Stuck with WinKrootKit Trojan

Discussion in 'Malware Help (A Specialist Will Reply)' started by Steve1949, Oct 14, 2005.

  1. Steve1949

    Steve1949 Private E-2

    Cannot eliminate this WinKrootKit trojan. VirusScan says it is in the windows\system32\drivers\winik.sys file, but can't get to it. Tried everything in your Read Me First post. Nothing works. I have tried attaching the HijackThis log, but am told the log is too large. Help!
     
  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Zip the log and attach it.
     
  3. Steve1949

    Steve1949 Private E-2

    I am attaching the hijackthis log as a zip file
     


  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  5. Steve1949

    Steve1949 Private E-2

    I am attaching the Ewido log. I could not get a fresh HijackThis log since the program froze after it scanned 5 times, and I could not get it to upload. Can you use the log I sent last night?

    thanks for your help
     


  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    OK, we are going to have to do a manual fix. You have several instances of a running Trojan; when I say several, I mean a couple hundred plus.

    Do the following:
    Start -> Run

    regsvr32 /u "C:\Program Files\svtrstsv\bIACI4xN.dll"

    OK

    NOTE: Use the quotes where I have them.

    Run Regedit by doing the following:
    Start -> Run

    regedit

    OK

    Navigate to the following key:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    Delete every instance of the following:
    Do the same for HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion

    Now boot to SAFE MODE

    Open Windows Explorer and DELETE the following:
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Now reboot to Normal Mode.

    Run HijackThis and post a fresh log as an ATTACHMENT.
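The Run-key part of the procedure above, as an added example that is not part of the original thread: a PowerShell script that lists every value under the HKLM and HKCU Run keys the post tells the user to open in Regedit, and removes the ones whose command line points into the svtrstsv folder. The folder name comes from the thread; the function names and the dry-run switch are this example's own, and it assumes a current Windows with PowerShell rather than the XP-era tools the thread used.

```powershell
# Added example, not part of the original thread: audits the two Run keys the
# post asks the user to inspect in Regedit and removes any value whose data
# points into a given folder. The folder name svtrstsv comes from the thread;
# the function names and the dry-run switch are this example's own.
# Run from an elevated PowerShell prompt so the HKLM key is writable.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Get-RunEntry {
    # One object per autorun value: which key, the value name, and the raw command line.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{
                Key  = $key
                Name = $name
                # DoNotExpandEnvironmentNames keeps %SystemRoot%-style data exactly as stored.
                Data = [string]$item.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            }
        }
    }
}

function Remove-RunEntryByPath {
    # Deletes every Run value whose command line contains $PathFragment.
    # Match on the folder name rather than the full path: the registry may hold
    # the 8.3 form (C:\PROGRA~1\svtrstsv\...) while Explorer shows the long form.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $PathFragment
    )
    foreach ($entry in (Get-RunEntry | Where-Object { $_.Data -like "*$PathFragment*" })) {
        if ($PSCmdlet.ShouldProcess("$($entry.Key)\$($entry.Name)", "Remove autorun value -> $($entry.Data)")) {
            Remove-ItemProperty -Path $entry.Key -Name $entry.Name
        }
    }
}

# Review everything that starts at logon, preview what would be removed, then remove it.
Get-RunEntry | Format-Table -AutoSize
Remove-RunEntryByPath -PathFragment 'svtrstsv' -WhatIf
# Remove-RunEntryByPath -PathFragment 'svtrstsv'
```

Two practitioner notes. `regsvr32 /u` only removes the DLL's COM registration; it neither unloads a DLL that is already mapped into a process nor deletes the file, which is why the post still has the user delete the folder from Safe Mode afterwards. And a Run value that comes back after a reboot, as happens later in this thread, means something still running (or a second autostart location) is re-creating it, so check the other autostart keys, services and drivers (Sysinternals Autoruns covers them) rather than the two Run keys alone.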
     
  7. Steve1949

    Steve1949 Private E-2

    Thank you for the directions. I did as directed with the following problems:

    When trying to delete C:\Program Files\svtrstsv, the system said "cannot delete file bIACI4xN.dll" and would not let me delete this.

    Could not find the following files to delete:
    C:\WINDOWS\system32\arpa.exe
    C:\Documents and Settings\Owner\Application Data\uelo.exe

    Hijack this log is attached
     


  8. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    OK, some of the trojans mutated.

    Follow the instructions in the below thread:

    Running Ewido Security Suite


    Once you have completed the scan post the Ewido log.
     
  9. Steve1949

    Steve1949 Private E-2

    Thanks. Mutations, huh... that's great. Here is the Ewido log.
     


  10. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download
    - Pocket Killbox

    Now scan and have HJT Fix the following:
    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into Killbox one at a time. Check the box that says "Delete on Reboot" and check the box "Unregister DLL" (if available). Click the red X and it will ask you to confirm the file for deletion; say YES, and when the next box opens prompting you to reboot now, click NO and proceed with the next file. Once you get to the last one click YES and it will reboot. Note that many of the files listed below may not exist, but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open Windows Explorer navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Post a fresh HijackThis log as an ATTACHMENT.
     
  11. Steve1949

    Steve1949 Private E-2

    Okay, all done except I could not delete the folder C:\Program Files\svtrstsv due to the message "cannot delete profile.dat: access denied. Make sure disk is not full or write-protected and that file is not currently in use."

    I deleted the rest of the files in that folder and noticed there are other profile.dat files elsewhere

    attached is most recent HJ log
     


  12. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download and install
    - Unlocker

    Now scan and have HJT Fix the following:
    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into Killbox one at a time. Check the box that says "Delete on Reboot" and check the box "Unregister DLL" (if available). Click the red X and it will ask you to confirm the file for deletion; say YES, and when the next box opens prompting you to reboot now, click NO and proceed with the next file. Once you get to the last one click YES and it will reboot. Note that many of the files listed below may not exist, but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open Windows Explorer navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    If a file won't delete, right-click on it and make sure that Read-Only is UNCHECKED. If the file still won't delete, right-click and select Unlocker from the menu. When Unlocker opens click on the Unlock All button. Now delete the file.

    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Post a fresh HijackThis Log.
     
  13. Steve1949

    Steve1949 Private E-2

    Did everything. Had a little trouble with Unlocker; couldn't get it to work. Had to delete C:\Program Files\svtrstsv manually in Normal Mode.

    hijack this log attached
     


  14. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  15. Steve1949

    Steve1949 Private E-2

    Thanks for helping to kill it, however slowly.

    smitfiles.txt attached
     


  16. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Now Download the Registry Search Tool

    Unzip to your Desktop and double click on regsrch.vbs
    (if you have script protection, please allow this to run)

    In the dialog that opens enter the following:

    dMVGR9ov

    Press 'OK'

    The search will run for a while then alert you when it is finished. Press 'OK' and copy the contents of the WordPad window and post in this thread. If it is very long, an attachment would be better.
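The registry search the post above asks for, as an added example that is not part of the original thread or of RegSrch.vbs: a PowerShell stand-in that walks HKLM and HKCU, reports every key name, value name or value data containing the search string, and prints the hits in the same REGEDIT4 layout the thread's result uses. The string dMVGR9ov comes from the thread; the function names are this example's own.

```powershell
# Added example, not part of the original thread: a PowerShell stand-in for the
# RegSrch.vbs search the post asks for. It walks HKLM and HKCU and reports every
# key name, value name or value data containing the search string, printed in
# the REGEDIT4 layout the thread's result uses. The string dMVGR9ov comes from
# the thread; the function names are this example's own.

function Search-Registry {
    param(
        [Parameter(Mandatory = $true)] [string] $Pattern,
        [string[]] $Roots = @('HKLM:\', 'HKCU:\')
    )
    $hits = New-Object System.Collections.Generic.List[object]
    foreach ($root in $Roots) {
        # Keys we cannot open (SAM, SECURITY, some service keys) are skipped, not fatal.
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            # PSPath is Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\...; keep the part regedit shows.
            $keyPath = $key.PSPath -replace '^.*Registry::', ''
            if ($key.PSChildName -like "*$Pattern*") {
                $hits.Add([pscustomobject]@{ Key = $keyPath; Name = $null; Data = $null })
            }
            foreach ($name in $key.GetValueNames()) {
                $data = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
                # REG_BINARY comes back as byte[]; render it as hex so the pattern can still match.
                if ($data -is [byte[]]) { $data = ($data | ForEach-Object { $_.ToString('x2') }) -join '' }
                $data = [string]$data
                if ($name -like "*$Pattern*" -or $data -like "*$Pattern*") {
                    $hits.Add([pscustomobject]@{ Key = $keyPath; Name = $name; Data = $data })
                }
            }
        }
    }
    return $hits
}

function Format-RegHit {
    # Emit hits in .reg syntax: header once, then [key] and "name"="data" with backslashes doubled.
    param([Parameter(ValueFromPipeline = $true)] $Hit)
    begin { 'REGEDIT4'; '' }
    process {
        "[$($Hit.Key)]"
        if ($null -ne $Hit.Name) {
            # regedit writes the (Default) value as @ rather than as an empty quoted name.
            $label = if ($Hit.Name -eq '') { '@' } else { '"' + $Hit.Name + '"' }
            $value = $Hit.Data -replace '\\', '\\'
            '{0}="{1}"' -f $label, $value
        }
        ''
    }
}

Search-Registry -Pattern 'dMVGR9ov' | Format-RegHit
```

A full walk of HKLM takes a few minutes and will log access-denied errors for protected keys; narrow `-Roots` to `HKLM:\SOFTWARE` and `HKCU:\SOFTWARE` when you only care about autostart entries. The output is deliberately in .reg form, so it can be saved and, with the matching values edited out, merged back to undo a change, which is what the RegSrch.vbs header note describes.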
     
  17. Steve1949

    Steve1949 Private E-2

    results for Registry Search:


    REGEDIT4
    ; RegSrch.vbs © Bill James

    ; Registry search results for string "dMVGR9ov" 10/18/2005 12:42:30 AM

    ; NOTE: This file will be deleted when you close WordPad.
    ; You must manually save this file to a new location if you want to refer to it again later.
    ; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "dMVGR9ov"="C:\\PROGRA~1\\svtrstsv\\bIACI4xN.exe"
     
  18. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download and install
    - ExplorerXP

    CTRL+ALT+DEL, click on the Processes tab and stop bIACI4xN.exe

    Copy the contents of the below quote box to Notepad and save as regfix.reg to your desktop.
    Now double-click on regfix.reg answer 'YES' when asked if you want to merge with the registry.

    Now run ExplorerXP, navigate to and delete C:\Program Files\svtrstsv <---- Delete the entire folder.

    Now boot to Safe Mode.

    Using the Search function in the Start Menu, as per
    Searching for Hidden Files on WinXP, search for bIACI4xN.* on the hard drive, delete every instance of bIACI4xN.

    Now boot to Normal Mode; run HijackThis and post a fresh log.
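The process-kill, folder-delete and file-search steps of the post above, as an added example that is not part of the original thread. It also covers the "Delete on Reboot" step of the two Pocket Killbox posts earlier in the thread, and the "cannot delete ... file in use / access denied" failure the user hit twice: a file that still will not go is queued for deletion at the next boot through the Session Manager's PendingFileRenameOperations value, which is the mechanism behind Killbox's "Delete on Reboot". The names bIACI4xN and svtrstsv come from the thread; the function names are this example's own, and it assumes a current Windows with PowerShell and an elevated prompt.

```powershell
# Added example, not part of the original thread: the Task Manager, folder-delete
# and file-search steps of the post, plus the "cannot delete, file in use /
# access denied" failure the user hit earlier. A file that still will not go is
# queued for deletion at the next boot through PendingFileRenameOperations, the
# Session Manager mechanism behind Killbox's "Delete on Reboot".
# The names bIACI4xN and svtrstsv come from the thread; the function names are
# this example's own. Run from an elevated PowerShell prompt.

function Stop-NamedProcess {
    # Kill every running image with this base name (Task Manager -> Processes -> End Process).
    param([Parameter(Mandatory = $true)] [string] $BaseName)
    $procs = @(Get-Process -Name $BaseName -ErrorAction SilentlyContinue)
    foreach ($p in $procs) {
        Write-Host ("Stopping {0} PID {1} ({2})" -f $p.ProcessName, $p.Id, $p.Path)
        Stop-Process -Id $p.Id -Force
    }
    return $procs.Count
}

function Find-FileEverywhere {
    # -Force includes Hidden and System files, which the Start-menu search skips unless told otherwise.
    param([Parameter(Mandatory = $true)] [string] $Filter, [string[]] $Drives = @('C:\'))
    foreach ($d in $Drives) {
        Get-ChildItem -Path $d -Filter $Filter -Recurse -Force -File -ErrorAction SilentlyContinue
    }
}

function Add-PendingDelete {
    # Append "\??\<path>" followed by an empty target to the REG_MULTI_SZ that
    # smss.exe processes at boot; an empty target means delete rather than rename.
    # Directories are removed only once empty, so queue their contents first.
    param([Parameter(Mandatory = $true)] [string] $Path)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $current = (Get-ItemProperty -Path $key -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
    $ops = @()
    if ($current) { $ops += $current }
    $ops += "\??\$Path"
    $ops += ''
    Set-ItemProperty -Path $key -Name PendingFileRenameOperations -Value ([string[]]$ops) -Type MultiString
}

function Remove-OrQueue {
    # Try to delete now; if Windows refuses (locked or access denied), queue it for the next boot.
    param([Parameter(Mandatory = $true)] [string] $Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 'absent' }
    $clear = [IO.FileAttributes]'ReadOnly,Hidden,System'
    try {
        # Read-only/Hidden/System by themselves are enough to block a plain delete; clear them first.
        Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object { $_.Attributes = $_.Attributes -band (-bnot $clear) }
        $top = Get-Item -LiteralPath $Path -Force
        $top.Attributes = $top.Attributes -band (-bnot $clear)
        Remove-Item -LiteralPath $Path -Recurse -Force -ErrorAction Stop
        return 'deleted'
    } catch {
        if (Test-Path -LiteralPath $Path -PathType Container) {
            # Deepest paths first so every file and subfolder is gone before its parent is tried.
            Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
                Sort-Object { $_.FullName.Length } -Descending |
                ForEach-Object { Add-PendingDelete -Path $_.FullName }
        }
        Add-PendingDelete -Path $Path
        return 'queued-for-reboot'
    }
}

Stop-NamedProcess -BaseName 'bIACI4xN'
Remove-OrQueue -Path 'C:\Program Files\svtrstsv'
Find-FileEverywhere -Filter 'bIACI4xN.*' | ForEach-Object { Remove-OrQueue -Path $_.FullName }
```

Before rebooting, read the queue back with `Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -Name PendingFileRenameOperations` and make sure every path listed is one you intend to lose; the value is processed blindly at the next boot. Two caveats tie back to the thread: the "Unregister DLL" option in Killbox corresponds to `regsvr32 /u`, which this script does not run, and a kernel driver of the kind the scanner named (winik.sys) can hide files from Get-ChildItem in Normal Mode, so if the search finds nothing, repeat it from Safe Mode as the post says.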
     
  19. Steve1949

    Steve1949 Private E-2

    Done. I could not find the svtrstsv file or folder, but was able to delete one instance of bIACI4xN.

    log attached
     


  20. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Well, OK. That time it looks like we got the stubborn little bugger. Reboot your computer a couple of times, surf the net, use a couple of programs; then run HijackThis and post the log just to make sure it doesn't come back.
     
  21. Steve1949

    Steve1949 Private E-2

    Thanks so much for your help. I'll let you know.

    steve
     
