Help with Hijacking and a Trojan

Started by Marikir, April 17, 2012, 09:43:49 PM


Marikir

I need some advice from anyone out there.  My wife's old laptop was running slow and I started examining it.  I've found that it has some Trojan of some type on it, but the scans I do only identify it as a generic one.

Also, the browsers have been hijacked.  Like bad.  I try and go to www.google.com/ig and I get a 404 error, which I KNOW is wrong.  Hell, I was on the site on my phone.  So, I know it's being hijacked by something.  I've checked the HOSTS file and found no extra entries, so it seems that the problem isn't the regular HOSTS file.

I guess what I'm asking for are ideas on what to try or, if necessary, what would be a good website to post my issues in.  I'm fairly knowledgeable about computers, but I basically know enough to be really dangerous with my own computers. 

Note: Her computer is now running the free version of Adaware's Virus and Malware software.  I've also run CCleaner on it, as well as MyDefrag in an effort to make it run faster.  Yes, I know the last one won't fix anything, but in the interest of full disclosure, I thought I'd mention it.  I've downloaded HijackThis but haven't run it yet.

Autumn Sativus

Have you tried Malware Bytes yet? In the past I also had good luck with SpyBot Search&Destroy (this might help more with the hijacking issue).
Us against the world
Just a couple sinners making fun of hell



Marikir

I've downloaded MalwareBytes, but haven't run it yet.  I'll download Spybot as well.

Should I run those from Safe Mode?  I've read that's the best place to try stuff from, so I figure I'll do that.  Also, should I do the "renaming" trick?

Thanks for the initial suggestions, though.  Something new to try.

Lady Quixote

You might also try some of the security companies' free cleaners too; they tend to do a good job of at least IDing the Trojan.  Programs like Trend Micro's House Call and McAfee's Stinger.

I would try running them in Safe Mode if you can, but you'll most likely have to install them outside of Safe Mode if they are msi files (Safe Mode does not load the Windows Installer components used to make MSI's install).

So obviously the best way to make sure it's gone would be to reimage the PC but that would mean losing any non-backed up files, so it's a last last last resort tactic (the only tactic lower than that is buying a new PC because fixing the old one is too much of a hassle...I've not found anyone who tries this as a first step).

After things get cleaned you may want to look at a different Anti-Virus solution; my two cents is to use Microsoft's Security Essentials if the PC can run it.  I have had several good experiences with it on my 3 PCs at home and it has gotten good reviews from eWeek. 

Matt

Sarena

I have had very good luck with Microsoft Security Essentials, and, in fact, it is the only thing I use now on all of our computers.  Once (hopefully) you get the laptop cleaned out, MSE works for viruses and spyware. It is free, you just need to have a Windows OS on your computer.  I believe this is one of those things that Microsoft got right.  (no offense, but we all know Microsoft has had its issues across the board.)

I wish I could be of more help, but I just thought I would echo mvo33's recommendation for this program.  It has been invaluable for our household computers.
I can go from southern belle to ghetto thug faster than you can say "Bless your heart".
Status:  All caught up and loving it!


Malthas

I know this is a few days old but another program that might be useful to have on your computer to help protect it is Spyware Blaster.   It's a darn handy little thing that helps protect against such things to begin with. 

When one does get a virus or whatnot do try safe mode and run whatever programs you have to try and eliminate the threat, Spybot is indeed a very useful program and it's on my computer at all times.

That said you pay for what you get so the best idea is to buy security software that is constantly updated; Kaspersky or AVG Internet Security/anti virus are both great programs.     You can even buy versions that enable you to use them on up to three computers which is superb for families. 
Make them quiver.  Make them beg.   Make them belong.

Vekseid

Post a hijackthis log? You might need LSPFix

Marikir

As an update, I've run several of the programs mentioned above in Safe Mode and found a number of Trojans, etc.  They were removed by the programs, or at least the programs said they did.  I'm afraid they might return, of course. 

However, it does feel like some progress is being made. 

Next, I'll run the HijackThis program and post the log up for people to look at.  I appreciate all the help so far, it's nice to have others to bounce ideas and the situation off of.


(Oh, and I took a look at that FBI site that talks about that large botnet that got hijacked and then taken down.  Apparently, my wife's laptop is clear of that, so there is that at least.)

Marikir

Oooookay...well, looking at the laptop today has been...interesting.

For starters, MalwareBytes is CONSTANTLY stopping random DLLs in system32 and putting them into quarantine.  Also, it's constantly blocking random access attempts to random, possibly malicious websites.

In other words, the laptop is REALLY messed up.


Here's the HijackThis log that I ran while the laptop was up and running. 

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:39:08 AM, on 4/29/2012
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17055)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Ad-Aware Antivirus\AdAwareService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ad-Aware Antivirus\Engine\SBAMSvc.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\AD-AWA~1\AdAware.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\TiVo\Desktop\TiVoServer.exe
C:\WINDOWS\system32\taskmgr.exe
C:\HT.exe
\.\globalroot\C:\WINDOWS\system32\svchost.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Ad-Aware Antivirus] "C:\Program Files\Ad-Aware Antivirus\AdAwareLauncher" --windows-run
O4 - HKLM\..\Run: [Ad-Aware Browsing Protection] "C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer
O4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServer
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Felicia Jackson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [ddcdddeadeccabdct] "C:\Documents and Settings\All Users\Application Data\ddcdddeadeccabdct.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ddcdddeadeccabdct] "C:\Documents and Settings\All Users\Application Data\ddcdddeadeccabdct.exe" (User 'Default user')
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup:  WinCinema Manager.lnk = C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1148256758046
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1148256749468
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ad-Aware Service - Lavasoft Limited - C:\Program Files\Ad-Aware Antivirus\AdAwareService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Ad-Aware (SBAMSvc) - Sunbelt Software - C:\Program Files\Ad-Aware Antivirus\Engine\SBAMSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe

--
End of file - 12127 bytes


Fascinating stuff...but I can't parse that.  Not yet at least.  Thoughts and suggestions?

Marikir

Well, looking through the HijackThis code from above, I saw this weird entry.

Quote:
O4 - HKUS\S-1-5-18\..\Run: [ddcdddeadeccabdct] "C:\Documents and Settings\All Users\Application Data\ddcdddeadeccabdct.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ddcdddeadeccabdct] "C:\Documents and Settings\All Users\Application Data\ddcdddeadeccabdct.exe" (User 'Default user')

I went to find those and...oddly enough, I couldn't search for them in Regedit.  But, manually, I think I found them.  I have NO idea what those are, so I removed them.  I even went to the supposed location for them and couldn't find any EXE with that name.  I wonder if they are hidden or something?  But I've got "show all files" checked in the windows explorer.  So...where the hell are they?  Also, I found mention of a file with a long random letter name in my windows TEMP directory.  Searching for that revealed nothing either.

Regardless, I manually found the entries for that...weird name and deleted them from the registry. 

Now, in safe mode, I'm running Spybot which has found the Babylon.Toolbar...something I thought I had already removed.  I have no idea why my wife got that, but I've heard bad things about it.  I'll try and remove it AGAIN...

More thoughts or suggestions?
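As an added example (not from this thread, nor part of HijackThis itself), here is a small Python triage script for the log format posted above: it parses the O4 registry Run entries and the "Running processes" list and flags what a practitioner checks first, an autorun under the HKUS SYSTEM/.DEFAULT hive, an executable parked in a profile data or temp directory, a random-looking value name, and a process reported through a device path like the `\.\globalroot` svchost.exe line. The heuristics and thresholds are my assumptions; the reasons are triage hints rather than verdicts (the legitimate Ad-Aware entry picks up one reason, the odd entry picks up three).

```python
import re

# Constructed excerpt in HijackThis v2 format, modelled on the log posted in
# this thread (entries copied from it, trimmed to a few lines).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
\\.\globalroot\C:\WINDOWS\system32\svchost.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Ad-Aware Browsing Protection] "C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe"
O4 - HKUS\S-1-5-18\..\Run: [ddcdddeadeccabdct] "C:\Documents and Settings\All Users\Application Data\ddcdddeadeccabdct.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ddcdddeadeccabdct] "C:\Documents and Settings\All Users\Application Data\ddcdddeadeccabdct.exe" (User 'Default user')
"""

# "O4 - <hive>\..\Run: [<value name>] <command>"; Startup-folder O4 lines are
# deliberately not matched, only registry Run keys.
O4_RUN = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# A process reported via a device path (\\.\ or \\?\) instead of a drive letter.
DEVICE_PATH = re.compile(r'^\\{1,2}[.?]\\')
# Directories a legitimate installer rarely picks for an always-on executable
# (assumed heuristic; some real software does live here, so this is only a hint).
DATA_DIRS = ('\\application data\\', '\\local settings\\', '\\temp\\')


def command_path(cmd):
    """Return the executable path from a Run value, dropping quotes and arguments."""
    m = re.match(r'"([^"]+)"|(\S+)', cmd)
    return (m.group(1) or m.group(2)) if m else cmd


def looks_random(name):
    """Crude heuristic: long, lowercase letters only, few distinct letters."""
    if not re.fullmatch(r'[a-z]{12,}', name):
        return False
    return len(set(name)) / len(name) < 0.5


def flag_reasons(hive, name, path):
    """Triage hints for one Run entry; more reasons means a closer look is due."""
    reasons = []
    if hive.upper().startswith('HKUS\\'):
        reasons.append('autorun under the SYSTEM or .DEFAULT user hive')
    if any(d in path.lower() for d in DATA_DIRS):
        reasons.append('executable lives in a profile data or temp directory')
    if looks_random(name):
        reasons.append('random-looking value name')
    return reasons


def triage(log_text):
    """Scan a HijackThis log; return device-path processes and flagged autoruns."""
    report = {'device_path_processes': [], 'autoruns': []}
    in_processes = False
    for line in log_text.splitlines():
        if line.startswith('Running processes:'):
            in_processes = True
            continue
        if not line.strip():
            in_processes = False  # blank line ends the process list
        if in_processes and DEVICE_PATH.match(line):
            report['device_path_processes'].append(line)
        m = O4_RUN.match(line)
        if m:
            reasons = flag_reasons(m['hive'], m['name'], command_path(m['cmd']))
            if reasons:
                report['autoruns'].append((m['name'], m['hive'], reasons))
    return report
```

Run `triage(open('hijackthis.log').read())` on a saved log; entries with two or more reasons, and any device-path process, are the lines to research before touching the registry.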

Marikir

Oh holy crap...

I'm finally reading something that shows what might be happening.

I'm pretty sure now that this thing has been infected by ROOTKIT.0ACCESS.H


This pisses me off...


Any ideas on what to do to get rid of the damn thing?

jaybee55

Hi Marikir,

I've got good news and bad news...

The good news: There are some decent rootkit detection and removal programs out there.  I'd suggest starting with GMER (http://www.gmer.net/) or Sophos (http://www.sophos.com/en-us/products/free-tools/sophos-anti-rootkit.aspx).  They're both easy-to-use general-purpose tools.  If neither of these does the job you might need something more complex (i.e. more difficult to use).

The bad news: The primary purpose of a rootkit is to allow someone unfettered access to your computer.  This person may have installed a key-logger (to siphon off your passwords), a "legitimate" back door (i.e. undetectable by AVs), a hidden re-infector on a timer (also potentially undetectable), and/or any number of other nasty things.  It's also quite possible that removing the rootkit will completely disable your internet access (a side effect, not an intended consequence).

So I would seriously consider doing the following: 1) Do a backup (user files only!), if possible, scan this backup from a second computer as fully as you can.  2) Reformat your hard drive, then reload the OS/other software, and your backup files.

I know this seems extreme, but having a rootkit means (at the very least) you also have at least one trojan, and like I said before, who knows what else just lying in wait.

Marikir

Quick update from my iPhone while at work:

Finally understanding what I was seeing regarding what the infection was might have been the key I needed. I downloaded TDSSKiller (I think that was the name) and ran it in Safe Mode with Networking. It seemed to catch the ZeroAccess stuff. An immediate follow up w MalwareBytes found a couple more...and then nothing. Rebooted into Safe, rescanned with them, and...nothing. Rebooted into Normal mode. Rescanned. Nothing.

No attempts to connect to random IP addresses.

No redirects to a 404 page for www.google.com/ig.

And now, the laptop is showing updates available which it hadn't been just before. In fact, the main update is for SP3 for XP (yes, her system was pretty out of date apparently).

I'm cautiously optimistic. This is her old laptop with a lot of pics on it. We also don't have reinstall disks that I can locate. Hopefully, it's gotten over the main hump. I'll keep scanning it w random tools, etc...but now, at least, I have hope.


jaybee55

Excellent news.  And I'll keep my fingers crossed for you!