Author Topic: |HELP| Cant delete rootkit or move to chest  (Read 17943 times)

0 Members and 1 Guest are viewing this topic.

FireCubic

  • Guest
|HELP| Cant delete rootkit or move to chest
« on: February 22, 2012, 11:54:44 PM »
So, i scanned my computer today and i had a rootkit.. I clicked apply where it says if you'd like to remove or move it to chest and it said will be applied after restart(something like that) and it asked to do a boottime scan.. so i did. Nothing came up. And then i go to the scan log and try to delete it and i get this"Error access is denied(5)" The file directory is(if im not aloud to put this out here then tell me) C:\Windows\Temp\SDIAG_14ff66d-eab3-aa39-298c206cd949\DiagPackage.dll Also the status is Threat: Rootkit: Hiddenfile


I scanned immediatly after it said this with Hitmanpro, Superantispyware(both found nothing;'( ), and now im doing a scan with Microsoft windows malicious software removal tool to scan.. I for some reason cant download Malwarebytes as it says something like cannot find file and then the name.. Please give me anyinformation about how to remove the rootkit. Thanks!( malwarebytes randomly deleted itself on the 16th after i uninstalled itunes)..




EDIT: System restored to the day malwarebytes worked. Was able to install it with only one problem but it had done that when i first installed it(when i first got my computer). Currently scanning,will update if it detects anything. Also, installed TDSSkiller and Gmer.

EDIT#2: Malwarebytes and TDSSkiller detected nothing.

EDIT#3: Used CCleaner, McAfee Stinger & rootkit remover, and 1 other anti-rootkit. They found nothing aswell. still kinda on alert because i dont think its gone.. Also ran 2 more scans with Avast(full scans, found nothing)
« Last Edit: February 23, 2012, 05:09:12 AM by FireCubic »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37505
  • Not a avast user
Re: |HELP| Cant delete rootkit or move to chest
« Reply #1 on: February 23, 2012, 12:02:41 AM »
Follow the guide, and attach the OTL and aswMBR logs
http://forum.avast.com/index.php?topic=53253.0

FireCubic

  • Guest
Re: |HELP| Cant delete rootkit or move to chest
« Reply #2 on: February 23, 2012, 12:03:56 AM »
What does OTl and the other thing stand for? Sorry im a nub;P

FireCubic

  • Guest
Re: |HELP| Cant delete rootkit or move to chest
« Reply #3 on: February 23, 2012, 12:11:15 AM »
Follow the guide, and attach the OTL and aswMBR logs
http://forum.avast.com/index.php?topic=53253.0

When i downloaded OTl and tried to run it Avast poped up and said to move it to the chest(i didnt). is that bad or is it supposed to do that?

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37505
  • Not a avast user
Re: |HELP| Cant delete rootkit or move to chest
« Reply #4 on: February 23, 2012, 12:18:32 AM »
no....so ignore.......OTL is a diagnostic tool and aswMBR is a rootkit scanner

FireCubic

  • Guest
Re: |HELP| Cant delete rootkit or move to chest
« Reply #5 on: February 23, 2012, 12:53:13 AM »
Pondus, after running the second thing it wants you todo my computer got The blue screen and said it shut down to prevent damage.. so i guess im outta luck there..

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37505
  • Not a avast user
Re: |HELP| Cant delete rootkit or move to chest
« Reply #6 on: February 23, 2012, 01:05:24 AM »
OK, Essexboy and Jeffc is notified so wait until they arrive........it may be several hours

jeffce

  • Guest
Re: |HELP| Cant delete rootkit or move to chest
« Reply #7 on: February 23, 2012, 01:45:21 PM »
Hi,

You mention the "second thing"?  Is that aswMBR.exe?  Were you able to get OTL ran?  If so please post both the OTL.txt and Extras.txt logs into your next reply.  :)

