ADubois Posted April 24, 2009

Hello there, I’m hoping some of you may be able to help me out. On my laptop (Dell, win XP pro) I use Firefox and avast free edition. I noticed the night before last that when I go on the internet which is mostly what I use the laptop for. While browsing with firefox I’d get a window pop up saying internet explorer but it would have the firefox icon on it but the popup would be blank. I could close it but it would popup again a few minutes later. It was getting too late to mess with so I shut down.

Last night on boot up avast popped up saying “malware rootkit” and it had an address to the location but I didn’t write it down. Avast gave the option to delete it or send it to the chest, it recommended sending it to the chest so I tried to send it to the chest. After a couple attempts avast popped up with a screen saying it wasn’t safe to uninstall the bug with windows and it recommended letting avast reboot and run the scan before windows booted. So I did and it came up with the rootkit bug and options on what to do. I chose send it to the chest as that’s what it suggested when it first found the bug. It completed the scan and everything seemed to be ok.

Now on boot up windows pops up with a box saying: “Error loading C:\WINDOWS\system32\gizisuyo.dll The spicific module could not be found.” I do know that the C:\WINDOWS\system32\gizisuyo.dll was part of the address that was shown with the rootkit warning. I closed the box and went online using firefox and I still get the internet explorer box popup every couple minutes with the firefox icon on it and just a blank page.

When I try and shut down the laptop I get the closing program box popping up saying: “rundll32.exe” not responding. If I let it go through the few seconds it takes to try and end the program it pops up saying program not responding so I just click “end now”.

I can’t find the Avast chest that this was supposed to be sent to. To try and put back the missing file and approach it another way. I’m not sure what the best approach to this is at this point, any help would be greatly appreciated.

Alan

mme Posted April 24, 2009

try this online scanner
http://housecall.trendmicro.com/

trends rootkit scanner
http://www.trendmicro.com/download/rbuster.asp

malwarebytes is a good scanner, update the program and do a full scan
http://filehippo.com/download_malwarebytes_anti_malware/

ADubois (Author) Posted April 24, 2009

I'm at work now, I'll try those scanners tonight.

Thank you
Alan

mme Posted April 24, 2009

Let us know how it goes with the scans

ADubois (Author) Posted April 26, 2009

Well it took a combination of scans but it looks like everything is all clean now. First I ran house call. It eliminated a couple trojans but there was one it said it couldn't remove. Then I ran the rootkit program but it said it didn't find anything. I downloaded malware bytes. It removed several things but every time I rebooted there was a rootkit warning from avast. So I ran avast two more times and now when I reboot nothing pops up. So I think it's ok now.

Thank you for the help.
Alan

mme Posted April 26, 2009

glad things are ok but run your antivirus periodically

here's another one to run
http://www.freedrweb.com/

ADubois (Author) Posted April 27, 2009

I ran the DR Web and it came up with more Trojans and bugs. It said it successfully cured them. I thought all was well, the other scans were coming up clean.

Before I ran the DR Web I was googling "static electricity" and when I clicked on one of the results something popped up saying my computer was infected and tried to start running a scan. A screen popped up, it had two options, run scan or cancel. I clicked cancel and boom it started running a scan anyway. I got it stopped. I don't know if that did something or if there was something on my computer that brought it on.

We'll just keep checking. Hopefully that's the end of it and there isn't something buried in there that comes up on boot starting a cluster of bugs whenever it wants.

Thank you
Alan

Wademan Posted April 27, 2009

Hello ADubois,

I would like for you to run one more scan, it could be you have a variant of a vundo infection. The newer variants are very hard for most AV scanners to remove, this one should be able to do so. There are some newer Vundo variants that contain rootkits and it takes special tools to remove and clean the infected PC.

Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

- Tick the box next to YES, I accept the Terms of Use.
- Click Start
- When asked, allow the ActiveX control to install
- Click Start
- Make sure that the options Remove found threats and the option Scan unwanted applications is checked
- Click Scan
- Wait for the scan to finish
- Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
- Copy and paste that log as a reply to this topic

Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

Let's see what eset finds.

Wademan

ADubois (Author) Posted April 27, 2009

I can't get it to run a scan. I've gone so far as to turn off all my security settings for active x. Now my laptop says my computer is at risk. When asked if I want to run the active x I click yes and the dialog box goes off but nothing else happens. Maybe it's a security setting I've got but I'm not sure what to do next. I've tried making it a trusted site and that isn't helping me get past the active x dialog box, still once I allow it the dialog box goes away but nothing else happens, just a white screen.

Alan

Edited April 28, 2009 by ADubois

mme Posted April 28, 2009

check your add-ons in your internet options, under program tab, manage add-ons, see if they are enabled. if they are then click on security tab, restricted sites, reset all to default, click apply and ok to close. you can do the same for all your sites but the annoying thing about it is you get a warning or lil pop-up letting you know about unsecure or secure site

have you tried running malwarebytes again, and try kaspersky
http://www.kaspersky.com/virusscanner

ADubois (Author) Posted April 28, 2009

mme...

I tried what you suggested and I can't get eset to run. When I went to kaspersky online scanner it said it wouldn't remove any malware and that I'd have to download the free trial version. When I downloaded and started to install it said I'd have to remove avast. So I went ahead and ran malwarebytes again, it came up clean. I'm not sure if kaspersky's trial version is a strong enough tool that I need to remove avast, run kaspersky, then reinstall avast.

One of the bugs that house call found and couldn't uninstall was TROJ_VUNDO.HGO but after running malwarebytes the first time and then rerunning avast it seemed like it was removed. I don't remember and I didn't write down what it was that DR Web found that it said it cured. I'll try house call again and see if it shows anymore.

Alan

Wademan Posted April 28, 2009

> I can't get it to run a scan. I've gone so far as to turn off all my security settings for active x. Now my laptop says my computer is at risk. When asked if I want to run the active x I click yes and the dialog box goes off but nothing else happens. Maybe it's a security setting I've got but I'm not sure what to do next. I've tried making it a trusted site and that isn't helping me get past the active x dialog box, still once I allow it the dialog box goes away but nothing else happens, just a white screen.
>
> Alan

Ok..Are you using INTERNET EXPLORER? This has to be done using IE.

Now, Select Tools at the top of IE then, Internet properties, then select Advanced, and finally select restore advanced settings ( box lower right ). Now, using that IE window try and run Eset. All you need to do for the active X is, when prompted, simply select "allow active x to be installed", no other changes need to be made..Eset should run then. Make sure you do exactly as I suggested above. Also be sure and run Eset as I advised above and paste results. If it still don't work, don't worry about it, we will try another idea.

Kaspersky online scanner will Not remove threats, it will just list them. It is useful when we use HJT as a diagnostic tool only. Also like Mme said you did remove Avast completely before installing Kaspersky? You can Not have 2 AV scanners running at once. I use kaspersky myself, but no AV can remove every single virus/malware there is. Did you run kaspersky after updating it first then do a Full scan? If so what was found?

How is pc running?

Also be careful when using Google and clicking links. You need to get this free tool if you don't already have it, it will protect you from most Rogue/bad Google links for free. Here> http://www.javacoolsoftware.com/spywareblaster.html

Once downloaded, update it, and then make sure "enable all protection" is done near the bottom on the Protection status screen. This will prevent over 13,000+ bad sites from infecting you. It uses no resources either, so this will not slow down your pc.

Try all of the above and post back as advised above.

Wademan

ADubois (Author) Posted April 28, 2009

> Ok..Are you using INTERNET EXPLORER? This has to be done using IE.
>
> Now, Select Tools at the top of IE then, Internet properties, then select Advanced, and finally select restore advanced settings ( box lower right ). Now, using that IE window try and run Eset. All you need to do for the active X is, when prompted, simply select "allow active x to be installed", no other changes need to be made..Eset should run then. Make sure you do exactly as I suggested above. Also be sure and run Eset as I advised above and paste results. If it still don't work, don't worry about it, we will try another idea.
>
> How is pc running?
>
> Also be careful when using Google and clicking links. You need to get this free tool if you don't already have it, it will protect you from most Rogue/bad Google links for free. Here> http://www.javacoolsoftware.com/spywareblaster.html
>
> Once downloaded, update it, and then make sure "enable all protection" is done near the bottom on the Protection status screen. This will prevent over 13,000+ bad sites from infecting you. It uses no resources either, so this will not slow down your pc.
>
> Try all of the above and post back as advised above.
>
> Wademan

I may have not printed it clearly but I didn't install Kaspersky as I wasn't sure if it would remove the same thing that eset is supposed to. I did shut off avast but Kaspersky said avast would have to be removed before installing Kaspersky.

Running DR Web came up clean, avast comes up clean, malwarebytes came up clean, super antispyware came up clean, A2 came up clean, house call came up clean. But as I said above I did see the TROJ_VUNDO.HGO show up on house call because I wrote it down.

I would like to get Eset to run, I'm just having a time doing it. I set the properties just as stated above. When I go to Eset and accept the terms of use, I get a dialog box saying "The publisher could not be verified. Are you sure you want to install this software?" I click on "Install" and nothing happens. I've gone to tools and manage add-on to make sure all the active x add-ons are enabled and they are. I don't see anything that says eset.

My laptop does seem to be working fine. I've not had any of the issues I was having. I'd just like to make sure it's clean.

Alan

Edited April 28, 2009 by ADubois

mme Posted April 28, 2009

here's a manual way of checking to see if the trojan is still in registry
http://threatinfo.trendmicro.com/vinfo/vir...GO&VSect=Sn

you can delete those entries. be sure to follow the registry key carefully before you delete them. if you're unsure leave it, and a hijack expert can help in this situation

Edited April 28, 2009 by mme

ADubois (Author) Posted April 28, 2009

I just read on the link to trend micro where it said to disable system restore before a full scan. I had not done that on the previous scans. Should I go back and scan with these different programs?

mme Posted April 28, 2009

there is a good chance that restore points have been infected. turning system restore off will clean restore points. the drawback is you won't have any restore points, however you can turn it back on and new restore points will be created. so turning it off is good in this situation, but after you restart your computer turn system restore back on. once those restore points are gone the change is irreversible; only new ones will be created, with downloads and installs, not to mention system point check

ADubois (Author) Posted April 28, 2009

> there is a good chance that restore points have been infected. turning system restore off will clean restore points. the drawback is you won't have any restore points, however you can turn it back on and new restore points will be created. so turning it off is good in this situation, but after you restart your computer turn system restore back on. once those restore points are gone the change is irreversible; only new ones will be created, with downloads and installs, not to mention system point check

I'll shut down system restore.

I went into the regedit and just looked, didn't change anything at this point. In reference to the steps outlined in the link to trendmicro, in steps 1 & 2 I didn't find any of the entries it wanted me to delete. In steps 3 & 4 I found the entries but they weren't quite the same as on trend so I'm not sure if I should edit it or not.

An example is: Step 3, go down the tree they described and locate AppInit_DLLs = "%System%\womovire.dll". Well when I went down the tree what I found was AppInit_DLLS = C:\WINDOWS\system 32\nepivoyi.dll so my confusion was the "womovire.dll vs nepivoyi.dll", and step 4 was similar, almost the same values but not quite.

I'm wondering if I should shut off system restore, rescan and do a hijack? I don't really want to mess up the registry. I feel confident in editing it if I'm sure I've got the right values.
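
Added example, not part of the original thread: because the DLL name on this machine differed from the one in the Trend Micro write-up, a check keyed on the registry location is more useful than one keyed on the file name. This Python code parses `reg query` output and reports every DLL listed in AppInit_DLLs and every rundll32 target in a Run key, with whether the file still exists. The sample output, the Run value names, the assumption that the boot-time "Error loading" dialog comes from a Run entry, and the `exists` callback are constructed for illustration.

```python
import os
import re

# Constructed sample of `reg query` output. The two DLL names are the ones
# quoted in the thread; the Run value names and ExampleTray are made up.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs    REG_SZ    C:\WINDOWS\system32\nepivoyi.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ExampleTray    REG_SZ    C:\Program Files\Example\tray.exe
    a1b2c3    REG_SZ    Rundll32.exe "C:\WINDOWS\system32\gizisuyo.dll",s
"""

VALUE_LINE = re.compile(r"^\s+(?P<name>\S.*?)\s+(?P<type>REG_\w+)\s*(?P<data>.*)$")
DLL_PATH = re.compile(r'[A-Za-z]:\\[^",]*?\.dll', re.IGNORECASE)


def parse_reg_query(text):
    """Yield (key, value_name, data) for each value line in `reg query` output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            yield key, m["name"], m["data"].strip()


def audit(text, exists=os.path.exists):
    """Return (kind, dll_path, file_present) for each auto-loaded DLL found."""
    findings = []
    for key, name, data in parse_reg_query(text):
        if name.lower() == "appinit_dlls":
            # The value holds a space- or comma-separated list of DLLs.
            for dll in filter(None, re.split(r"[ ,]+", data)):
                findings.append(("appinit", dll, exists(dll)))
        elif key.lower().endswith(r"\currentversion\run") and "rundll32" in data.lower():
            for dll in DLL_PATH.findall(data):
                findings.append(("run-rundll32", dll, exists(dll)))
    return findings


def describe(finding):
    kind, dll, present = finding
    if kind == "appinit":
        return (f"{dll}: loaded into every process that loads user32.dll; "
                "review it, the value is empty on a default install")
    state = "present" if present else "missing on disk (orphaned entry)"
    return f"{dll}: started through rundll32 at logon, file {state}"


if __name__ == "__main__":
    for item in audit(SAMPLE):
        print(describe(item))
```

A Run entry whose DLL is missing is only a leftover, while any AppInit_DLLs entry that is still on disk is the one to hand to the malware-removal helper.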

mme Posted April 28, 2009

yes you're right, a hijackthis would be your next approach to this, but this is a trojan/malware
http://www.prevx.com/filenames/X4650569630...PIVOYI.DLL.html

get malware expert to remove it

GOOD LUCK
EDWARD

Edited April 28, 2009 by mme

ADubois (Author) Posted April 28, 2009

> yes you're right, a hijackthis would be your next approach to this, but this is a trojan/malware
> http://www.prevx.com/filenames/X4650569630...PIVOYI.DLL.html
>
> get malware expert to remove it
>
> GOOD LUCK
> EDWARD

Ok

Thank you for your help
Alan

Wademan Posted April 29, 2009

Hello ADubois,

At this point I agree you need HJT

So :

- Download HJT from Here
- You can read what HJT is and does Here
- Save HJTInstall.exe to your desktop.
- Double-click on HJTInstall.exe to run the program.
- By default it will install to C:\Program Files\Trend Micro\HijackThis.
- Accept the license agreement by clicking the "I Accept" button.
- Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
- Click "Save log" to save the log file and then the log will open in Notepad.
- Click on "Edit -> Select All" then click on "Edit -> Copy" to copy the entire contents of the log.
- Next, Go to this forum Here to start a new thread, right click and Paste your log there.

DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

After you post the log and are getting help from our TrustedAdvisors do nothing else to your pc until they have completed the clean up process. Please be patient once you post the log in our HJT forums as they are very busy, they will take your case ASAP. We Will get you fixed.

Wademan

ADubois (Author) Posted April 29, 2009

> Hello ADubois,
>
> At this point I agree you need HJT
>
> So :
>
> - Download HJT from Here
> - You can read what HJT is and does Here
> - Save HJTInstall.exe to your desktop.
> - Double-click on HJTInstall.exe to run the program.
> - By default it will install to C:\Program Files\Trend Micro\HijackThis.
> - Accept the license agreement by clicking the "I Accept" button.
> - Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
> - Click "Save log" to save the log file and then the log will open in Notepad.
> - Click on "Edit -> Select All" then click on "Edit -> Copy" to copy the entire contents of the log.
> - Next, Go to this forum Here to start a new thread, right click and Paste your log there.
>
> DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
>
> After you post the log and are getting help from our TrustedAdvisors do nothing else to your pc until they have completed the clean up process. Please be patient once you post the log in our HJT forums as they are very busy, they will take your case ASAP. We Will get you fixed.
>
> Wademan

Ok

Thank you
Alan

Wademan Posted April 29, 2009

Hello Adubois,

Good job on posting the HJT log in our HJT forum, remember do not post to your own post there until a TrustedAdvisor has taken your case, they will get to you ASAP. I will keep an eye on it.

Wademan

mme Posted April 29, 2009

I see you got some excellent instructions on posting a hijackthis log in the malware forum. And your infection will be dealt with and cleaned out

TAKE CARE
Edward

ADubois (Author) Posted April 30, 2009

Thank you guys. Katana picked up my thread and I'm doing the scans asked for. Hopefully we'll get this resolved.

Alan