Rootkit Virus

Hello again! This time I'm helping my boss with his Latitude E6500 (XP-Pro SP3). He appears to have gotten some kind of Rootkit virus; one that causes all icons and programs to be hidden.

I've seen one of these before, so I ran the following:
> Unhide, MBAM, TDSSKiller
> Attached are logs, including MGTools

It appears to be running normally now, but you guys usually have a thing or two that you recommend I should do.

I appreciate your help.

 

Sorry, forgot ComboFix and SAS. I just ran these along with MBRCheck, and logs are attached.

Something I just noticed that I didn't see before: The Programs list in the Start Menu shows lots of empty folders/invalid shortcuts (screenshot attached). I do see MS Word, for instance, in the C:\Programs folder, and I can launch an existing Word doc from the desktop, so the program is actually still on the station. So how do we get the Start/Programs menu back?

Thanks!

 

Results:

1) The accrestore did restore the Accessories list, but only that one. All the other Start menu items are pretty much empty.
2) Your posted "Enable Pin to Start Menu for Folders in Windows Vista / XP" link was a duplicate of the accrestore download.
3) The only 04-HKUS files shown on the MGTools analyse scan did not match the two you show below, so I did nothing there.
4) The only file in C:\Documents and Settings\NetworkService\Application Data\Sun\Sun is fptjnmg.dll
5) "\Device\Harddisk0\DR0 ( TDSS File System )" which was found with TDSSKiller doesn't have Cure as an option, so I've been skipping it. I didn't want to Delete without confirming with you this is what you mean by having it "fix" it. Just let me know on that, please.

Attached are the MGlogs file and the TDSS log. Thank you!

 

Hi there. I'm not sure what you mean about removing items from the Programs list. Everything? MS Office, Safari, Startup, Dell Accessories, etc, etc. How can the laptop be navigated efficiently without programs listed in the Start/All Programs menu? Is there any way to restore them as they were before the virus? Is there anything I did as far as virus removal that caused this and that I shouldn't do again? (I'm having this same problem with my boss's wife's computer, which we have open under another ticket.)

I deleted the TDSS entry that showed during the scan. I've attached a new log.

I deleted the dll file from the Sun folder.

Thanks again!

 

Hi there. I was out of town all this last week. Back to these two laptops! Update:

> Restore Admin Tools appears to have put this back into the Control Panel, although I don't see it in the Start Menu (not sure if it was there before).

> Repair.vbs: What this appears to have done is create another copy of the C:\Programs folder. Was that the intention? If I understand you correctly, what you're saying is that I can drag shortcuts from the executable files into the C:\D&S\User\Start Menu\Programs folder. It will create shortcuts in the Start Menu that will be labeled whatever I call them, but it will not "restore" the former shortcuts. For instance, where the Microsoft Office Start Menu shortcut used to show a list like "Microsoft Office 2003" and "Microsoft Excel 2003," when I drag and drop my own shortcuts, unless renamed, they will show "Shortcut to EXCEL" and "Shortcut to OUTLOOK" etc. Then if I create new shortcuts, I would delete those that are empty now. Is that right? If this is correct, then I don't really want to shortcut to the Recovery folder; but to the folder on C that I mention above, correct? If so, then I can just discard the Recovery folder?

> One more thing on the Start Menu: I don't see some of the "standard" shortcuts like under Accessories, "Communications" is empty. I don't see any way to shortcut to this. Also, for instance, "Games" is also still empty, and I don't know where I would find these.

> Quick Launch Toolbar: This is still enabled but the shortcuts aren't showing on the toolbar. Must I recreate these manually as well because the "default" QL toolbar will never come back?

> Smart HDD shortcuts: These are still on the desktop and within the Start Menu (figures *that* would stay in the Start Menu! ;-). They appear to be shortcuts to an exe file in C:\D&S\All Users\App Data which is not actually there. Do I just delete those shortcuts now?

I appreciate all your guidance on this. I'm sort of the go-to person for everyone I know who gets a virus, and I have a feeling I'm going to come across this one again soon. In the case of the two laptops I'm working on now, they have the original program disks and product keys, so I'm considering reformatting and reinstalling. I may not have that in the future, though, so I'd like to know how far we can go to restore normal function without reformatting.

Your insight is very welcome.