Rootkit removal please help I feel like tearing my hair out

[hre2stay]

My antivirus has a rootkit scanner but it finds them but cannot get rid of them as it is hidden. If I delete said file another one pops up. I am running rootkit revealer but even that it seems to hijack.

I am close to banging my head against the screen with this F'ing thing.

I keep getting BSOD IRQL_NOT_LESS_OR_EQUAL. Something like that anyway. Now all my drivers are ok and having done a scan for rootkits have found this "C:\WINDOWS\System32\Drivers\a6dkvma6.SYS";"Hi dden driver";"Object is hidden"

Only thing is if I delete it another one appears and I cannot seem to find it in the system32 file myself for some reason. How can I rid my machine of this thing?

Also my C: drive has turned blue on the my computer screen. Can anyone help?

Also system idle process is constantly on 90 something

[BC_Programmer]

First- is your drive ICON blue, or just the text? If it's just the text it is simply an indicator that the volume is compressed, so no worries with that.

As far as your rootkits, We will leave that to the malware experts- In the meantime, can you run through the guide here- attach the three guides to your post.

[evilfantasy]

What's up with the link to the drugs forum

Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note:  It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
 
Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix

[hre2stay]

Sorry about that don't know what happened there here is the 3 logs that you need.


I have done all the things that you required. Hope you guys can help

Here is some more error data

0040 BCP2: 02000000 BCP3: 80000000
BCP4: 00000000 OSver:5_1_2600 SP:3_0 Product 768_1

C:\DOCUME~1User\LOCLS~1\Temp\\WER9990.dir00\Mini021209-02.dmp
C:\DOCUME~1User\LOCLS~1\Temp\\WER9990.dir00\sysdata.xml

Bad_pool

A device driver attempting to corrupt the system has been caught. Faulty driver on kernel stack must be replaced.

ntfs.sys address f747c356 base at f745b000 datestamp 48025be5


HLKM\SECURITY\Policy\Secrets\SAC*
HLKM\SECURITY\Policy\Secrets\SAI*
HLKM\SYSTEM\ControlSet008\Services\sptd\Cfg

and some data that

[attachment deleted by admin]

[evilfantasy]

Open HijackThis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

- O2 - BHO: (no name) - {5315B925-3A4A-3FAF-8535-D826ADB5EE6A} - (no file)
- O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
- O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)

Important: Close all windows except for HijackThis and then click Fix checked.

Exit HijackThis.

----------

Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note:  It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
 
Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix

[hre2stay]

Hi I have done that. Combofix log is attached 

[attachment deleted by admin]

[evilfantasy]

Download the OTMoveIt3 by OldTimer

Note: If you are running on Vista, right-click on OTMoveIt3.exe and choose Run As Administrator.

* Save it to your Desktop.
* Double-click OTMoveIt3.exe to run it.
* Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

Code: [Select]

:Processes
explorer.exe

:files
c:\windows\hpoins06.dat.temp
c:\windows\hpomdl06.dat.temp

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

* Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
* Click the red Moveit! button.
* Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

----------

Download Lop S&D by Eric_71 and save it to your Desktop. Lop S&D will only run on Windows XP and Windows Vista

Disable your antivirus and antimalware programs so they do not interfere with the running of Lop S&D. If needed see: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

If you are using Windows Vista, right-click on LopSD.exe icon and select 'Run as administrator' to perform this scan.

• Double-click Lop S&D.exe
  
• Choose the language by typing of the corresponding letter and press Enter
• Click OK at the informative window
  
• Type 1, to choose Option 1 (Search) then press Enter
  
• Wait until the end of the scan
• A report will be generated, post the contents of it in your next reply.

A copy of the report can be found at this location: %systemdrive%\lopR.txt, in most cases C:\lopR.txt

[hre2stay]

Here is the move it log

[attachment deleted by admin]

[hre2stay]

Here you go there is the orter one too

[attachment deleted by admin]

[evilfantasy]

Your going to have to remove the Cracks & Keygens before I can continue helping.

