Vista Partition Rootkit

Discussion in 'Malware Help (A Specialist Will Reply)' started by Heyman7, Oct 30, 2013.

  1. Heyman7

    Heyman7 Private E-2

    Hello,

    The PC is running Vista, but I believe a partition has been affected by a nasty rootkit. Toshiba does not use a recovery disc; you can restore by pressing "0". Before doing that, the bug was able to disable all anti-virus software, crash IE, etc. I noticed all the files on the computer were being replicated, and attempts to install "Norton 360" kept occurring even though I used a different Norton product.

    After the recovery to the out-of-box state, I noticed right away that the bug was still in. Downloaded a couple of programs right away and started to notice the same issues with IE. The only program log that pulled the bad partition was "RogueKiller"; logs are attached. Thank you.
     

    Last edited: Oct 30, 2013
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are all clean. That partition is not a problem.
     
  3. Heyman7

    Heyman7 Private E-2

    RogueKiller found registry errors, and IE still crashes when search terms relating to malware are pulled up. I'm not sure of the rootkit/worm, but it's still in the PC.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No it did not. As stated, your logs are clean. Those are normal values.

    Since your logs are clean, perhaps you are having a Windows problem with your browser or perhaps it is Norton getting in the way. Disable or uninstall Norton to see what happens.

    You do not have an infection based on your logs but we can run a couple other scans just to get more opinions.



    Now download and save a copy of combofix.exe and save it directly onto your Desktop folder.
    • Then right click on it and select Run As Administrator. Do not disturb it by clicking in the window that opens or it may stall.
    • After it finishes, it may reboot your PC. Attach the C:\combofix.txt log that it creates.
    • If after running Combofix you discover none of your programs will open up because you receive the following error:
      • Illegal operation attempted on a registry key that has been marked for deletion
    • Then you will need to reboot your computer which will normally fix this problem.

    Please download OTL by OldTimer.
    • Save it to your desktop.
    • Double-click on the OTL icon on your desktop to run it. (Note: if using Vista, Win7 or Win8 use right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      activex
      netsvcs
      drives
      
    • Now click the Run Scan button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)
     
  5. Heyman7

    Heyman7 Private E-2

    Norton disabled again, uploaded a new log from Hitman Pro which found something
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Don't need it. Nothing was found. I already gave you instructions to follow 6 days ago. Still waiting.
     
  7. Heyman7

    Heyman7 Private E-2

    Not sure how I missed that post, sorry.

    Logs attached.
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No malware problems in these logs either. If you are having problems with Norton, I suggest that you uninstall it and run the below cleanup program too:

    Norton Removal Tool 21.0.0.14

    Then reboot your PC and see how it is running. Afterwards, reinstall Norton if you plan to still use it.

    When a PC is returned to its out-of-box state (a factory restore), that reimages the drive, and you would not have malware problems unless the factory image was already infected at the factory or unless you somehow managed to get a BIOS infection, which is very rare and would not be detectable or fixable here anyway.
     
  9. Heyman7

    Heyman7 Private E-2

    This appears to be a BIOS infection. Even after the factory reboot, a fresh copy of Norton AV was added. Shortly after, the infection disabled it. N360 came with the laptop; that product was manually removed and a fresh copy was added. The infection overwrites the fresh copy with the N360.

    I'm convinced the infection must be a BIOS infection. The Hitman Pro log found something in the registry while in safe mode. It removes it, but again the entry is re-added. Thanks for checking.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Very unlikely. I suggest that you simply uninstall Norton for now and use something else like one of the below to see what happens.

    AntiVir Personal Edition
    Avast! Home Edition
    Comodo AntiVirus 6.3.35694.2953
    Microsoft Security Essentials

    No! Your Hitman Pro log was clean. Those items listed were just cookies which are not problems. If you open a browser to surf, you get cookies.
     
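The open question in this thread is whether an autostart entry really is being re-added after removal, or whether a vendor installer (here, the bundled Norton 360) is simply restoring its own registry values and services. Below is an added example, not part of the thread and not one of the tools the staff member recommended: a PowerShell script that snapshots the common Windows autostart locations (Run/RunOnce keys, services, kernel drivers, scheduled tasks) and diffs two snapshots taken at different times. It assumes a Vista-era PowerShell 2.0 (so it avoids `Get-ScheduledTask` and `ConvertTo-Json`), an English-locale `schtasks.exe` (the CSV column names are locale-specific), and an elevated prompt; the snapshot folder under the Desktop is an arbitrary choice.

```powershell
# Added example (not from the MajorGeeks thread). Snapshot autostart locations
# and diff two snapshots to see exactly which entries appear between them.
# Assumptions: PowerShell 2.0 on Vista, English-locale schtasks.exe output,
# run as Administrator. $SnapshotDir is an arbitrary example location.

$SnapshotDir = Join-Path $env:USERPROFILE 'Desktop\autorun-snapshots'

function New-Entry([string]$Source, [string]$Name, [string]$Value) {
    New-Object PSObject -Property @{ Source = $Source; Name = $Name; Value = $Value }
}

function Get-AutostartEntries {
    $entries = @()

    # 1. Run / RunOnce keys, machine-wide and per-user, plus the 32-bit view on x64.
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }      # skip PSPath, PSParentPath, ...
            $entries += New-Entry $key $p.Name ([string]$p.Value)
        }
    }

    # 2. Services and kernel drivers with their image paths (WMI works on Vista).
    foreach ($s in Get-WmiObject Win32_Service)      { $entries += New-Entry 'Service' $s.Name ([string]$s.PathName) }
    foreach ($d in Get-WmiObject Win32_SystemDriver) { $entries += New-Entry 'Driver'  $d.Name ([string]$d.PathName) }

    # 3. Scheduled tasks via schtasks.exe; /fo CSV /v repeats the header row per
    #    task folder, so rows whose TaskName is literally "TaskName" are dropped.
    $rows = schtasks.exe /query /fo CSV /v 2>$null | ConvertFrom-Csv
    foreach ($t in $rows) {
        if ($t.TaskName -eq 'TaskName') { continue }
        $entries += New-Entry 'Task' $t.TaskName ([string]$t.'Task To Run')
    }
    return $entries
}

function Save-AutostartSnapshot([string]$Label) {
    if (-not (Test-Path $SnapshotDir)) { New-Item -ItemType Directory -Path $SnapshotDir | Out-Null }
    $file = Join-Path $SnapshotDir ($Label + '.xml')
    Get-AutostartEntries | Export-Clixml -Path $file
    return $file
}

function Compare-AutostartSnapshot([string]$BeforeFile, [string]$AfterFile) {
    $before = Import-Clixml $BeforeFile
    $after  = Import-Clixml $AfterFile
    # "=>" marks entries present only in the later snapshot (added or changed);
    # "<=" marks entries that disappeared. Identical entries are not listed.
    Compare-Object -ReferenceObject $before -DifferenceObject $after -Property Source, Name, Value |
        Sort-Object SideIndicator, Source, Name
}

# Usage: snapshot right after the removal, reboot and let the machine sit, then
# snapshot again and diff.
$first = Save-AutostartSnapshot 'after-removal'
# ... reboot, wait, then:
# $second = Save-AutostartSnapshot 'later'
# Compare-AutostartSnapshot $first $second | Format-Table -AutoSize
```

A re-added Run value or service shows up as a `=>` row with its image path, which is usually enough to tell a vendor component (a Symantec path under Program Files, in this thread's case) from anything unexpected. To find out which process writes the value at the moment it reappears, the next step is Sysinternals Process Monitor filtered on `RegSetValue` for that key path. The snapshot covers the on-disk and registry persistence that a factory restore wipes; it cannot see firmware, so it confirms or rules out the ordinary explanations but says nothing about the BIOS hypothesis raised above.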
