Rootkit :(

Discussion in 'Malware Help (A Specialist Will Reply)' started by Frogster2692, Dec 16, 2009.

  1. Frogster2692

    Frogster2692 Private E-2

    I think I have a rootkit virus on my computer. I have had Iexplore.exe showing up randomly in my process list for about 3 months. I have tried multiple times to remove it. The last two times I thought I had removed it, but it keeps coming back. When it comes back, it slows my computer down drastically, plays advertisement sounds in the background, tries to open IE pages and just makes me feel unsafe in general. I have run all the programs and attached the files as asked, except combofix due to being unable to download it from the site at this time.

    On a side note, I recently changed from the McAfee virus scanner to the free version of AVG. Also, I have been running CCleaner for about 6 months; it's an amazing tool. Please Help.
     

    Attached Files:

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    1. Important Notice: A new version of SUPERAntiSpyware is available.
    • Please uninstall your current version (this is necessary).
    • Then download this SUPERAntiSpyware
    • Install this new version. It may tell you that you need to reboot to complete the installation. You must reboot at this time.
    • After the reboot, run SUPERAntiSpyware and immediately click the Check for Updates button to get more updates for the database.
    • Now run a new full scan of your system. And attach this log later.

    2. Please go to Jotti's malware scan

    (If more than one file needs to be scanned they must be done separately and logs posted for each one)
    • Copy the file path in the below Code box:
      Code:
      C:\WINDOWS\system32\krl32mainweq.dll
    • At the upload site, click once inside the window next to Browse.
    • Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
    • Next click Submit file
    • Your file will possibly be entered into a queue which normally takes less than a minute to clear.
    • This will perform a scan across multiple different virus scanning engines.
    • Important: Wait for all of the scanning engines to complete.
    • Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.


    3. Now download The Avenger by Swandog469, and save it to your Desktop.

    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    4. Also delete all files in the below bold folder except ones from the current date (Windows will not let you delete the files from the current day).

    • C:\Documents and Settings\Owner\Local Settings\temp

    5. Now run the below:

    Running GMER to detect rootkits



    6.
    • Now go to TDSSKiller and Download TDSSKiller.zip to your Desktop
    • Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
    • Click Start > Run and copy/paste the following bold command into Run box and hit Enter.
    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

    • Follow the instructions to type in "delete" when it asks you what to do when it finds something.
    • When done, a log file should be created on your C: drive called "TDSSKiller.txt"; please attach this log to your next reply.

    7. Now go to this MGTools and download the new version of MGtools.exe. Overwrite your previous MGtools.exe file with this one.

    8. Now run the new MGTools.exe and attach the C:\Mglogs.zip that it generates, let me know the results from Jotti and also attach the logs from SAS, GMER, Avenger and TDSSKiller in your next reply.

    Thanks
    Kes13!
     
  3. Frogster2692

    Frogster2692 Private E-2

    A note on something I've noticed in the few days it took to respond to my post: when my computer starts up, the opening of Iexplore.exe slows it down, and even after ending the process it will continue to open every minute or so, unless I also end jqs.exe; when I end that, it doesn't pop up again, and most of the symptoms (the advertisements, sounds, and Iexplore.exe tasks popping up) go away. I've also uninstalled Internet Explorer, as a Windows component, temporarily, before I did the scans or asked for help; I would like to reinstall it.

    I also have been ending all processes starting with AVG because, when I open it, it no longer has any active components.

    Errors that occurred

    Error 1922. Service 'SASENUM' (SASENUM) could not be deleted. Verify that you have sufficient privileges to remove system services.

    SUPERAntiSpyware Application has encountered a problem and needs to close. We are sorry for the inconvenience.

    Ran RUNSAS.EXE from the program folder. It put a popup in my browser for SAS and a file called 83585d00-38e0-4780-a284-c238352f3439.exe

    Link to Jotti
    http://virusscan.jotti.org/en/scanresult/f3f99664d1fac7bf2e4a6aa28c8a83bd51a54c44

    When I Rebooted after running avenger.exe, my computer blackscreened and stalled out. I then hard restarted by holding the power button for 10 seconds, it ran check disk, restarted again and ended up back in windows.

    I tried to delete all the files in C:\Documents and Settings\Owner\Local Settings\temp but one stayed named etilqs_wn7bFNGcLspHdSiHpr3O

    My AVG came up with a new icon with a play button; it appears that all active components are working. I will leave it until instructed otherwise. It is currently running a scan; I let it finish before running GMER.exe.
    AVG found a Trojan horse Downloader.Generic6.QDM, attached to AviPlayer.exe, which I thought I had uninstalled; I used CCleaner to uninstall it, again. Can't find any scan results or log.

    GMER.exe ran; I couldn't totally kill AVG after the scan before I ran GMER.exe.

    TDSSKiller came up with nothing, so I copied what it said into a text file and am posting it as TDSSkiller.txt.

    I've also noticed that popup ads come up when I mouse over a keyword like download or virus; the ads say Vibrant at the top right corner. The popup has nothing to do with the word itself.

    Finished MGTools.exe scan. Attaching and replying now.
     

    Attached Files:

  4. Frogster2692

    Frogster2692 Private E-2

    Here is the MGTools.log, 5 files per post.
     

    Attached Files:

  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Good evening. Combofix is back up and running so let's give that a run now, when it asks you to install the recovery console please do so:

    Download Combofix

    This link here gives clear instructions on how to run it.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combofix.

    Thanks
    Kes13!
     
  6. Frogster2692

    Frogster2692 Private E-2

    Okay, I installed combofix.exe and ran it from the desktop. When I did this, it said AVG active scanners are still running, please disable all active components before continuing. I tried to disable it, tried to uninstall it, no success. I ran Combofix.exe with the "risk to damage the drive" because I couldn't figure out how to get rid of AVG. I would like to uninstall it and try another virus/firewall protection after we are done here :)

    Back to the issue at hand. When combofix.exe first started it double beeped with each error; I figured it was because AVG was still running. I no longer see Iexplore.exe running, but I am still getting the Vibrant ads. WLSngS.exe and MOM.exe have been popping up since we started this process, as well as jqs.exe still being there using small amounts of CPU frequently. Logs are posted. Couldn't post the AVG error log because it's 6.17 MB.
     

    Attached Files:

  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    WLSngS.exe >>> relates to:
    Linksys WMP110 RangePlus Wireless PCI Adapter

    MOM.exe
    Do you mean MDM.exe?

    jqs.exe >>> relates to:
    Java Quick Starter
    purpose:
    improves the initial startup time of Java applets and applications



    1. Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    
    KILLALL::
    
    Driver::
    H8SRTd
    H8SRTd.sys
    yfofd
     
    File::           
    C:\WINDOWS\system32\drivers\H8SRTilmxmnaowm.sys
    C:\WINDOWS\system32\H8SRTnvnioetact.dll
    C:\WINDOWS\system32\H8SRTd.sys
    C:\WINDOWS\system32\H8SRTvppyafrkql.dat
    C:\WINDOWS\system32\H8SRTitairnerdo.dll
    C:\WINDOWS\system32\H8SRTnvnioetact.dll
    C:\WINDOWS\system32\H8SRTvppyafrkql.dat
    C:\WINDOWS\system32\drivers\H8SRTd.sys
    c:\windows\system32\drivers\rsoopnz.sys
    
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    2. Now run GMER again as it was GMER that detected the rootkit:

    Running GMER to detect rootkits


    3. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the logs from Combofix and GMER.

    Thanks
    Kes13!
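    The CFScript above uses a simple sectioned format (`KILLALL::`, `Driver::`, `File::`, one entry per line). As an added example, not tooling from the thread or from ComboFix itself, the Python below parses that format and flags entries the posted script lists twice, a quick sanity check before handing such a script to a removal tool; it assumes a section header is a bare word followed by `::` on its own line.

```python
import re
from collections import Counter

# Constructed sample: the CFScript text posted in the thread above.
CFSCRIPT = r"""KILLALL::

Driver::
H8SRTd
H8SRTd.sys
yfofd

File::
C:\WINDOWS\system32\drivers\H8SRTilmxmnaowm.sys
C:\WINDOWS\system32\H8SRTnvnioetact.dll
C:\WINDOWS\system32\H8SRTd.sys
C:\WINDOWS\system32\H8SRTvppyafrkql.dat
C:\WINDOWS\system32\H8SRTitairnerdo.dll
C:\WINDOWS\system32\H8SRTnvnioetact.dll
C:\WINDOWS\system32\H8SRTvppyafrkql.dat
C:\WINDOWS\system32\drivers\H8SRTd.sys
c:\windows\system32\drivers\rsoopnz.sys
"""

# Assumption: a section header is a bare word followed by '::' on its own line.
SECTION_RE = re.compile(r"^([A-Za-z]+)::$")


def parse_cfscript(text):
    """Split a CFScript into {section: [entries]}, keeping order and spelling."""
    sections = {}  # dict preserves insertion order (Python 3.7+)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])  # KILLALL:: may stay empty
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections


def find_duplicates(entries):
    """Entries listed more than once; NTFS paths are case-insensitive, so compare lowercased."""
    counts = Counter(entry.lower() for entry in entries)
    return sorted(key for key, n in counts.items() if n > 1)
```

    Run against the posted script it reports two repeated File:: entries; the two H8SRTd.sys lines are different paths (system32 and system32\drivers) and are correctly not flagged.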
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! In user's case the below is running which is just from the ATI Graphics Card:
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
     
  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Thanks Chas.
     
  10. Frogster2692

    Frogster2692 Private E-2

    Thank you two. I do have an ATI card; it runs 2 versions of ati2evxx.exe for some reason in my processes. Okay, this is getting interesting. Gmer.exe takes about an hour to scan completely. I ran it and forgot to copy the first log, ran it again and made a copy. Restarted my wireless connection, BSOD. I'm attaching the error report Windows gave me from the "recovered from a serious error" message. Is it possible it attached itself to AVG? One of the reasons I wanted to uninstall it is because when the full effect of the malware was happening, it had running processes, would not scan and would not open any tools; also it is causing problems with combofix.
     

    Attached Files:

  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    To the best of my knowledge and from what I can see your logs are clean. :)

    Any remaining issues about BSODs, ATI cards or problems with AVG will have to be resolved in the software forum. You can always remove AVG and load another antivirus onto your machine, but I would first run the AVG removal tool before doing so. Again, this is not a subject for the malware forum.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  12. Frogster2692

    Frogster2692 Private E-2

    Thanks for your help Kes, I will refer to the software forum for further advice.
     
  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You're very welcome! safe surfing :)
     