* Double-click OTMoveIt3.exe to run it.
* Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

Code: [Select]

:Processes
explorer.exe

:files
C:\DOCUME~1\User\Application Data\Microsoft\Office\Recent\Football Manager 2008 (PC) + crack.LNK
C:\DOCUME~1\User\My Documents\Football Manager 2008 (PC) + crack
C:\DOCUME~1\User\My Documents\Football Manager 2008 (PC) + crack\
C:\DOCUME~1\User\My Documents\LimeWire\Saved\Leftover Crack - Heroin or Suicide.mp3

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

* Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
* Click the red Moveit! button.
* Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

[hre2stay]

I have got rid of all of those I think



[attachment deleted by admin]

[evilfantasy]

Download GMER and save it to your desktop

• Unzip (extract) it to your desktop.
• Disconnect from Internet and close all running programs.
• There is a small chance this application may crash your computer so save any work you have open.
• Double-click gmer.exe to run it.
  
• Let the gmer.sys driver to load if asked.
• If it gives you a warning at program start about rootkit activity and asks if you want to run a scan... click NO
  
• Click the Rootkit tab.
  
• Make sure all the boxes on the right of the screen are checked, EXCEPT for "Show All".
  
• Then click the Scan button. Wait for the scan to finish.
  
• Once done, click the Copy button.
  
• This will copy the results to the clipboard. Open Notepad and press CTRL + V to paste the log, and save it to your desktop.
  
• Add this log to your next reply.

NOTE: If you're having problems with running gmer.exe, try it in Safe Mode. This tool works in Safe Mode whereas many other rootkit revealers do not.

[hre2stay]

It wont let me post the logs it says the are too large

[hre2stay]

Number 1

[attachment deleted by admin]

[hre2stay]

Number 2

[attachment deleted by admin]

[hre2stay]

Number 3

They might not all be in the exact order they were. If this is a problem I still have the original

[attachment deleted by admin]

[ale52]

In my experience it's best to save your data and reformat.  Rootkits are almost impossible to completely get rid of.  Good luck trying all the other things.

Alan <>< 

[evilfantasy]

Rootkits are almost impossible to completely get rid of.

Only to an untrained eye...

How is the computer running now?

[ale52]

"Only to an untrained eye..."  You are absolutely right   I'm glad there are folks that can take the time to diagnose and get it fixed.  Unfortunately for me I don't have that luxury as everyone wants it NOW. 

Thanks for taking the time.

Alan <>< 

[evilfantasy]

At premium rates it's too expensive for the customer. Here we have the luxury of time.

I haven't met a rootkit in a forum setting I couldn't find.... yet!

Besides, not to insult hre2stay, but usually when someone says they have a rootkit it usually isn't the case. They are way harder to detect/notice then they are to find/remove

[hre2stay]

I ran AVG8 rootkit scanner and that was what told me it was a rootkit. I am fairly experienced and can get rid of most viruses but this had me flummoxed. Anyhoo what would you like me to do next?

[evilfantasy]

Can you run a new scan get a log from AVG Antirootkit?

[hre2stay]

Ill try but it usually gives me a BSOD

[evilfantasy]

Are you sure that the file path was right from the first post?

C:\WINDOWS\System32\Drivers\a6dkvma6.SYS

[hre2stay]

Yeah that was the 1st 1. When deleted it duplicates itself

Its scanning now n came up with this one

C:\WINDOWS\System32\Drivers\aowla604.SYS

[evilfantasy]

I'm not sure these are rootkit files.

Run GMER again please. Read the instructions carefully please. I don't need the whole log from the default settings.

Download GMER and save it to your desktop

• Unzip (extract) it to your desktop.
• Disconnect from Internet and close all running programs.
• There is a small chance this application may crash your computer so save any work you have open.
• Double-click gmer.exe to run it.
  
