Author Topic: |HELP| Cant delete rootkit or move to chest  (Read 17942 times)

FireCubic

  • Guest
Re: |HELP| Cant delete rootkit or move to chest
« Reply #15 on: February 24, 2012, 05:11:30 PM »
When I'm trying to install ERUNT I get that error

jeffce

  • Guest
Re: |HELP| Cant delete rootkit or move to chest
« Reply #16 on: February 24, 2012, 05:40:51 PM »
Hi,

Let's try another route.  :)
----------

Download Combofix from either of the links below, and save it to your desktop. 
Link 1
Link 2

**Note:  It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

--------------------------------------------------------------------

  • Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.

FireCubic

  • Guest
Re: |HELP| Cant delete rootkit or move to chest
« Reply #17 on: February 24, 2012, 07:07:11 PM »
Ok, about to do the Combofix thing now. What do I do about the 2 things that aswbr (whatever it's called) found?

jeffce

  • Guest
Re: |HELP| Cant delete rootkit or move to chest
« Reply #18 on: February 24, 2012, 07:08:49 PM »
Hi,

We will clear those out.  :)  Just post the ComboFix log when you get it. 

FireCubic

  • Guest
Re: |HELP| Cant delete rootkit or move to chest
« Reply #19 on: February 24, 2012, 07:26:16 PM »
Is it supposed to be deleting C:\users\owner\appdata\roaming\windows & C:\windows\install? Ok, now it's just sitting there at deleting the folders I mentioned earlier.
« Last Edit: February 24, 2012, 07:37:55 PM by FireCubic »

jeffce

  • Guest
Re: |HELP| Cant delete rootkit or move to chest
« Reply #20 on: February 24, 2012, 07:41:01 PM »
Just let it run.  :)

FireCubic

  • Guest
Re: |HELP| Cant delete rootkit or move to chest
« Reply #21 on: February 24, 2012, 08:15:58 PM »
Rebooting after like an hour :d Posting logs when it reboots (3 minutes or so).


And here is the log :)
« Last Edit: February 24, 2012, 08:40:20 PM by FireCubic »

jeffce

  • Guest
Re: |HELP| Cant delete rootkit or move to chest
« Reply #22 on: February 25, 2012, 01:51:15 AM »
Hi,

Seems like we have some files to look for...

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Right-click and Run as Administrator SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
Code:
:filefind
*sfcfiles.dll
*ipsec.sys
*psched.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

FireCubic

  • Guest
Re: |HELP| Cant delete rootkit or move to chest
« Reply #23 on: February 25, 2012, 04:03:11 AM »
Found nothing ;'(

jeffce

  • Guest
Re: |HELP| Cant delete rootkit or move to chest
« Reply #24 on: February 25, 2012, 07:38:06 PM »
Hi,

Do you have your Windows CD available or are you able to borrow one?  :)  We may need it later.

FireCubic

  • Guest
Re: |HELP| Cant delete rootkit or move to chest
« Reply #25 on: February 25, 2012, 07:40:20 PM »
Edit: found my recovery discs, and I do have a 32-bit copy, not the 64-bit one though ;*

Another edit: opened the Windows disk case, and it has a 32-bit copy AND 64-bit, so I'm ready for the next step ;)
« Last Edit: February 25, 2012, 08:22:20 PM by FireCubic »

jeffce

  • Guest
Re: |HELP| Cant delete rootkit or move to chest
« Reply #26 on: February 25, 2012, 09:12:43 PM »
Great!  I am glad that you found it.  :)

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

FireCubic

  • Guest
Re: |HELP| Cant delete rootkit or move to chest
« Reply #27 on: February 25, 2012, 10:13:31 PM »
    Farbar Service Scanner Version: 22-02-2012
    Ran by Owner (administrator) on 25-02-2012 at 16:12:35
    Running from "C:\Users\Owner\Downloads"
    Microsoft Windows 7 Home Premium  Service Pack 1 (X64)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Yahoo IP is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Action Center:
    ============

    Windows Update:
    ============

    File Check:
    ========
    C:\Windows\System32\nsisvc.dll => MD5 is legit
    C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\System32\dhcpcore.dll => MD5 is legit
    C:\Windows\System32\drivers\afd.sys => MD5 is legit
    C:\Windows\System32\drivers\tdx.sys => MD5 is legit
    C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\System32\dnsrslvr.dll => MD5 is legit
    C:\Windows\System32\mpssvc.dll => MD5 is legit
    C:\Windows\System32\bfe.dll => MD5 is legit
    C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\System32\SDRSVC.dll => MD5 is legit
    C:\Windows\System32\vssvc.exe => MD5 is legit
    C:\Windows\System32\wscsvc.dll => MD5 is legit
    C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\System32\wuaueng.dll => MD5 is legit
    C:\Windows\System32\qmgr.dll => MD5 is legit
    C:\Windows\System32\es.dll => MD5 is legit
    C:\Windows\System32\cryptsvc.dll => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll => MD5 is legit


    **** End of log ****

FireCubic

  • Guest
Re: |HELP| Cant delete rootkit or move to chest
« Reply #28 on: February 25, 2012, 10:36:32 PM »
Question: will the disc still work if it was used on another PC? (not 64-bit but 32-bit disk)

jeffce

  • Guest
Re: |HELP| Cant delete rootkit or move to chest
« Reply #29 on: February 26, 2012, 12:52:34 AM »
Hi FireCubic,

Let's check something out before we continue...

Please delete the current version of Combofix.exe from your desktop and download a new version from here to your desktop.

Disable your AntiVirus and AntiSpyware applications.

Right-click and Run as Administrator on the Combofix.exe and follow the prompts on your display. When finished, it will create a C:\Combofix.txt. Please post this log for further review.
---------