Author Topic: [SOLVED] VIRUS/Rootkit => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com  (Read 34041 times)


thekochs

  • Guest
No joy in Mudville.......still pops up.  :'(

Attached is fixed/custom scan log and after reboot scan.

jeffce

  • Guest
Hi,

Let's try something a little bit different...

Are you able to download the Smart HDD program again if we removed it?  If so, please uninstall the program and see if you are still receiving the popups.  :)

thekochs

  • Guest
Quote from: jeffce
Hi,

Let's try something a little bit different...

Are you able to download the Smart HDD program again if we removed it?  If so, please uninstall the program and see if you are still receiving the popups.  :)

You mean DriveSitter ? 
http://www.otwesten.de/drivesitter/index.htm
Sure.....I can uninstall it no problem.
I have the installer and license key to re-install if needed.
Plus,  I have RollBack RX so I can easily roll back the system to point prior to uninstall.
FYI, I have five other PCs......two XP SP3, three W7 64bit, that use this program now....no pop-up.

Also, should I also go ahead and try to uninstall IE8, clean the PC, then re-install IE8 ?
I should probably use CCleaner (I use it a lot) to clean the registry, delete the C:\Program Files IE directory, etc.
I can download the installer beforehand, but the only red flag there is that it is only a 16MB exe file.
If I have no browser, is this the full installer, or will I be stuck because this EXE is expecting an existing IE install to "upgrade" or use for web access ?
http://windows.microsoft.com/en-US/internet-explorer/downloads/ie-8

jeffce

  • Guest
Hi,

Yeah go ahead and remove it for now and let's just see what happens.  Don't worry about removing IE8 though.  :)

As for CCleaner...DO NOT use it as a registry cleaner and I don't recommend any software as a registry cleaner.  More often than not they cause much more harm than they are worth.  Sometimes they can even ruin the registry.  :)

thekochs

  • Guest
Quote from: jeffce
Yeah go ahead and remove it for now and let's just see what happens.

I did the uninstall and what is weird is on reboot I got the attached Windows error message on DriveSitter on screen at boot..
Also still getting the threat popups.
Something weird going on with this....ideas ?...perhaps some way to remove this now in OTL custom ?
I ran a generic OTL scan and attached.
« Last Edit: April 13, 2012, 06:01:56 PM by thekochs »

jeffce

  • Guest
Hi,

Could you attach a screen shot of the Avast warning that you are receiving please?  :)

thekochs

  • Guest
Quote from: jeffce
Hi, Could you attach a screen shot of the Avast warning that you are receiving please?  :)

See attached.

Wondering if DriveSitter is really un-installed but the "virus/malware" is still there hiding as DriveSitter and hence the Windows message ?
Any way to use OTL to blow away the rest of DriveSitter (or what is representing itself as DriveSitter) for good and see ?

jeffce

  • Guest
Hi,

Sorry for my delay.  I have been speaking with a colleague about your logs.  Let's try this...

You have both IE7 and IE8 on your system still.  Completely uninstall IE8 then check to see if the problem still occurs with Internet Explorer 7.  :)

thekochs

  • Guest
Quote from: jeffce
Hi,

Sorry for my delay.  I have been speaking with a colleague about your logs.  Let's try this...

You have both IE7 and IE8 on your system still.  Completely uninstall IE8 then check to see if the problem still occurs with Internet Explorer 7.  :)

Will do on Monday......not at home this weekend.

Also, how do I get rid of the remnants of DriveSitter ?
Is there a custom script in OTL you can provide that will remove whatever is giving me the Windows error ?

Thx.

jeffce

  • Guest
Hi,

Let's remove what we can see of DriveSitter with OTL.

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

Code:
:Services

:OTL
O4 - HKLM..\Run: [DriveSitter Pro] C:\Program Files\DriveSitter\DriveSitter.exe (Oliver Marr)

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
----------

Download Revo Uninstaller
  • Double click the installation file on the desktop to run the installer.
  • Let it install to the default location.
  • Double click the new Revo Uninstaller Icon on the desktop to start the program.
You will now see a list of installed programs that Revo Uninstaller can remove.
  • Locate the program you are uninstalling <DriveSitter Pro>
  • Right Click the Icon then choose Uninstall.
  • Click yes to the warning and choose the Uninstall Mode
  • Choose the Advanced option and then click Next.
  • This will launch the program's built-in uninstaller. Be patient, it can take several seconds.
  • Once the uninstaller is done click Next.
  • Revo Uninstaller will now scan for leftover information. Be patient it can take several seconds.
  • Once this scan is done click Next.
  • You will then be presented with the leftover entries found by Revo Uninstaller
  • Look at ALL of the entries to ensure they relate to the uninstall.
  • Next click Select All > Delete to remove the entries.
  • Click Next.
  • If there are any program file folders left over you will be presented with a list to be removed.
  • Again look at ALL of the entries to ensure they are related to the uninstall.
  • Click Select All > Delete to remove the entries.
  • Click Finish to go back to the uninstall list.
  • Close the program
----------

In your next reply please attach the new OTL log and let me know if after uninstalling Internet Explorer 8 if the pop-ups still occur.  :)
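As an added illustration (not part of jeffce's instructions and not code from the OTL tool), the script below parses OTL-style O4 autostart lines like the one in the fix above, flags entries whose target executable no longer exists on disk (the situation that produced the DriveSitter error at boot after the uninstall), flags entries launched from a Temp folder or with no publisher, and rebuilds the line in the form an OTL custom fix expects. The sample log lines and the list of files assumed present are constructed for the example.

```python
import re
from typing import List, NamedTuple

# Constructed sample of OTL "O4" autostart lines, modelled on the one in the fix above.
# Only the DriveSitter line comes from the thread; the other two are made up.
SAMPLE_O4_LINES = """\
O4 - HKLM..\\Run: [DriveSitter Pro] C:\\Program Files\\DriveSitter\\DriveSitter.exe (Oliver Marr)
O4 - HKLM..\\Run: [avast] C:\\Program Files\\AVAST Software\\Avast\\avastUI.exe (AVAST Software)
O4 - HKCU..\\Run: [Updater] C:\\Documents and Settings\\user\\Local Settings\\Temp\\upd.exe ()
"""

# Constructed list of executables assumed to still exist after the uninstall.
PRESENT_FILES = [
    r"C:\Program Files\AVAST Software\Avast\avastUI.exe",
    r"C:\Documents and Settings\user\Local Settings\Temp\upd.exe",
]

# hive..\key: [name] path (publisher) -- publisher may be empty
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] "
    r"(?P<path>.+?)(?: \((?P<publisher>[^)]*)\))?$"
)

class AutostartEntry(NamedTuple):
    hive: str
    key: str
    name: str
    path: str
    publisher: str

def parse_o4_lines(text: str) -> List[AutostartEntry]:
    """Parse every O4 line in an OTL log fragment; unrecognised lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(AutostartEntry(m["hive"], m["key"], m["name"],
                                          m["path"], m["publisher"] or ""))
    return entries

def find_orphaned(entries, present_files) -> List[AutostartEntry]:
    """Entries whose target is missing (case-insensitive, as NTFS paths are)."""
    present = {p.lower() for p in present_files}
    return [e for e in entries if e.path.lower() not in present]

def find_suspicious(entries) -> List[AutostartEntry]:
    """Entries run from a Temp folder or without a publisher deserve a closer look."""
    return [e for e in entries if "\\temp\\" in e.path.lower() or not e.publisher]

def otl_fix_line(entry: AutostartEntry) -> str:
    """Render the entry in the form used under :OTL in a custom fix."""
    return f"O4 - {entry.hive}..\\{entry.key}: [{entry.name}] {entry.path} ({entry.publisher})"
```

Run against a real OTL log, the orphaned list is what you would copy under :OTL, after checking each entry by hand as the Revo steps above also advise.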

thekochs

  • Guest
OK......I did the custom OTL scan/fix and attached is log.
After reboot I did not get the DriveSitter Windows error popup.
I then did regular OTL scan....attached is log.

I then downloaded, installed and tried REVO.....but guess DriveSitter was really gone.....it found nothing to uninstall.

I then opened IE8 and bang.....got the old threat popup. :(

I then went into ADD/REMOVE and first uninstalled a zillion IE8 updates.
I then uninstalled IE8.
I am now running IE7 and NO threat popups !!!!!.....so far:-\

I'm going to wait a day or two with IE7 to see if this is just a fluke or not.....recall that this "virus" did go away awhile back for day or so.
Assuming it is solid with no issues for 3+ days......should I install IE8 again ?...I downloaded the install from MS for XP.

Regards.



jeffce

  • Guest
Hi,

Yeah let it run for a couple of days or until a popup happens again (hopefully it won't) and then let me know how things are going.  You could probably install IE8 again and not have any problems.  If I miss a response please be sure to PM me.  :)

thekochs

  • Guest
Quote from: jeffce
Hi,

Yeah let it run for a couple of days or until a popup happens again (hopefully it won't) and then let me know how things are going.  You could probably install IE8 again and not have any problems.  If I miss a response please be sure to PM me.  :)

OK....PC/IE7 has run all last week and no popups........ :)
I'll let it run thru Monday and in afternoon I'll install IE8 again.
I will use CCleaner for any items, but for IE8 in Windows XP are there any folders or things I should delete out manually prior to install ?
I guess my fear is even though I'm installing new IE8 there is old DLL or something hanging around that is re-used.
With RollBackRX I can set a restore point prior to this so I can easily/quickly roll back prior to the effort.
« Last Edit: April 22, 2012, 02:47:04 AM by thekochs »

jeffce

  • Guest
Hi,

Glad that your system is running well. 

When you download IE8 just go ahead and install it.  I don't think that there will be any problems and there is nothing you need to remove prior.  Like you said though...set a restore point just in case.  :)

thekochs

  • Guest
Quote from: jeffce
Hi,

Glad that your system is running well.

When you download IE8 just go ahead and install it.  I don't think that there will be any problems and there is nothing you need to remove prior.  Like you said though...set a restore point just in case.  :)

Well......I thought this would be a no-brainer.......installed IE8....it even ran a scan of its own on install for malicious software.
Re-boot.....open IE8.....bang.....same old Threat Detected popup.  :(
So, I rolled back the machine to IE7 and I'm done trying.
Somehow this thing is embedded in IE8 and even an uninstall/re-install (I CCleaned directories, registry, etc.) does not work.
Is there something you think I should have tried on IE8 install ?
If not....I'm done.