Please help with rootkit problem

[nastyhobbit]

Hi everyone

I'm new to the forums. Actually I was searching for some solution to my PC's rootkit problem that's why I'm here. Any help would be appreciated.

I've been using avast for a while now on my laptop PC (running 64-bit Windows 7 Home). And so far I didn't get any problems. But recently my laptop PC has been having problems. It's running pretty slowly and having trouble starting up in normal mode. A few days ago it started up normally but now it wouldn't at all. So now I'm running it in safe mode with networking. I did a full scan with avast and found a DLL file with the status -- Threat:Rootkit:hidden file. I tried to delete it with avast but I get the error message: Access is denied (5). Avast also found 7 other things but the status says-- Error: the request could not be performed because of an I/O device error.

Here is the screenshot of the avast log:


What should I do? My laptop still wouldn't start up in normal mode.

[jeffce]

Hi,

Hi and welcome!

Please visit the site located here.  Follow the directions
for running OTL, aswMBR.exe and Malwarebytes and then attach the logs that are created to your next reply. 

---------

[nastyhobbit]

Still running on Safe Mode with Networking...


Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.02.07

Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421
nastyhobbit :: NASTY_HOBBIT [administrator]

8/2/2012 3:23:48 PM
mbam-log-2012-08-02 (15-23-48).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 206899
Time elapsed: 3 minute(s), 14 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

[nastyhobbit]

Still in safe mode with networking...

I've downloaded OTL and tried to run it as specified (all other windows closed, etc.). But it freezes at some point and it just hangs. I've tried to run it twice now and I get the same result. Am I doing something wrong? Should I just wait it out and (cross fingers) it'll finish the scan eventually?

I've also downloaded aswMBR and also tried to run it as specified. But at some point before it's finished, I just get the blue screen and the computer restarts. So I have no aswMBR scan log either.

Is my computer doomed?

[nastyhobbit]

Sorry about that. Third time's the charm, it turns out.  Here's the OTL scan log. And it took a while.

I'll try to run aswMBR again.

[nastyhobbit]

... and nope. I ran aswMBR again, but I got the blue screen midway and the computer restarted again. So I don't have the aswMBR scan log to show you.

[jeffce]

Good job getting that run.

Please download TDSSKiller.zip

• Extract it to your desktop
• Double click TDSSKiller.exe
  
• When the window opens, click on Change Parameters
  
• Under ”Additional options”, put a check mark in the box next to “Detect TDLFS File System”
  
• click OK
  
• Press Start Scan
  
• Do Not Attempt To Fix Anything Now.  We just need to look over the report and be sure we are removing the correct items. 
• Attach the log in your next reply
• A copy of the log will be saved automatically to the root of the drive (typically C:\)
  

----------

[nastyhobbit]

Okay, downloaded TDSSKiller and ran it. Here's the log.

Thanks a lot for your patience by the way.

[jeffce]

Hi,

You are more than welcome. 

Download Combofix from either of the links below, and save it to your desktop. 
Link 1
Link 2

**Note:  It is important that it is saved directly to your desktop**
If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.


--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

--------------------------------------------------------------------

Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.

When finished, it will produce a report for you. 

• Please post the C:\ComboFix.txt for further review.

[nastyhobbit]

Okay, downloaded Combofix and ran it. I disabled (or so I thought) my anti-spyware (Ad-Aware) and antivirus programs (avast) before I ran Combofix, but for some reason, Combofix still said they were running. I ran Combofix anyways and got this log.

By the way, the computer restarted by itself. The computer is still running in Safe Mode with Networking.

[jeffce]

Hi,

I see that you are running both Avast and AdAware Antivirus?  Using more than one antivirus program is not a good idea and could lead to more problems and actually less detection.  You may also be interested in reading this >> http://www.scmagazine.com/lavasofts-new-owners-operated-misleading-websites/article/209123/ in reference to AdAware.  I would suggest you remove one of them completely.
--------

• Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
  

Code: [Select]

ClearJavaCache::

DDS::
Trusted Zone: pps.tv
Trusted Zone: ppstream.com
Trusted Zone: webscache.com
Trusted Zone: qq.com\cache.tv
Trusted Zone: qq.com\qqlivecaption
Trusted Zone: qq.com\qqlivehabit
Trusted Zone: qq.com\qqlivesearch
Trusted Zone: qq.com\video_1
DPF: {5EC7C511-CD0F-42E6-830C-1BD9882F3458} - hxxp://download.ppstream.com/bin/powerplayer.cab
DPF: {EF0D1A14-1033-41A2-A589-240C01EDC078} - hxxp://dl.pplive.com/PluginSetup.cab

Firefox::
FF - ProfilePath - c:\users\nastyhobbit\AppData\Roaming\Mozilla\Firefox\Profiles\irygqewh.default\
FF - prefs.js: keyword.URL - hxxp://www.samenc.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=sJ8PfxwN&q=
FF - user.js: keyword.URL - hxxp://www.samenc.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=sJ8PfxwN&q=


• Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
  
  
  
  
• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  
• Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  
• ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
• When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
  

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------

[nastyhobbit]

I ran into the same problem as last time when disabling avast and Ad-Aware. I disabled avast by right-clicking the avast icon in the system tray and clicking "disable permanently". And I also disabled Ad-Aware by right-clicking the Ad-Aware icon and clicking "exit". I even opened the task manager to end all the processes I thought were related to both programs. But when I ran Combofix, it says both programs are running. I haven't clicked "OK" from the Combofix message box. What do I do to REALLY disable these programs?

[nastyhobbit]

I'm running the computer in Safe Mode with Networking, by the way. If that's significant.

[jeffce]

If ComboFix still shows they are running don't worry about it.  Just continue on.  It shouldn't cause a problem. 

[nastyhobbit]

Okay, that's a relief.
But now I have another problem (sorry, it seems the problems never end). The computer was shutdown unexpectedly (power outage... argh) while Combofix was running, and now when I restarted the computer and ran Combofix again, it's stuck at extracting files to output folder C:\32788R22FWJFW. What do I do?