Possible rootkit

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by DylanH, Jul 30, 2011.

  1. DylanH

    DylanH Private E-2

    A few days ago, I decided to customize the look of my Windows 7 setup. I'm not sure what I ran (there were quite a few things involved!), but I think something must have come with malware. When I restarted my laptop, I was welcomed with some kind of hard rock/hair metal music and a changed logonUI background.

    I disabled startup sounds and implemented a custom background for the logonUI, which I was planning on doing anyways. I figured it was just an annoying change by one of the customization programs. Then Chrome started acting up with "The application was unable to start correctly (0xc0000022)" errors. They would pop up sporadically.

    I did a search for that and came upon a post at the Google support forums. (http://code.google.com/p/chromium/issues/detail?id=24704) All indications were that this error is the result of a rootkit. I ran Microsoft Security Essentials overnight; nothing was found. I ran everything in the readme, but only one case of "Malware.Trace" was found by SUPERAntiSpyware.

    I don't get the Chrome error anymore. However, if I re-enable startup sounds and disable the custom logonUI background, the malicious changes are still there. From what I read in the Google support forums, the possible rootkit is hidden very well and not easy to clean out. I'm hoping I got it before and that fixing the logonUI stuff is simple.

    I'm running Windows 7 Home Premium, 64-bit.
     

    Attached Files:

  2. thisisu

    thisisu Malware Consultant

    Welcome to Major Geeks!

    I will review your logs. Please be patient as there is a lot of information to review.
     
  3. thisisu

    thisisu Malware Consultant

    Have you uninstalled any of the Win7 customization tools you had? I see the remnants of some, but I want to make sure you are wanting to completely get rid of them before we proceed. Please let me know in your next response.

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    1. Double-click SystemLook.exe to run it.
    2. Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      explorer*.*
    3. Click the Look button to start the scan.
    4. When finished, a notepad window will open with the results of the scan. Please post this log in your next reply. (How to attach items to your post)
      Note: The log can be found on your Desktop entitled SystemLook.txt
     
  4. DylanH

    DylanH Private E-2

    I've uninstalled some of the customization I had. I tested several icon-changers, but ended up using this one: http://mr-ragnarok.deviantart.com/art/Token-IconPack-Installer-207280582

    I don't remember all of the icon-changers I tried and my cache and temporary files have been deleted, so I can't go back and see. Other than that, the only other things associated with the customization are the following:

    • gdipp
    • Windows 7 Aero Blur Tweaker (uninstalled)
    • Windows 7 Start Button Changer
    • Windows 7 Navigation Buttons Customizer

    The customization I'm using is from deviantART: http://dpcdpc11.deviantart.com/art/Maverick-for-Win7-194347855

    My best guess is that one of the icon-changers I tried came with malware. I don't think the theme or the button changers caused it, since those are fairly popular programs.

    I've attached the log.
     

    Attached Files:

  5. thisisu

    thisisu Malware Consultant

    Please complete the Step 6 here (use Defogger).

    Go to the below link and follow the instructions for running TDSSKiller by Kaspersky


    Please also download MBRCheck to your Desktop.
    See the download links under this icon http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif
    • Double click MBRCheck.exe to run (Vista and Win7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (How to attach items to your post)

    Now run C:\MGtools\GetLogs.bat by double-clicking on it (Vista and Win7 right click and select Run as Administrator)

    This will automatically update all the logs in MGlogs.zip!
    Make sure you click Accept on the License Agreement from HiJackThis!/analyse.exe twice (yes twice) if prompted.

    Then attach C:\MGlogs.zip to your next message (How to attach items to your post)
     
  6. DylanH

    DylanH Private E-2

    The Chrome error returned yesterday. Like before, it shows up at random.
     

    Attached Files:

  7. thisisu

    thisisu Malware Consultant

    Hi DylanH,

    Your logs are clean from malware.

    Code:
    C:\Program Files (x86)\gdipp\gdipp_common_32.dll
    Is hooked into Google Chrome (chrome.exe). I have a strong feeling that this gdipp program/customization addon that you have installed and want to keep is conflicting with Google Chrome.

    My suggestion would be to uninstall anything related to it (gdipp, perhaps some of your other addons too) that can be uninstalled and manually delete the rest of the files and folders from it. Then reboot. After reboot, if there are any problems with Chrome, uninstall it, reboot and then reinstall Chrome.

    Your remaining problem with chrome.exe crashing randomly is not due to malware. I would recommend getting help at our Software forum regarding this issue.

    Best of luck :)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note that the quotes are required.
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
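As an added example, not code from the thread or from any tool named in it: a PowerShell snippet that lists the DLLs loaded into running chrome.exe processes and flags those without a valid Authenticode signature, the kind of check that would surface a third-party hook DLL like the gdipp module identified above. It assumes an elevated PowerShell session of the same bitness as Chrome (32-bit PowerShell for a 32-bit Chrome).

```powershell
# Added example (not from the thread): report modules loaded into chrome.exe
# whose Authenticode signature does not verify. Chrome's own DLLs are signed by
# Google; a third-party hook such as the gdipp DLL named above is not.
function Get-UnsignedChromeModules {
    $procs = Get-Process -Name chrome -ErrorAction SilentlyContinue
    if (-not $procs) { Write-Warning "chrome.exe is not running"; return }

    $seen = @{}   # report each DLL path once, even if many chrome.exe processes load it
    $rows = foreach ($p in $procs) {
        try { $mods = $p.Modules }
        catch { Write-Warning "PID $($p.Id): $($_.Exception.Message)"; continue }  # access denied or bitness mismatch
        foreach ($m in $mods) {
            $path = $m.FileName
            if ($seen.ContainsKey($path)) { continue }
            $seen[$path] = $true
            $sig = Get-AuthenticodeSignature -FilePath $path
            [pscustomobject]@{
                Module   = $m.ModuleName
                Path     = $path
                Status   = $sig.Status       # Valid, NotSigned, HashMismatch, NotTrusted, ...
                Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
                InWinDir = $path.StartsWith($env:windir, [System.StringComparison]::OrdinalIgnoreCase)
            }
        }
    }
    # Valid means the signature chains to a trusted root; anything else deserves a look,
    # especially a module outside both the Windows and Chrome install directories.
    $rows | Where-Object { $_.Status -ne 'Valid' } | Sort-Object InWinDir, Path
}

Get-UnsignedChromeModules | Format-Table -AutoSize
```

On Windows 7, Get-AuthenticodeSignature does not consult the catalog signatures that cover most Windows system DLLs, so files under the Windows directory commonly report NotSigned; the InWinDir column is there to tell those apart from a DLL living somewhere else.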
