04-30-2011, 06:21 AM   #1
clorkergo (Senior Member, joined Nov 2005, 473 posts)

Please help with nasty virus (rootkit?)!!!!
It's the PC of my sister, and I don't know what she did, but the effect is this:

I can start the PC, and Windows starts to load. Then a black screen comes with something like "rootkit... blabla" and then the login screen of Windows shows up. I can log on and get to the desktop.

But all desktop icons are gone but the trash, and all folders and drive C: are gone. A few are still there, but they are all empty!

The data seems to be still there though, as the uninstall function in the control panel still shows all installed programs.

This really sucks. I can't do a reinstall until I can save her data. She has loads of work for her Uni courses on the drive and lots of personal stuff. Of course I didn't do a backup, girls don't do that I guess.

Anyway, PLEASE HELP! Do you have any idea what kind of virus/trojan/rootkit this could be, and how I could get rid of it without doing a format c:?


Edit:

This is the HiJackThis logfile:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 00:29:04, on 30.04.2011
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16982)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Users\Maxime\Desktop\Hijack\HiJackThis204.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin \IE\rpbrowserrecordplugin.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Real\RealPlayer\update\realsched.exe" -osboot
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O4 - Global Startup: Sweex WC060 series snapshot button monitor.lnk = ?
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: ICQ7.2 - {72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - C:\Program Files\ICQ7.2\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ7.2 - {72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - C:\Program Files\ICQ7.2\ICQ.exe
O9 - Extra button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2BF28851-67C9-4E2F-ACF1-725C3FC386D3}: NameServer = 192.168.0.1
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Dienst "Bonjour" (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 6121 bytes


04-30-2011, 06:32 AM   #2
ananciguinter (Senior Member, joined Oct 2005, 434 posts)

Your best bets are TDSSKiller by Kaspersky and/or ComboFix..

All her files are still there, I've seen this on a few computers.. Sounds like she got a nasty fake AV.. All her documents are going to be set as Hidden / Read only.. You'll just have to go show all files and folders and hidden system files, then right click on the folders and uncheck hidden / read only..

Do ComboFix / TDSSKiller in safe mode. Just be sure if TDSSKiller finds something to cure and not delete it.

Should solve your problems, good luck

If worst comes to worst and you have to reinstall.. Vista/7 have a nice feature that allows you to put all her documents in a windows.old folder.. Very handy..


04-30-2011, 06:45 AM   #3
amelveEnromma (Senior Member, joined Oct 2005, 448 posts)

Once you get rid of the root kit you need to use this command in cmd:

attrib -h -s -a -r fullpath to the directory\* /s /d

e.g. attrib -h -s -a -r C:\Users\Streifenkarl\* /s /d

That will un-hide everything in that folder and the folders inside of it. Which will allow you to back up, and reinstall. But if it's infected it'll probably rehide everything.
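The attrib command in the post above, as a scripted equivalent. This is an added example and not code from the thread: it reads each entry's Windows attribute word, clears the same four bits that `-h -s -a -r` clears, and reports what would change before writing anything (the post warns that an active infection re-hides everything, so a dry run first and a second pass after cleaning is the sensible order). The profile path is a placeholder taken from the post, and the attribute read/write calls are only reached on Windows.

```python
"""Clear the Hidden / System / Archive / Read-only bits on a whole profile tree,
the Python equivalent of  attrib -h -s -a -r <dir>\\* /s /d  from the post above.

Added example, not from the thread. The profile path used in __main__ is a
placeholder; the attribute read/write calls need Windows and are only reached
when sys.platform == "win32".
"""
import ctypes
import os
import sys

# Windows FILE_ATTRIBUTE_* bits (winnt.h) and the attrib switch each one maps to.
READONLY = 0x01   # attrib -r
HIDDEN = 0x02     # attrib -h
SYSTEM = 0x04     # attrib -s
DIRECTORY = 0x10  # preserved: SetFileAttributes cannot change it anyway
ARCHIVE = 0x20    # attrib -a
NORMAL = 0x80     # FILE_ATTRIBUTE_NORMAL, documented as the value to use alone
CLEAR_MASK = READONLY | HIDDEN | SYSTEM | ARCHIVE


def cleared_attributes(attrs: int) -> int:
    """Attribute word with the four attrib-clearable bits removed.

    Every other bit (DIRECTORY, REPARSE_POINT, COMPRESSED, ...) is kept, just as
    attrib leaves them alone. A plain file left with no bit at all is written as
    FILE_ATTRIBUTE_NORMAL, which is what Windows documents for that case.
    """
    remaining = attrs & ~CLEAR_MASK
    return remaining if remaining else NORMAL


def attrib_command(root: str) -> str:
    """The cmd.exe one-liner for the same tree, quoted so spaces in the path survive."""
    base = root.rstrip("\\")
    return f'attrib -h -s -a -r "{base}\\*" /s /d'


def _walk(root):
    """Yield root itself, then every directory and file below it (attrib /s /d)."""
    yield root
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            yield os.path.join(dirpath, name)


def unhide_tree(root: str, dry_run: bool = True):
    """Return (path, before, after) for every entry whose attributes would change.

    dry_run=True only reports, so the plan can be reviewed before anything is
    written. Run it again once the machine is clean: an active infection will
    simply re-hide the files.
    """
    if sys.platform != "win32":
        raise RuntimeError("st_file_attributes / SetFileAttributesW need Windows")
    changes = []
    for path in _walk(root):
        before = os.lstat(path).st_file_attributes
        after = cleared_attributes(before)
        if after != before:
            changes.append((path, before, after))
            if not dry_run and not ctypes.windll.kernel32.SetFileAttributesW(path, after):
                raise ctypes.WinError()
    return changes


if __name__ == "__main__":
    profile = r"C:\Users\Streifenkarl"  # placeholder from the post, adjust as needed
    print(attrib_command(profile))
    for path, before, after in unhide_tree(profile, dry_run=True):
        print(f"{path}: 0x{before:02x} -> 0x{after:02x}")
```

Run it once with `dry_run=True` to see the list of entries that were hidden (a quick way to spot which folders the fake AV touched), then with `dry_run=False` after the cleanup tools have run.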


04-30-2011, 07:19 AM   #4
clorkergo (Senior Member, joined Nov 2005, 473 posts)

Thanks for the replies.

I was able to "unhide" all the folders, just by enabling show hidden folders.

And anti-malware found something called fakeav, but it can't seem to kill it off, as all files are hidden again when I reboot.

But at least I found the precious files. Photos, uni work (doc and pdf), and mp3/video files shouldn't be infected, right?


04-30-2011, 07:28 AM   #5
ananciguinter (Senior Member, joined Oct 2005, 434 posts)

Your normal files shouldn't be infected, you just got a nasty Fakeav scam program.. All the hidden files and root kits are basically only there to prevent you from ridding yourself of it.. The root kit will cause redirects so you get infected again.

Did you run Malwarebytes? Great for getting rid of fake AVs, on occasion you'll get those pesky ones that it won't get rid of..

You'll have to manually delete.. Usually they like to hide in Local Settings, AppData, Roaming.. ATF Cleaner is great for getting rid of your temp internet files.. They also hide in there for re-infections.

Be sure to update Java.. From what I've been reading, they're using old versions of Java exploits..
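A small triage helper for the kind of HijackThis log posted in #1, written around the hiding places this reply names (Local Settings, AppData, Roaming, temp files) and the DNS-redirect point. This is an added example, not a tool from the thread or from HijackThis: it parses the O2/O4/O23 entries, extracts the program each one launches, flags the ones that start from a user-writable profile directory, and flags O17 name servers that are not LAN addresses. The sample log mixes lines copied from the posted log with one constructed entry, marked as such; the flags are hints for a human to check, not a verdict.

```python
"""Triage helper for a HijackThis log: pull the executable out of each
autostart-type entry (O2 BHO, O4 Run, O23 Service), flag the ones that start
from user-writable profile directories (AppData, Local Settings, Roaming, Temp)
and flag O17 name servers that are not LAN addresses.

Added example, not part of the thread. SAMPLE_LOG mixes lines copied from the
posted log with one CONSTRUCTED entry marked below.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Profile locations that post #5 names as the usual hiding spots (lower-case).
USER_WRITABLE = ("\\appdata\\", "\\local settings\\", "\\roaming\\", "\\temp\\",
                 "\\temporary internet files\\")

ENTRY = re.compile(r"^(O\d+|R\d) - (.*)$")
# First program/library on a command line, quoted or not, stopping at the first
# known extension so "rundll32.exe foo.dll,Entry" yields rundll32.exe.
EXE = re.compile(r'^\s*"?([^"]+?\.(?:exe|dll|cpl|scr|com|bat|cmd|vbs|js))"?(?=$|["\s])', re.I)
RUN = re.compile(r".*?: \[(.*?)\] (.*)$")   # O4 - HKLM\..\Run: [Name] command line


@dataclass
class Finding:
    kind: str                 # HijackThis section, e.g. "O4"
    name: str                 # entry name, service name or "NameServer"
    path: Optional[str]       # extracted program path, or the name-server list
    flags: List[str] = field(default_factory=list)


def _extract_path(command_line: str) -> Optional[str]:
    m = EXE.match(command_line)
    return m.group(1) if m else None


def parse_entry(line: str) -> Optional[Finding]:
    """Parse one log line; None for sections this helper does not look at."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    kind, body = m.groups()
    if kind == "O4":
        r = RUN.match(body)
        return Finding(kind, r.group(1), _extract_path(r.group(2))) if r else None
    if kind in ("O2", "O23"):              # ...: Name - {CLSID}|Vendor - path
        parts = body.split(": ", 1)[1].split(" - ")
        return Finding(kind, parts[0], _extract_path(parts[-1]))
    if kind == "O17":                      # ...: NameServer = a.b.c.d[,e.f.g.h]
        r = re.search(r"NameServer = (.*)$", body)
        return Finding(kind, "NameServer", r.group(1).strip()) if r else None
    return None


def flag(f: Finding) -> Finding:
    """Attach triage flags in place and return the finding."""
    if f.path is None:
        return f
    if f.kind == "O17":
        for ns in f.path.replace(",", " ").split():
            try:
                if not ipaddress.ip_address(ns).is_private:
                    f.flags.append(f"name server {ns} is not a LAN address; compare with the router")
            except ValueError:
                f.flags.append(f"unparseable name server {ns!r}")
    elif any(frag in f.path.lower() for frag in USER_WRITABLE):
        f.flags.append("starts from a user-writable profile directory")
    return f


def triage(log_text: str) -> List[Finding]:
    return [flag(f) for f in map(parse_entry, log_text.splitlines()) if f]


def suspicious(log_text: str) -> List[Finding]:
    return [f for f in triage(log_text) if f.flags]


SAMPLE_LOG = "\n".join([
    # copied from the log posted in #1
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide",
    r'O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW',
    r"O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')",
    r"O4 - Global Startup: Sweex WC060 series snapshot button monitor.lnk = ?",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{2BF28851-67C9-4E2F-ACF1-725C3FC386D3}: NameServer = 192.168.0.1",
    r"O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe",
    # CONSTRUCTED entry (not in the thread's log) of the kind post #5 describes
    r"O4 - HKCU\..\Run: [Updater] C:\Users\Maxime\AppData\Roaming\Updater\updater.exe",
])

if __name__ == "__main__":
    for f in suspicious(SAMPLE_LOG):
        print(f"{f.kind} [{f.name}] {f.path}: {'; '.join(f.flags)}")
```

On the log actually posted in #1 every Run, BHO and Service entry starts from Program Files, Windows or ProgramData and the O17 name server is the router at 192.168.0.1, so nothing is flagged; that matches the poster's later finding that the fake AV was caught by Malwarebytes rather than showing up as an obvious autostart line, and is a reminder that a clean HijackThis log does not mean a clean machine.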


