Rootkit issue, logs attached

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by calai, Nov 7, 2012.

  1. calai

    calai Private E-2

    Hello.

    My problems began on 11/2/12 when I tried to start up my computer. It would not boot up, and I tried booting into safe mode and that wouldn't work either. Finally, it gave me an option to do a system repair, which I did. The system repair took about nine hours to complete. When it completed, my computer was very slow and it restarted on its own. The following day, I tried to boot up my computer again, and it lingered a long time on the "windows starting" screen with a glowing windows logo. Then it went to a black screen with the white cursor symbol on it, and stayed there for about 10 minutes before allowing me to get onto my desktop.

    When I got to my desktop, I ran Avast, and it found 38 infected files that were labeled "rootkit." Avast removed them, but since then, I've gotten the blue screen of death twice, and my startup is very, very slow, always lingering a long time on the "windows starting" mode. I also tried running the Malwarebytes scan, but it always froze and would not complete.

    So today, I've done everything from the "READ & RUN ME FIRST" page and the "Removal/Cleaning Procedure" page. Attached are my logs (I was able to run Malwarebytes after renaming it, as the "Read & Run me first" page said to). I also took screenshots of the rootkit files that Avast detected and removed, and I uploaded them here:
    http://tinypic.com/r/35jjad3/6

    http://tinypic.com/r/ek0rc2/6

    Please help.

    Thank you.

    PS: I asked for help on another forum before visiting this one, and the person who helped me couldn't find anything and said that my problems now could possibly just be due to hardware problems... I don't think that's the case since I'm still experiencing some very strange behavior. Today, when I booted up my computer, it didn't ask for my password even though a password is usually required to log onto my computer. Please help.
     

    Last edited: Nov 7, 2012
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You can go ahead and rerun RogueKiller and have it fix these items under the "Files/Folders" tab:
    • [RUN][SUSP PATH] HKCU\[...]\Run : Google Update ("C:\Users\Clare\AppData\Local\Google\Update\GoogleUpdate.exe" /c) -> FOUND
    • [RUN][SUSP PATH] HKUS\S-1-5-21-1683235390-313515724-745283322-1001[...]\Run : Google Update ("C:\Users\Clare\AppData\Local\Google\Update\GoogleUpdate.exe" /c) -> FOUND
    • [TASK][SUSP PATH] GoogleUpdateTaskUserS-1-5-21-1683235390-313515724-745283322-1001UA.job : C:\Users\Clare\AppData\Local\Google\Update\GoogleUpdate.exe -> FOUND
    • [TASK][SUSP PATH] GoogleUpdateTaskUserS-1-5-21-1683235390-313515724-745283322-1001Core.job : C:\Users\Clare\AppData\Local\Google\Update\GoogleUpdate.exe -> FOUND
    • [TASK][SUSP PATH] GoogleUpdateTaskUserS-1-5-21-1683235390-313515724-745283322-1001Core : C:\Users\Clare\AppData\Local\Google\Update\GoogleUpdate.exe /c -> FOUND
    • [TASK][SUSP PATH] GoogleUpdateTaskUserS-1-5-21-1683235390-313515724-745283322-1001UA : C:\Users\Clare\AppData\Local\Google\Update\GoogleUpdate.exe /ua /installsource scheduler -> FOUND
    • [HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
    • [HJ] HKLM\[...]\Wow6432Node\System : ConsentPromptBehaviorAdmin (0) -> FOUND
    • [HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
    • [HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND
    • [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    • [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
    Place a checkmark next to each of these items, and leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)

    But other than that, your logs are clean. I am not finding any malware. I suggest that you post in the software forum for further assistance with your issues.

    Since you are not having any malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware. You can uninstall RogueKiller and HitManPro.
    2. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista or Win 7, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    7. After doing the above, you should work through the below link
    Malware removal from a National Chain = $149
    Malware removal from MajorGeeks = $0
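A read-only PowerShell audit of the two finding classes RogueKiller reported in the post above: UAC switched off (EnableLUA and ConsentPromptBehaviorAdmin set to 0) and autorun entries or scheduled tasks whose binary lives under a user profile path. This is an added example, not part of the thread or of MajorGeeks' tools; it assumes the standard Windows policy key that the report abbreviates as HKLM\[...]\System and an English-locale schtasks output (the "Task To Run" column name).

```powershell
# Added example: report the UAC and profile-path autorun conditions flagged above.
# It only reads; fixing is left to the tool the helper prescribed (enableUAC.reg).
$policy   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$findings = @()

# [HJ] class. Defaults on Vista/7: EnableLUA=1, ConsentPromptBehaviorAdmin=5
# (prompt for consent for non-Windows binaries). 0 in either means no UAC prompt.
$uac = Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue
if ($uac.EnableLUA -eq 0) {
    $findings += "UAC disabled: $policy\EnableLUA = 0"
}
if ($uac.ConsentPromptBehaviorAdmin -eq 0) {
    $findings += "Admins elevate silently: $policy\ConsentPromptBehaviorAdmin = 0"
}

# [RUN][SUSP PATH] class: Run entries whose executable sits in a user-writable
# profile directory. Google Update legitimately does this, so each hit is a
# candidate to review, not a verdict.
$profilePath = '\\AppData\\|\\Local Settings\\|\\Temp\\'
$runKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PSPath, PSParentPath, ...
        $cmd = [string]$p.Value
        # Executable is the quoted path, or the first token before any arguments.
        if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($cmd -split ' ')[0] }
        if ($exe -match $profilePath) {
            $findings += "Autorun from user profile: $key\$($p.Name) -> $exe"
        }
    }
}

# [TASK][SUSP PATH] class: scheduled tasks whose action runs from a profile path.
# schtasks /v /fo csv works on Vista/7 without the newer ScheduledTasks module;
# repeated header rows from per-folder output never match the path pattern.
$tasks = schtasks /query /v /fo csv | ConvertFrom-Csv
foreach ($t in $tasks) {
    if ($t.'Task To Run' -match $profilePath) {
        $findings += "Task from user profile: $($t.TaskName) -> $($t.'Task To Run')"
    }
}

if ($findings.Count -eq 0) { 'No UAC or profile-path autorun findings.' } else { $findings }
```

Run it from an elevated PowerShell prompt; HKCU results apply to the logged-on user only, so repeat it per account if more than one profile is in use.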
     
  3. calai

    calai Private E-2

    Hello.

    Thanks for your reply. The 2nd roguekiller log is attached.

    Do you think it's safe for me to use my computer now?

    Thanks.
     


  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    All I can say is that you are free from malware. Any other lingering issues should be addressed in the software forum.

    And you are welcome. :)
     
  5. calai

    calai Private E-2

    TimW, when I started up my computer this morning, I found my system folders had moved to my desktop. Is this something to worry about? I read online that it could be a virus causing this? Please help.
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator). Make sure that you watch for the license agreement for TrendMicro HijackThis and click on the Accept button TWICE to accept (yes, twice).
    Then attach the below logs:
    * C:\MGlogs.zip
     
  7. calai

    calai Private E-2

    Hi, here it is.

    Thanks.
     


  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    There is no malware in your logs. Again, off you go to the software forum. ;)
     
  9. calai

    calai Private E-2

    Okay.

    I posted in the software forum.

    Thanks!
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome. Good luck. :)
     
