
Help with ipsecndis.sys and ntndis.sys


Postby varun.tyagi » Fri May 14, 2010 8:01 pm

Hi Patrick,

I am infected with a hacktool.rootkit worm. It has created a backdoor in my PC. I used Malwarebytes anti-malware and it detected ipsecndis.sys and ntndis.sys files as rootkits. The anti-malware asks me to restart in order to delete these files. However, the files could not be deleted upon restarting. Also, the infected sys files are not visible in the system32 and system32\drivers directories. Neither can I manually delete them, nor can software such as Spybot, Malwarebytes or UnHackMe delete them.
P.S.: These files always show up in the anti-malware tools whenever I connect to the internet.
What should I do?? It is very frustrating. :(
varun.tyagi
 
Posts: 19
Joined: Fri May 14, 2010 7:56 pm

Re: Help with ipsecndis.sys and ntndis.sys

Postby 12056 » Sat May 15, 2010 12:00 am

Please download and run GMER Anti-Rootkit from http://www.gmer.net/download.php
NOTE: The exe file is randomly named, to prevent removal by malware!

Run GMER. Under the Rootkit / Malware tab you will see a list of items on the right-hand side of the program.
Check the boxes next to Services, Files, Registry, Processes, and System, then press the Scan button.

When the scan is finished, click the save button and save the file to your desktop.

Attach or paste the log file to your next post, so I can help you remove the rootkit.
MyAntispyware.com Forum Security Team
--------------------------------------------------------------
Instructions posted are for the topic starter ONLY!
If you didn't create this topic, don't use the advice!
12056
 
Posts: 270
Joined: Sun Apr 25, 2010 9:57 pm
Location: Los Lunas, NM (USA)

Re: Help with ipsecndis.sys and ntndis.sys

Postby varun.tyagi » Sat May 15, 2010 1:52 pm

Hi,

Thanks for the prompt reply, and I apologize for replying so late. After running the application GMER for nearly 2 hours, a blue screen error popped up which states:
A problem has been detected and windows has been shut down to prevent any damage to your computer.

The problem seems to be caused by the following uwroakoc.sys

PAGE_FAULT_IN_NONPAGED_AREA

............something is written........
If problem persists continue, disable or remove any newly installed hardware or software. Disable BIOS memory options such as caching or shadowing.

Technical Information:

***Stop: 0x00000050 (0xF7FC2018, 0x00000000, 0xA840ccf8, 0x00000000)
***uwroakoc.sys - Addressss A840CCF8 base at A8401000, Datestamp 4b274f8d


Now what should be done? Should I use ERD and system restore?
Also, GMER shows a lot more options than just system, files, services etc. Should I select all the options or just the options written by you in the post? Should I select all the drives or just C:\ (the system drive)?
varun.tyagi
 
Posts: 19
Joined: Fri May 14, 2010 7:56 pm
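
The two technical lines of the stop screen quoted above can be decoded mechanically. This is an added example, not part of the original thread: it parses those lines as typed in the post, applies the documented parameter layout of stop code 0x50, and converts the driver datestamp to a UTC build time. The function name `decode_stop` is an assumption of this example.

```python
import re
from datetime import datetime, timezone

# Stop-screen lines copied as typed in the post above (including "Addressss").
STOP_TEXT = """\
***Stop: 0x00000050 (0xF7FC2018, 0x00000000, 0xA840ccf8, 0x00000000)
***uwroakoc.sys - Addressss A840CCF8 base at A8401000, Datestamp 4b274f8d
"""

STOP_RE = re.compile(r"Stop:\s*0x([0-9a-f]+)\s*\(([^)]*)\)", re.I)
# "Addres+" tolerates the retyped spelling; real screens print "Address".
DRIVER_RE = re.compile(
    r"\*+\s*(\S+)\s+-\s+Addres+\s+([0-9a-f]+)\s+base at\s+([0-9a-f]+),"
    r"\s*Datestamp\s+([0-9a-f]+)", re.I)


def decode_stop(text):
    """Decode a Windows stop code line and the driver line beneath it."""
    stop, drv = STOP_RE.search(text), DRIVER_RE.search(text)
    if not stop or not drv:
        raise ValueError("stop line or driver line not found")
    code = int(stop.group(1), 16)
    params = [int(p, 16) for p in stop.group(2).split(",")]
    if len(params) != 4:
        raise ValueError("a stop code carries exactly four parameters")
    addr, base, stamp = (int(g, 16) for g in drv.group(2, 3, 4))
    info = {
        "code": code,
        "driver": drv.group(1),
        # Offset of the reported address inside the loaded driver image.
        "offset": addr - base if addr >= base else None,
        # The datestamp is the PE header TimeDateStamp: seconds since 1970 UTC.
        "built": datetime.fromtimestamp(stamp, timezone.utc).isoformat(),
    }
    if code == 0x50:  # PAGE_FAULT_IN_NONPAGED_AREA parameter layout
        info["referenced"] = params[0]  # invalid address that was touched
        info["access"] = {0: "read", 1: "write"}.get(params[1], "other")
        info["faulting_ip"] = params[2]  # instruction that touched it
        info["ip_in_driver"] = params[2] == addr
    return info


if __name__ == "__main__":
    print(decode_stop(STOP_TEXT))
```

The result says which driver image contained the faulting instruction and when that image was built; it does not by itself say whether the driver is malicious.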

Re: Help with ipsecndis.sys and ntndis.sys

Postby 12056 » Sat May 15, 2010 6:05 pm

To answer your questions... just the options written by me in the post and C: drive. There is no need to use system restore, etc... unless your computer is very unstable.

If GMER still crashes, download SysProt from http://files6.majorgeeks.com/files/92ea7d01cd7d6245f19a2da8aa6534b4/spyware/SysProt.zip
Extract the files to your desktop (or another easy-to-locate folder) and run the file SysProt.exe. When the program starts you will see tabs at the top; select the "log" tab...

Under "Write to log" select all the options: Processes, Kernel Modules, SSDT, Kernel Hooks, IRP Hooks, Ports, and Hidden Files.
At the bottom, check the box next to "Hidden Objects Only", then press "Create Log". When it is done scanning, a log file will be created.

Please attach or post this log file in your next post.
12056
 
Posts: 270
Joined: Sun Apr 25, 2010 9:57 pm
Location: Los Lunas, NM (USA)

Re: Help with ipsecndis.sys and ntndis.sys

Postby 12056 » Sat May 15, 2010 6:12 pm

Also, I haven't seen a HijackThis log for your machine. This is my fault though :shock:

Please download HijackThis 2.0.4 from http://free.antivirus.com/hijackthis/
When you run HijackThis, you will be prompted with several options, select "Do a system scan and save a logfile".

HijackThis will quickly scan your machine and create a log file (the log file will open automatically when the scan is finished).
Please attach or post this log in your next post.
12056
 
Posts: 270
Joined: Sun Apr 25, 2010 9:57 pm
Location: Los Lunas, NM (USA)

Re: Help with ipsecndis.sys and ntndis.sys

Postby varun.tyagi » Sat May 15, 2010 6:19 pm

Hi 12056,

I'll do it asap and will post you the results

Best regards,
Varun
varun.tyagi
 
Posts: 19
Joined: Fri May 14, 2010 7:56 pm

Re: Help with ipsecndis.sys and ntndis.sys

Postby 12056 » Sat May 15, 2010 6:40 pm

Thanks, the information in HijackThis logs is very important... It gives me detailed information about your system.
12056
 
Posts: 270
Joined: Sun Apr 25, 2010 9:57 pm
Location: Los Lunas, NM (USA)

Re: Help with ipsecndis.sys and ntndis.sys

Postby varun.tyagi » Sat May 15, 2010 7:30 pm

My hard luck. The net connection is down. I am replying to u thru my mobile phone. I have created the log files and will update u as soon as the connection is restored. I'll try to attach the files thru phone, if possible.
I'm really sorry
varun.tyagi
 
Posts: 19
Joined: Fri May 14, 2010 7:56 pm

Re: Help with ipsecndis.sys and ntndis.sys

Postby 12056 » Sat May 15, 2010 7:37 pm

No problem... If you have a "thumb drive" you can copy the log files, take them to another computer and upload them, if possible.
Whatever works, and whenever. :)

Best of Luck
12056
 
Posts: 270
Joined: Sun Apr 25, 2010 9:57 pm
Location: Los Lunas, NM (USA)

Re: Help with ipsecndis.sys and ntndis.sys

Postby varun.tyagi » Sat May 15, 2010 7:47 pm

:D Thanks buddy!!!

The internet problem these days is pathetic in here.
I will do it in the morning tomorrow, as it is late night here in India.
Thanks for extending help. Will see ya 2morrow. Have a good day to u

Enjoy!!!
:wink:
varun.tyagi
 
Posts: 19
Joined: Fri May 14, 2010 7:56 pm

Re: Help with ipsecndis.sys and ntndis.sys

Postby varun.tyagi » Sun May 16, 2010 12:17 pm

Hi this is SysProtLog file
Attachments
SysProtLog.txt
(35.55 KiB) Downloaded 20 times
varun.tyagi
 
Posts: 19
Joined: Fri May 14, 2010 7:56 pm

Re: Help with ipsecndis.sys and ntndis.sys

Postby varun.tyagi » Sun May 16, 2010 12:18 pm

Hi,
This is Hijackthis log file
Attachments
hijackthis.log
(10.54 KiB) Downloaded 24 times
varun.tyagi
 
Posts: 19
Joined: Fri May 14, 2010 7:56 pm

Re: Help with ipsecndis.sys and ntndis.sys

Postby 12056 » Sun May 16, 2010 3:24 pm

Thanks for the logs, I was able to locate some more malicious items...

To remove them...
Re-run HijackThis, check the boxes next to:

   O23 - Service: VHCXNNYJUA - Unknown owner - C:\DOCUME~1\Administrator\Local Settings\Temp\VHCXNNYJUA.exe (file missing)
   O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
   O2 - BHO: (no name) - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - (no file)
   O4 - HKUS\.DEFAULT\..\Run: [M5T8QL3YW3] C:\WINDOWS\TEMP\Fp1.exe (User 'Default user')
   O4 - HKUS\S-1-5-18\..\Run: [M5T8QL3YW3] C:\WINDOWS\TEMP\Fp1.exe (User 'SYSTEM')


Then press the button labeled "Fix Checked Items".
12056
 
Posts: 270
Joined: Sun Apr 25, 2010 9:57 pm
Location: Los Lunas, NM (USA)
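
The five HijackThis entries listed in the post above share traits that can be checked mechanically. This is an added example, not part of the original post and not HijackThis's own logic: a small triage pass over those entries, where the four heuristics, the function names and the contrasting "ExampleApp" line are assumptions of the example.

```python
import re

# The five entries quoted in the post above, verbatim, plus one constructed
# benign entry (hypothetical "ExampleApp") for contrast.
LOG_LINES = [
    r"O23 - Service: VHCXNNYJUA - Unknown owner - C:\DOCUME~1\Administrator\Local Settings\Temp\VHCXNNYJUA.exe (file missing)",
    r"O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)",
    r"O2 - BHO: (no name) - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - (no file)",
    r"O4 - HKUS\.DEFAULT\..\Run: [M5T8QL3YW3] C:\WINDOWS\TEMP\Fp1.exe (User 'Default user')",
    r"O4 - HKUS\S-1-5-18\..\Run: [M5T8QL3YW3] C:\WINDOWS\TEMP\Fp1.exe (User 'SYSTEM')",
    r"O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\Example\app.exe",
]

# HijackThis section codes that appear in this thread.
SECTIONS = {"O2": "Browser Helper Object", "O4": "autorun entry", "O23": "service"}
ENTRY_RE = re.compile(r"^\s*(O\d+) - (.+)$")
ORPHAN_RE = re.compile(r"\((?:file missing|no file)\)", re.I)
TEMP_RE = re.compile(r"\\temp\\", re.I)
# .DEFAULT and S-1-5-18 are the profile hives used by the LocalSystem account.
SYSTEM_HIVE_RE = re.compile(r"HKUS\\(?:\.DEFAULT|S-1-5-18)\\", re.I)


def triage(line):
    """Return the section name and the reasons an entry deserves a closer look."""
    match = ENTRY_RE.match(line)
    if not match:
        return None  # not a HijackThis "O" entry
    code, body = match.groups()
    reasons = []
    if ORPHAN_RE.search(body):
        reasons.append("target file absent")
    if TEMP_RE.search(body):
        reasons.append("runs from a temp directory")
    if code == "O4" and SYSTEM_HIVE_RE.search(body):
        reasons.append("autorun in SYSTEM/default-user hive")
    if code == "O2" and "(no name)" in body:
        reasons.append("unnamed BHO")
    return {"section": SECTIONS.get(code, code), "reasons": reasons}


def flagged(lines):
    """Keep only the entries that matched at least one heuristic."""
    results = [(line, triage(line)) for line in lines]
    return [(line, r) for line, r in results if r and r["reasons"]]


if __name__ == "__main__":
    for line, result in flagged(LOG_LINES):
        print(result["section"], "|", "; ".join(result["reasons"]), "|", line)
```

A match only marks an entry for review; plenty of legitimate software leaves orphaned registry entries behind after an uninstall.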

Re: Help with ipsecndis.sys and ntndis.sys

Postby 12056 » Sun May 16, 2010 3:28 pm

SysProt didn't find any rootkits, I wonder if MalwareBytes removed them...

I want you to run Dr Web's CureIt! from http://www.freedrweb.com/download+cureit/, once you accept the agreement your download will start.
Once downloaded, double click it. Run an Express Scan, remove any infected items found, and post a log file in your next post.
12056
 
Posts: 270
Joined: Sun Apr 25, 2010 9:57 pm
Location: Los Lunas, NM (USA)

Re: Help with ipsecndis.sys and ntndis.sys

Postby varun.tyagi » Sun May 16, 2010 8:58 pm

Hey buddy,

I scanned it with Dr. Web. Please find attached the log file for the same.
Attachments
DrWeb.JPG (136.66 KiB) Viewed 1506 times
varun.tyagi
 
Posts: 19
Joined: Fri May 14, 2010 7:56 pm