FireCubic

  • Guest
Re: |HELP| Cant delete rootkit or move to chest
« Reply #8 on: February 23, 2012, 08:40:08 PM »
I was able to run a scan with otl and then when I ran the avast root kit one got a blue screen and said window shut down to prevent damage. I'm currently not at my house but when I get there I'll get on my computer and post the logs. Possibly I'll retry the avast root kit scanner and see what it said under the windows shutdown blue screen as I cant remember

jeffce

  • Guest
Re: |HELP| Cant delete rootkit or move to chest
« Reply #9 on: February 23, 2012, 08:44:53 PM »
Hi,

For the time being don't run any other scans so that we can see what we are dealing with.  When you are able to do so just post the OTL logs and we can go from there.  :)

FireCubic

  • Guest
Re: |HELP| Cant delete rootkit or move to chest
« Reply #10 on: February 24, 2012, 12:44:28 AM »
Jeff, I system restored last night and the logs are gone.. Should I try a scan with otl just incase or no?

FireCubic

  • Guest
Re: |HELP| Cant delete rootkit or move to chest
« Reply #11 on: February 24, 2012, 02:18:42 AM »
Re did the scans, this time the aswbr(what ever its called) didnt give me the blue screen and it found 2 things(outta 5 ;/) posting the attachments now;)

jeffce

  • Guest
Re: |HELP| Cant delete rootkit or move to chest
« Reply #12 on: February 24, 2012, 03:18:09 AM »
Hi,

Not a lot is showing up in your logs now that you did the system restore.
----------

Please download and run ERUNT (Emergency Recovery Utility NT).  This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.  **Remember if you are using Windows Vista as your operating system right-click the executable and Run as Administrator.
----------

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

Code: [Select]
:Services

:OTL
IE - HKU\S-1-5-21-2807712318-2501942183-506546610-1000\..\URLSearchHook: {37483b40-c254-4a72-bda4-22ee90182c1e} - No CLSID value found
IE - HKU\S-1-5-21-2807712318-2501942183-506546610-1000\..\URLSearchHook: {9a9d7930-001b-4e0c-a8ca-f16080dbfc85} - No CLSID value found
FF:[b]64bit:[/b] - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
O2:[b]64bit:[/b] - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - No CLSID value found.
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (no name) - MRI_DISABLED - No CLSID value found.
O3:[b]64bit:[/b] - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-2807712318-2501942183-506546610-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKU\S-1-5-21-2807712318-2501942183-506546610-1000\..\Toolbar\WebBrowser: (no name) - {9A9D7930-001B-4E0C-A8CA-F16080DBFC85} - No CLSID value found.
O4 - Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk =  File not found
O4 - Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk =  File not found
O4 - Startup: C:\Users\Mcx1-OWNER-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk =  File not found
[3 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp -> ]
[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[2011/05/27 16:09:47 | 000,009,392 | -HS- | C] () -- C:\Users\Owner\AppData\Local\s7846w86gi86yo4j3444wfp8hl
[2011/05/27 16:09:47 | 000,009,392 | -HS- | C] () -- C:\ProgramData\s7846w86gi86yo4j3444wfp8hl
[2011/05/21 21:16:18 | 000,008,704 | ---- | C] () -- C:\Users\Owner\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

:Files
ipconfig /flushdns /c

:Reg

:Commands
[purity]
[resethosts]
[emptytemp]
[start explorer]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered.  There will be a log created when it completes that I will need in your next reply.  Reboot when it is done.
  • Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )

FireCubic

  • Guest
Re: |HELP| Cant delete rootkit or move to chest
« Reply #13 on: February 24, 2012, 03:49:40 AM »
Jeff, i get this error when i try to install it." Access violation at address 8B12EB00. Read of address 8B12EB00." What does that mean exactly?

jeffce

  • Guest
Re: |HELP| Cant delete rootkit or move to chest
« Reply #14 on: February 24, 2012, 01:38:57 PM »
Hi FireCubic,

What exactly do you mean "when I try to install it"?  Are you trying to run the fix that I provided and that is creating the error or explain what you mean by that.