
Solve : Rootkit removal please help I feel like tearing my hair out?


Done that and it found no rootkits. I didn't think it would.

We can do another scan to be sure. It will take a while but should put your mind at ease.

Run the F-Secure Online Scanner for Viruses, Spyware and RootKits.

Note: This Scanner is for Internet EXPLORER Only!

  • Click on Online Services and then Online Scanner
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy and paste the entire report in your next reply.

Scanning Report
Friday, February 20, 2009 23:28:25 - 01:04:35

Computer name: MR-F7ADB6866673
Scanning type: Scan system for malware, rootkits
Target: C:\ F:\
Result: 3 malware found
TrackingCookie.2o7 (spyware)

    * System

TrackingCookie.Doubleclick (spyware)

    * System

TrackingCookie.Webtrends (spyware)

    * System

Statistics
Scanned:

    * Files: 29726
    * System: 2849
    * Not scanned: 7

Actions:

    * Disinfected: 0
    * Renamed: 0
    * Deleted: 0
    * None: 3
    * Submitted: 0

Files not scanned:

    * C:\PAGEFILE.SYS
    * C:\WINDOWS\SYSTEM32\DRIVERS\SPTD.SYS
    * C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
    * C:\WINDOWS\SYSTEM32\CONFIG\SAM
    * C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
    * C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
    * C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

Options
Scanning engines:

    * F-Secure USS: 3.0.0
    * F-Secure Hydra: 3.6.8511, 2009-02-20
    * F-Secure AVP: 7.0.171, 2009-02-20
    * F-Secure Pegasus: 1.20.0, 1970-00-01
    * F-Secure Blacklight: 0.0.0

Scanning options:

    * Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
    * Use Advanced heuristics

All that was found is cookies.

Quote
TrackingCookie.2o7 (spyware)

TrackingCookie.Doubleclick (spyware)

TrackingCookie.Webtrends (spyware)

I never did put much faith in the AVG Antirootkit scanner. I think it's safe to say I was right. The AVG is still finding "C:\WINDOWS\System32\Drivers\azrbl4oh.SYS";"Hidden driver";"Object is hidden"

If I still get BSOD do you think I should format the drive?

I knew it was a problem with the drivers and I blamed the printer at first. One of the 1st blue screens said it was a driver problem and SOMETHING to do with the kernel stack. I have uninstalled just about everything and the problem persists so it can't be any legitimate drivers.

There aren't many unknown rootkits out there and whatever AVG is hitting on I think is not a rootkit but a system file it sees as malicious. A false positive.

Although I could be totally wrong so you might want to ask in the AVG Anti-Rootkit forum why it's doing this.

Ok many thanks for all your help. You've been brilliant.

Thank you

  • Click START then RUN
  • Now type Combofix /u in the runbox
  • Make sure there's a space between Combofix and /u
  • Then hit Enter.

The above procedure will:
  • Delete:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Set a new, clean Restore Point.

    ----------

    1. Double click OTMoveIt3.exe to launch it.
    Vista users right click and choose Run As Administrator
    2. Click on the CleanUp! button.
    3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
    4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
    5. Once complete exit out of OTMoveIt3

    ----------

    Use the Secunia Software Inspector to check for out of date software.
    • Click Start Now
    • Check the box next to Enable thorough system inspection.
    • Click Start
    • Allow the scan to finish and scroll down to see if any updates are needed.
    • Update anything listed.
    ----------

    Go to Microsoft Windows Update and get all critical updates.

    ---------

    I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

    SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
    * Using SpywareBlaster to protect your computer from Spyware and Malware
    * If you don't know what ActiveX controls are, see here

    Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

    Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

    It's still all messed up. Another anti virus keeps coming up with sptd.exe as a problem and also OSA09.sys. Anyway looks like I am going to have to format after all. I have a problem though I would like to backup my drivers but as this is seemingly where the problem lies I will not be able to do this. Will I be able to find the drivers easily enough after formatting?

    Quote
    Another anti virus keeps coming up with sptd.exe as a problem

    What is another antivirus?

    Do you have virtual drives or daemon tools installed?

    Yes and unfortunately I cannot delete it because I deleted all those files before. So its kind of stuck on the system

    It's not malware, it's a Daemon Tools file.

    Download  FindFile by Atribune

    1. Extract the contents to your Desktop
    2. Double click on FileFind.exe to open the program.
    3. In the File: box enter sptd.exe
    4. Click on the Search button.
    5. Wait. If any files are found, a list of file locations will APPEAR in the List of Files: box.
    6. Click on the Export button.
    7. This will open a Notepad file named Export.txt. Copy and paste it to your next post please.

    There will also be a copy of the Export.txt saved in C:\Export.txt

    Also repeat the above steps for OSA09.sys
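    The thread's question of whether a flagged driver is a false positive comes down to a few facts about the file: where it sits, whether it is marked hidden/system, whether it carries a valid Authenticode signature and what its hash is. The script below is an added example, not part of the thread and not the FindFile tool; it searches for the names posted above, assumes PowerShell 4.0 or later and an elevated prompt, and writes its findings to the same C:\Export.txt location FindFile uses.

```powershell
# Added example (not from the thread): locate the files the scanners flagged and
# gather what is needed to judge a false positive: path, hidden/system attributes,
# Authenticode signature status and SHA-256 hash.
# Assumes PowerShell 4.0+ (Get-FileHash) and an elevated prompt.
$names  = @('sptd.exe', 'sptd.sys', 'OSA09.sys')   # names as posted in the thread
$roots  = @('C:\', 'F:\')                          # drives the F-Secure scan targeted
$report = 'C:\Export.txt'                          # same destination FindFile writes to

$results = foreach ($root in $roots) {
    foreach ($name in $names) {
        Get-ChildItem -Path $root -Filter $name -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            # A file in use by a loaded driver may refuse to be read; record that rather than stop.
            try   { $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash }
            catch { $hash = 'UNREADABLE' }
            [pscustomobject]@{
                Path      = $_.FullName
                SizeBytes = $_.Length
                Hidden    = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                System    = [bool]($_.Attributes -band [IO.FileAttributes]::System)
                SigStatus = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                SHA256    = $hash
            }
        }
    }
}

# A flagged name that cannot be found on disk is itself worth reporting:
# either the alert is stale or something is keeping the file out of directory listings.
$missing = $names | Where-Object {
    $n = $_
    -not ($results | Where-Object { $_.Path -like "*\$n" })
}

$results | Format-Table -AutoSize | Out-String -Width 300 | Set-Content -Path $report
if ($missing) { "Not found on disk: $($missing -join ', ')" | Add-Content -Path $report }
Get-Content -Path $report
```

    A file with a Valid signature from the vendor you expect (for sptd.sys, the Daemon Tools/SPTD publisher) supports the false-positive reading; NotSigned or HashMismatch on a file in System32\Drivers deserves a closer look.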

