that the system was locked on that screen. I had to force a reboot to get started again. Attached are the logs from the other tools.
    Thanks,
    Gerard
     

    Attached Files:

  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs are clean. However, I see you have many corrupt user accounts. I suggest that you post in the software forum as your issues are not caused by malware.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources (except a little disk space) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between the combofix" and the /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double-click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work through the below link:




     
