Author Topic: Not able to get rid of a Rootkit


viper260886

  • Guest
Re: Not able to get rid of a Rootkit
« Reply #15 on: September 20, 2009, 08:32:02 AM »
Here you go...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:59:36 AM, on 09/20/09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Avast Antivirus\aswUpdSv.exe
D:\Avast Antivirus\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
D:\Avast Antivirus\ashMaiSv.exe
D:\Avast Antivirus\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
D:\AVASTA~1\ashDisp.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\Resources\Themes\Vista_Anthracite\VistaStart\VistaStart1.3.exe
C:\Program Files\Sify Broadband\BBClient.exe
D:\Internet Download Manager\IDMan.exe
D:\Internet Download Manager\IEMonitor.exe
C:\Program Files\Sify Broadband\BBImpSec.exe
D:\Mozilla Firefox\firefox.exe
D:\Winamp\winamp.exe
D:\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sify.com
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - D:\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] D:\AVASTA~1\ashDisp.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [VistaStart1.3] C:\WINDOWS\Resources\Themes\Vista_Anthracite\VistaStart\VistaStart1.3.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "D:\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [SifyBB] C:\Program Files\Sify Broadband\BBImpSec.exe
O4 - HKCU\..\Run: [Broadband] C:\Program Files\Sify Broadband\BBClient.exe
O4 - HKCU\..\Run: [IDMan] D:\Internet Download Manager\IDMan.exe /onboot
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Download all links with IDM - D:\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - D:\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - D:\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B157D0D1-4CA7-4AA4-8DAF-6496243DE920}: NameServer = 202.144.115.4,202.144.66.6
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Avast Antivirus\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Avast Antivirus\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Avast Antivirus\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Avast Antivirus\ashWebSv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3850 bytes

DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89116
  • No support PMs thanks
Re: Not able to get rid of a Rootkit
« Reply #16 on: September 20, 2009, 03:33:17 PM »
Your system is well out of date as I said before and as such leaves you more vulnerable to attack, so you need to bring it up to date as a matter of urgency.

I don't see anything obvious that would be causing the opening of the pages you listed.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

viper260886

  • Guest
Re: Not able to get rid of a Rootkit
« Reply #17 on: September 20, 2009, 08:47:11 PM »
Thanks to everyone who helped... :)

I think that rootkit has been deleted at last...
but my system has become too slow over the last few days... especially the boot time...
I even uninstalled all the programs that were used to get rid of the rootkit, including MBAM, RootRepeal, HijackThis, CCleaner, Secunia, etc.

Quote
Your system is well out of date as I said before and as such leaves you more vulnerable to attack, so you need to bring it up to date as a matter of urgency.

I don't see anything obvious that would be causing the opening of the pages you listed.

Is there anything that would suggest that my system is out of date, excluding SP2?
IE may be out of date, but I don't use it anyway.

THANKS AGAIN
  ;)

viper260886

  • Guest
Re: Not able to get rid of a Rootkit
« Reply #18 on: September 20, 2009, 09:14:58 PM »
Oh, and by the way, C:\WINDOWS\system32\ntoskrnl.exe still hooks many of the processes as mentioned earlier... how do I clean that??

mkis

  • Avast Evangelist
  • Super Poster
  • Posts: 1618
Re: Not able to get rid of a Rootkit
« Reply #19 on: September 20, 2009, 09:27:34 PM »
Quote
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Your system is well out of date, viper. You need to be up to date with Microsoft if you want to keep running Windows. To do otherwise you need to be an expert with Microsoft platforms.

The problem is that you do run Windows. Once up to date, you can make steady progress to detect, identify, remove and protect against malware. Otherwise, it is all a bit of a lottery; you won't know for sure how well you are doing.
Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.

DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89116
  • No support PMs thanks
Re: Not able to get rid of a Rootkit
« Reply #20 on: September 20, 2009, 09:35:08 PM »
Quote
<snip>
Your system is well out of date as I said before and as such leaves you more vulnerable to attack, so you need to bring it up to date as a matter of urgency.

I don't see anything obvious that would be causing the opening of the pages you listed.

Is there anything that would suggest that my system is out of date, excluding SP2?
IE may be out of date, but I don't use it anyway.

Yes, SP3 has been out for over a year, and there is little point in chasing the ntoskrnl.exe issue in an out of date system, as who knows the update may change how that functions.

Contrary to your statement you do use IE, it is integrated into the OS and can still be exploited. It is used to display help files, folder structure in windows explorer, email preview window if you use Outlook Express, and some other things. So you do use it and it needs to be updated.

I have IE7 as I really don't think IE8 is mature enough and there are some issues with it reported in the Windows Secrets newsletter, so I will wait a while yet before I install IE8.

Acrobat is also way out of date, vulnerable to exploit and a huge target by malware because of its large user base. So old versions need to be uninstalled and the latest installed.

That is why I gave you the link to the Secunia check as there are more applications that it checks and insufficient information to say what version of some apps you have installed, like winamp.

CharleyO

  • Guest
Re: Not able to get rid of a Rootkit
« Reply #21 on: September 23, 2009, 05:46:46 PM »
***

Quote
i even uninstalled all the programs that were used to get rid of the rootkit.. including MBAM, RootRepeal, Hijack this, CCleaner, Secunia, Etc

If I am not mistaken, uninstalling the above programs will not help your boot time since none of them should be running at boot time ... unless you have a "paid for" version.


***

viper260886

  • Guest
Re: Not able to get rid of a Rootkit
« Reply #22 on: September 27, 2009, 08:33:33 PM »
Hey... remember the sites I mentioned??? I found a solution for it...
I'm posting it here just in case someone else needs it!!!  :)


stop www. thenewspedia. com from opening in browser
Does your browser automatically open www(dot)thenewspedia(dot)com?

This is probably a virus or worm which doesn't harm your computer system but only opens the link, i.e. www. thenewspedia. com, unconditionally. Actually this is a browser hijacker affecting IE (Internet Explorer) and Firefox. It simply promotes thenewspedia by opening up the site randomly while you are browsing, or opens it up along with your homepage even if you have not set it as your homepage.

As a browser hijacker, it takes control over your browser, so you should immediately remove it to avoid future harm. So here are the removal steps:

REMOVAL

This is caused by a file named nissan.exe, and here I have described 3 methods to remove it.

METHOD I:

Open the registry editor by going to Start->Run, typing regedit and hitting Enter.
Navigate to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

You will see an entry named "taskman" with a value similar to "C:\RECYCLER\S-1-5-21-3028898713-081331...

Double-click it and you'll see its path, like C:\RECYCLER\S-1-5-21-3028898713-0813311981-684376638-1852\nissan.exe

This entry is the cause of the mess, as it tells Windows to execute the file. So you have to delete the key "taskman", but before that, copy the path (C:\RECYCLER\S-1-5-21-3028898713-0813311...\) except nissan.exe and navigate to the folder by pasting it into Run. Now delete the key.

When you open the RECYCLER folder nothing will be shown. This is because it is set to the super hidden state. Use the "attrib -h -s -r" command in Run, like Start->Run->[attrib -h -s -r C:\RECYCLER\S-1-5-21-3028898713-0813311981-684376638-1852\nissan.exe], to remove the attributes and then delete it.

Alternatively, you can use "Unlocker" to delete the folder. This is a free and handy utility to move, kill or delete files when they are locked by other Windows services.

Download link:
http://ccollomb.free.fr/unlocker/#download

METHOD II:

Use Malwarebytes Anti-Malware. This is a free tool for removing any malware, worms, trojans, etc. and is updated frequently, so I would suggest trying www.malwarebytes.org and downloading their free anti-malware, as you might have other worms too.

METHOD III:
You can use this direct removal tool too:
http://www.prevx.com/filenames/X1371355467920112549-X1/NISSAN.EXE.html


Unfortunately neither Avast nor MBAM detects it....  :(
I used the FileAssassin option in MBAM to delete the nissan.exe file.
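
Method I above is a manual walk through regedit and attrib. The script below is an added example, not code from this thread or from any of the tools mentioned in it. It audits the Winlogon value the hijacker used (Taskman) together with the two neighbouring values that are hijacked just as often (Shell and Userinit), flags anything that is not the Windows default or that launches from RECYCLER, Temp or a user profile, prints the target file's attributes and SHA-256 (handy when sending a sample to the vendor, as asked below), and with -Remove repeats Method I: delete the registry value, clear the hidden/system/read-only attributes, delete the file. It assumes Windows PowerShell 2.0 or later running as Administrator; the folder names in $badFolders and the helper names are illustrative choices of this example.

```powershell
# Added example (not from the forum post or any named tool). Audits and optionally
# cleans the Winlogon launch values abused by the thenewspedia hijacker.
# Assumes: Windows PowerShell 2.0+, run as Administrator.
param([switch]$Remove)   # without -Remove the script only reports

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Windows defaults. Taskman normally does not exist at all, so any value is reviewed.
$expected = @{
    'Shell'    = 'explorer.exe'
    'Userinit' = "$env:SystemRoot\system32\userinit.exe,"
    'Taskman'  = $null
}
# Illustrative list: folders nothing under Winlogon should ever launch from.
$badFolders = '\\(RECYCLER|\$Recycle\.Bin|Temp|Documents and Settings|Users)\\'

function Get-CommandPath([string]$value) {
    # First token of the value: a quoted path, or everything up to the first space/comma.
    # Assumption: unquoted paths contain no spaces (true for the RECYCLER path above).
    if ($value -match '^"([^"]+)"') { return $Matches[1] }
    return ($value -split '[ ,]')[0]
}

function Get-Sha256([string]$path) {
    # .NET 2.0 API, so it works where Get-FileHash (PowerShell 4+) is unavailable.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', '' }
    finally { $stream.Close() }
}

$props    = Get-ItemProperty -Path $winlogon
$findings = @()
foreach ($name in $expected.Keys) {
    $value = $props.$name
    if (-not $value) { continue }                  # absent or empty: nothing is launched
    # Flag: any Taskman value, any non-default value, or a launch from a dumping ground.
    $flag = ($name -eq 'Taskman') -or ($value -ine $expected[$name]) -or ($value -match $badFolders)
    if ($flag) { $findings += New-Object PSObject -Property @{ Name = $name; Value = $value } }
}

if ($findings.Count -eq 0) { 'No unexpected Winlogon values.'; return }

foreach ($f in $findings) {
    "Suspicious Winlogon value: $($f.Name) = $($f.Value)"
    $file = $null
    $path = Get-CommandPath $f.Value
    # Relative names such as explorer.exe resolve from %SystemRoot%; only absolute
    # paths are inspected on disk here.
    if ($path -match '^[A-Za-z]:\\' -and (Test-Path -LiteralPath $path)) {
        $file = Get-Item -LiteralPath $path -Force   # -Force: hidden/system files are listed
        "  file: $($file.FullName)  size: $($file.Length)  attributes: $($file.Attributes)"
        "  sha256: $(Get-Sha256 $file.FullName)"
    } else {
        "  target not found on disk (or not an absolute path): $path"
    }

    if ($Remove) {
        # Remove the launch point first so the file cannot run again at next logon,
        # then strip the attributes (the attrib -h -s -r step) and delete the file.
        Remove-ItemProperty -Path $winlogon -Name $f.Name -ErrorAction Stop
        "  deleted registry value $($f.Name)"
        if ($file) {
            $file.Attributes = [System.IO.FileAttributes]::Normal
            Remove-Item -LiteralPath $file.FullName -Force -ErrorAction Stop
            "  deleted $($file.FullName)"
        }
    }
}
```

Run it once without -Remove and read the report; a Taskman value is flagged even when an administrator set it deliberately, so confirm the target before deleting. If the executable is still running, Remove-Item fails with access denied; end the process first (Stop-Process) or fall back to a reboot-time deletion, which is what FileAssassin and Unlocker do. On XP the script also needs Set-ExecutionPolicy RemoteSigned (or a signed copy) before it will run.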

Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: Not able to get rid of a Rootkit
« Reply #23 on: September 27, 2009, 08:55:52 PM »
Quote
Unfortunately neither Avast nor MBAM detects it....  :(

Did you send the file for analysis and help improve detection?
Send an email to virus (at) avast (dot) com. Thanks.
The best things in life are free.

swar

  • Guest
Re: Not able to get rid of a Rootkit
« Reply #24 on: October 12, 2009, 10:40:08 AM »
Hey viper...

I am facing the same problem.....
I tried removing it manually but I am unsuccessful...
For example, when running the attrib program, nothing happens. Could you further simplify your process,
or guide me to the site where you found the solution?
Thanks

For moderator: this is the okobarfest.exe virus/malware which avast is unable to detect.

mkis

  • Avast Evangelist
  • Super Poster
  • Posts: 1618
Re: Not able to get rid of a Rootkit
« Reply #25 on: October 12, 2009, 04:05:11 PM »
Oktoberfest.exe is currently being reviewed by Prevx

"The most common objects with the name of OKTOBERFEST.EXE have yet to be classified as safe by our research department"

http://www.prevx.com/filenames/981336025384161385-X1/OKTOBERFEST.EXE.html

viper260886

  • Guest
Re: Not able to get rid of a Rootkit
« Reply #26 on: October 15, 2009, 01:04:59 PM »
Hey swar...
sorry for the late reply...

but I don't exactly remember the site...  :(
I just googled "newspedia virus".

By the way, the procedure has been posted here... is there anything specific that you don't get?
I would be glad to help you :)