• Let the gmer.sys driver to load if asked.
• If it gives you a warning at program start about rootkit activity and asks if you want to run a scan... click NO
  
• Click the Rootkit tab.
  
• Make sure all the boxes on the right of the screen are checked, EXCEPT for "Show All".
  
• Then click the Scan button. Wait for the scan to finish.
  
• Once done, click the Copy button.
  
• This will copy the results to the clipboard. Open Notepad and press CTRL + V to paste the log, and save it to your desktop.
  
• Add this log to your next reply.

NOTE: If you're having problems with running gmer.exe, try it in Safe Mode. This tool works in Safe Mode whereas many other rootkit revealers do not.

[hre2stay]

Having ran GMER again it came out with even more text files. I was pretty sure I hadnt clicked the show all box the 1st time and I hadn't. In fact it wouldnt even let me put a tick in the check box. To prove this I printed the screen. It came up with hundreds upon hundreds of text files again as the picture proves.

http://i22.photobucket.com/albums/b326/Hre2stay/GMERscreenshot.jpg

Attached are the REG items it came up with. I didnt bother adding the text files as there were hunderds again


[attachment deleted by admin]

[evilfantasy]

I don't know why it's coming out like that. It should be something  like this.

GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-08-24 12:10:19
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.10 ----

SSDT \??\C:\WINDOWS\system32\vsdatant.sys ZwConnectPort
SSDT \??\C:\WINDOWS\system32\vsdatant.sys ZwOpenProcess
SSDT \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys ZwUnloadKey

---- Devices - GMER 1.0.10 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSEIRP_MJ_READ [BA437E90] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [BA437E90] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSEIRP_MJ_READ [BA437E90] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [BA437E90] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSEIRP_MJ_READ [BA437E90] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [BA437E90] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSEIRP_MJ_READ [BA437E90] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [BA437E90] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSEIRP_MJ_READ [BA437E90] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [BA437E90] vsdatant.sys
Device \Driver\AFD \Device\Afd IRP_MJ_CREATE [BA431B50] vsdatant.sys
Device \Driver\AFD \Device\Afd IRP_MJ_CLOSEIRP_MJ_READ [BA431B50] vsdatant.sys
Device \Driver\AFD \Device\Afd IRP_MJ_INTERNAL_DEVICE_CONTROL [BA431B50] vsdatant.sys

---- EOF - GMER 1.0.10 ----


Download Panda Anti-Rootkit.zip

* Unzip it and run the PAVARK.exe file.
* Tick the box that says In depth scan and follow the on screen instructions.
* Let me know the results in your reply.

[hre2stay]

Will it run in safe mode because if not its likely to BSOD

[evilfantasy]

It should run in safe mode.

[hre2stay]

Done that and it found no rootkits 

[evilfantasy]

I didn't think it would.

We can do another scan to be sure. It will take a while but should put your mind at ease.

Run the F-Secure Online Scanner for Viruses, Spyware and RootKits.

Note: This Scanner is for Internet Explorer Only!

• Click on Online Services and then Online Scanner
  
• Accept the License Agreement.
• Once the ActiveX installs,Click Full System Scan
  
• Once the download completes,the scan will begin automatically.
• The scan will take some time to finish,so please be patient.
• When the scan completes, click the Automatic cleaning (recommended) button.
  
• Click the Show Report button and Copy&Paste the entire report in your next reply.

