Rootkit Issue-Please Help

[JayceAce23]

Please help.....seems I am helpless to The rootkit running my system....I have scanned with everything and done ALL I can to remove myself...figured it was time to call the professionals....I am attaching my logs and please let me know what other info I can provide.

[Rene-gad]

1. Pls. READ the rules and attach only 3 files, which are described in the chapter Analysis
2. Remove ALL SECURITY PROGRAMS besides only ONE antivirus program (NIS or AVG - whatever you want)
3. All of cure tools are to start only AS ADMINSTRATOR

Switch off/Disable:
- Antivirus and and, if you have - Firewall.
- System Restore

- Execute following script in Manual Cure

Код:

begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
 StopService('RJNDKCMNS');
 StopService('TD');
 QuarantineFile('C:\Users\Rockstar\AppData\Local\Temp\RJNDKCMNS.exe','');
 QuarantineFile('C:\Users\Rockstar\AppData\Local\Temp\TD.exe','');
 DeleteFile('C:\Users\Rockstar\AppData\Local\Temp\TD.exe');
 DeleteFile('C:\Users\Rockstar\AppData\Local\Temp\RJNDKCMNS.exe');
 DeleteService('TD');
 DeleteService('RJNDKCMNS');
BC_ImportAll;
ExecuteSysClean;
 BC_DeleteSvc('TD');
 BC_DeleteSvc('RJNDKCMNS');
ExecuteRepair(13);
ExecuteRepair(14);
BC_Activate;
RebootWindows(true);
end.

After reboot:

- Clean Temp-Maps, Cache of Browsers, Recycler. Use Windows service tool cleanmgr or CCleaner or ClearProg
- Close all the programs and start only Internet Explorer!!!
- Repeat 3 log files.
- Switch Antivirus and, if you have - Firewall, on.
- Go On-Line
- Upload the quarantine.zip over the link Upload quarantined files on the top of this page.
- Attach 3 log files to your new post..

[JayceAce23]

My apologies for the breach of rules and the delay....thank you for helping...

I was a lil confused at first and I think I now have exactly what you requested. Please let me know if I missed anything and or the next step.

[drongo]

I don't see your quarantine, and you didn't attached avz's logs

[JayceAce23]

Oops....uploaded the logs on the quarantine link....I'm sorry. Nothing in the quar files viewer....here as requested are the other two logs.....

these are the logs generated after following instructions listed above....again my apologies....got a bit confused on what was doing.

Thanks for your help....

[Rene-gad]

All of cure tools are to start only AS ADMINSTRATOR

- Open file c:\windows\system32\drivers\hosts with any text editor, e.g. Notepad, and remove all strings after

127.0.0.0 localhost

and save the file. ATT! This file should not have any extension!!!

- Execute following script

Код:

begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
 QuarantineFile('c:\windows\system32\wpclsp.dll','');
 QuarantineFile('C:\Windows\System32\avgrsstx.dll','');
 DeleteFile('C:\Windows\System32\avgrsstx.dll');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

After reboot:

- Repeat 3 log files.
- Upload the quarantine.zip over the link Upload quarantined files on the top of this page.

[JayceAce23]

Logs as requested

[Rene-gad]

ONCE MORE!

- Open file c:\windows\system32\drivers\hosts with any text editor, e.g. Notepad, and remove all strings after and save the file. ATT! This file should not have any extension!!!

- Repeat 3 log files.

[JayceAce23]

I did do that...went back and looked again....saved it as hosts.txt.....I went and attempted to save Hosts file using notepad, wordpad, word, etc....after editing as you said...and it told me that I do not have permission to do this....seems my permissions may be changed......I started ALL editors as admin tried file open to get there, also went thru Explorer to get there.....

Am I missing something as It won't let me save in that folder.

[Rene-gad]

...saved it as hosts.txt.

You have only to switch an arrow at File Type from Text into All Files, so you could save it without extension or with any one.
Otherwise rename hosts into hosts.old and then - hosts.txt into hosts.

[JayceAce23]

I did change file type to all files....I get an error message saying I do not have permission to save there.

The hosts file on my pc is actually located at c:\windows\system32\drivers\etc

I tried to save it as you said, switched to all files named simply hosts in both the c:\windows\system32\drivers\etc and c:\windows\system32\drivers\

both times I got the error saying I do not have permission to do this to contact Administrator.

[Rene-gad]

I do not have permission to save there..

Really you don't - it's Vista and you need the administrator rights for changings in the system area.
I'm sorry, I'm not a Vista -Specialist, but I suppose - you can ask any such one in another forum or NG.

[JayceAce23]

Thank you for your patience with me....I've had several issues...

1-the hosts file was locked...I was able to edit it bck to normal with spybot and then uninstalled spybot and attempted to repeat log files per instructions

2.I repeated the steps you requested. However when performing std. script Healing/Quarantine and Adv. Sys Analysis I keep getting an Appcrash error with AVZ. I redownloaded it and was able to get thru a scan once...on 6-14 with it....tried again today and more app crash errors...so I am attaching 6-14 and 6-15 quarantine.

3. Logs are attached as requested. I do not have the most updated syscure.zip due to the app crash errors and I cannot get thru a scan for that one....

Thank you again for your patience...please give me next step....

[Rene-gad]

- Execute following script in Manual Cure

Код:

begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
 StopService('blbdrive');
 QuarantineFile('C:\Windows\system32\drivers\blbdrive.sys','');
 DeleteFile('C:\Windows\system32\drivers\blbdrive.sys');
 DeleteService('blbdrive');
BC_ImportAll;
ExecuteSysClean;
 BC_DeleteSvc('blbdrive');
BC_Activate;
SetAVZPMStatus(True);
RebootWindows(true);
end.

After reboot:

- Repeat 3 log files.
- Upload the quarantine.zip over the link Upload quarantined files on the top of this page.

[JayceAce23]

Well here's two of the three....can't seem to get AVZ to complete the Healing/Quarantine-Advanced System Analysis

I keep getting appcrash errors.....and it gives me the option to either close the program or check online for a solution and close the program...

Have done this scan 5+ times....including after running the script you wrote and rebooting as per instructions....scan is done with firewall and antivirus disabled and offline per your instructions as well.

[Rene-gad]

I cannot find any suspicious item .
If your problem shouldn't be solved - try to make logs with a special avz (s. link in my signature). Database update for it isn't possible.