[hre2stay]

Scanning Report
Friday, February 20, 2009 23:28:25 - 01:04:35

Computer name: MR-F7ADB6866673
Scanning type: Scan system for malware, rootkits
Target: C:\ F:\
Result: 3 malware found
TrackingCookie.2o7 (spyware)

    * System

TrackingCookie.Doubleclick (spyware)

    * System

TrackingCookie.Webtrends (spyware)

    * System

Statistics
Scanned:

    * Files: 29726
    * System: 2849
    * Not scanned: 7

Actions:

    * Disinfected: 0
    * Renamed: 0
    * Deleted: 0
    * None: 3
    * Submitted: 0

Files not scanned:

    * C:\PAGEFILE.SYS
    * C:\WINDOWS\SYSTEM32\DRIVERS\SPTD.SYS
    * C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
    * C:\WINDOWS\SYSTEM32\CONFIG\SAM
    * C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
    * C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
    * C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

Options
Scanning engines:

    * F-Secure USS: 3.0.0
    * F-Secure Hydra: 3.6.8511, 2009-02-20
    * F-Secure AVP: 7.0.171, 2009-02-20
    * F-Secure Pegasus: 1.20.0, 1970-00-01
    * F-Secure Blacklight: 0.0.0

Scanning options:

    * Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
    * Use Advanced heuristics

[evilfantasy]

All that was found is cookies.

TrackingCookie.2o7 (spyware)

TrackingCookie.Doubleclick (spyware)

TrackingCookie.Webtrends (spyware)

I never did put much faith in the AVG Antirootkit scanner. I think it's safe to say I was right..

[hre2stay]

The AVG is still finding "C:\WINDOWS\System32\Drivers\azrbl4oh.SYS";"Hidden driver";"Object is hidden"

If I still get BSOD do you think I should format the drive?

I knew it was a problem with the drivers and I blamed the printer at first. One of the 1st blue screens said it was a driver problem and something to do with the kernel stack. I have uninstalled just about everything and the problem persists so it can't be any legitimate drivers

[evilfantasy]

There aren't many unknown rootkits out there and whatever AVG is hitting on I think is not a rootkit but a system file it sees as malicious. A false positive.

Although I could be totally wrong so you might want to ask in the AVG Anti-Rootkit forum why it's doing this.

[hre2stay]

Ok many thanks for all your help. You've been brilliant.

Thank you

[evilfantasy]

• Click START then RUN
  
• Now type Combofix /u in the runbox
  
• Make sure there's a space between Combofix and /u
• Then hit Enter.

.
.
The above procedure will:

• Delete:
• ComboFix and its associated files and folders.
• VundoFix backups, if present
• The C:\Deckard folder, if present
• The C:_OtMoveIt folder, if present

• Reset the clock settings.
• Hide file extensions, if required.
• Hide System/Hidden files, if required.
• Set a new, clean Restore Point.

.
----------

1. Double click OTMoveIt3.exe to launch it.
Vista users right click and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
5. Once complete exit out of OTMoveIt3

----------

Use the Secunia Software Inspector to check for out of date software.

• Click Start Now
  
• Check the box next to Enable thorough system inspection.
  
• Click Start
  
• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.

.
----------

Go to Microsoft Windows Update and get all critical updates.

---------

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

[hre2stay]

Its still ll messed up. Another anti virus keeps coming up with sptd.exe as a problem and also OSA09.sys. Anyway looks like I am going to have to format after all.  I have a problem though I would like to backup my drivers but as this is seemingly where the problem lies I will not be able to do this. Will I be able to find the drivers easily enough after formatting?

[evilfantasy]

Another anti virus keeps coming up with sptd.exe as a problem

What is another antivirus?

Do you have virtual drives or daemon tools installed?

[hre2stay]

Yes and unfortunately I cannot delete it because I deleted all those files before. So its kind of stuck on the system

[evilfantasy]

It's not malware, it's a Daemon Tools file.

Download  FindFile by Atribune

1. Extract the contents to your Desktop
2. Double click on FileFind.exe to open the program.
3. In the File: box enter sptd.exe
4. Click on the Search button.
5. Wait. If any files are found, a list of file locations will appear in the List of Files: box.
6. Click on the Export button.
7. This will open a Notepad file named Export.txt. Copy and paste it to your next post please.

There will also be a copy of the Export.txt saved in C:\Export.txt

Also repeat the above steps for OSA09.sys