# Virus - Please solve me how to deal with this virus



## freebird_9924 (Sep 16, 2009)

Check the screenshot please..

I don't know how my PC got infected with it but I have BitDefender Total Security 2009 & ran a quick system scan..

It's not showing any virus.

But after every time I start my PC and open Internet Explorer/Maxthon and open my mail and some sites, BitDefender shows me that it was attacked by a virus and it has deleted that file.. but the same cycle repeats each time I start my PC and Internet Explorer and open sites..

This is since 4-5 days only..

And I tried to go to c:/windows/temp and c:...../appdata/temp and tried to delete that file manually but I was not able to do it..

Instead, sometimes when I tried to do so, it showed a blue screen and restarted.

Sometimes it's showing a w7services.exe virus after startup & it's requesting to connect but I blocked it using BitDefender and deleted it from startup.

And I've even observed, since these 3-4 days only, I'm facing the "restart Windows Explorer" error frequently.. [I'm using Windows Vista Home Premium]

Please tell me how to permanently solve this problem.. the virus problem, and hopefully it should solve the restart Windows Explorer problem too..

Now please tell me


----------



## Kreij (Sep 16, 2009)

Here is what I would try...
Shut down all apps and anything you have in the tray.
Shut off system restore.
Delete everything from the temp directories. They are, after all, supposed to be temporary files.
Boot into safe mode and run your virus scan.

After it is done, see if you can access the registry editor.
If you can, reboot into normal mode and see what happens. Sometimes the viruses will put things in the registry and then try to prevent you from accessing the registry.

Let us know what happens.


----------



## wiak (Sep 16, 2009)

Run in safe mode and clean; check if BitDefender has some kind of antivirus-based live CD like ESET SysRescue.

You can also try running Malwarebytes Anti-Malware:
http://www.malwarebytes.org/mbam.php


----------



## CrackerJack (Sep 16, 2009)

If Kreij's solution doesn't work.... if you tried to delete it that many times, it's a rootkit virus. Which means it's a virus embedded in a system file. Most likely explorer.exe or winlog.exe. So when the system restarts it's added again and again. So using a rootkit cleaner/remover should fix this problem. Just like with a virus, back up your personal data, ex: pics, videos and whatnot. Not programs!!!


----------



## freebird_9924 (Sep 18, 2009)

CrackerJack said:


> If Kreij's solution doesn't work.... if you tried to delete it that many times, it's a rootkit virus. Which means it's a virus embedded in a system file. Most likely explorer.exe or winlog.exe. So when the system restarts it's added again and again. So using a rootkit cleaner/remover should fix this problem. Just like with a virus, back up your personal data, ex: pics, videos and whatnot. Not programs!!!



How to do that?
Still my PC is showing a similar error after each startup.


----------



## Mussels (Sep 18, 2009)

Boot in safe mode and run a real antivirus (such as the NOD32 or Kaspersky 30 day trials).


If you won't (or can't) do that, then format the PC and reinstall Windows.


----------



## freebird_9924 (Sep 18, 2009)

Mussels said:


> Boot in safe mode and run a real antivirus (such as the NOD32 or Kaspersky 30 day trials).
> 
> 
> If you won't (or can't) do that, then format the PC and reinstall Windows.



BitDefender won't work?

So I have to uninstall it and install one of these 2?


----------



## Mussels (Sep 20, 2009)

From memory BitDefender is a decent antivirus; most people like it for its firewall. But it's not one of the best - Kaspersky and NOD32 are trading blows for best antivirus.


----------



## Boyfriend (Sep 20, 2009)

Hello

Install *Kaspersky 2010* on your computer --> Update it (the first complete update is *free* even without any trial/commercial key activation) --> Go to the *Security+* tab on the main GUI --> Click *Create Rescue Disk* --> Next select *Download ISO image from Kaspersky Lab server* and follow the procedure. At the end, Explorer will show a folder containing an up-to-date ISO image of the Rescue Disk --> Burn it to a blank CD and boot --> Run a complete computer scan. It is a Linux-based boot CD.

If the above procedure is not possible (whatever the reason), then download Kaspersky Rescue Disk. It is slightly outdated. Burn it to a blank CD and boot. Run a complete system scan. It should clean most (remember! it is not up-to-date) of those nasty things without messing up your OS+data.


----------



## TheLaughingMan (Sep 20, 2009)

freebird_9924 said:


> I don't know how my PC got infected with it but I have BitDefender Total Security 2009 & ran a quick system scan..



Simple. Virus scanners and virus programs are reactive, not proactive. This means the virus will come out and infect computers, unfortunately yours, and then the virus scanners will be updated to handle the new threat. It is the nature of the game and applies to all virus scanners.

Find an anti-virus program that is updated frequently, does active scans of recently used files, and does some kind of spyware blocking (separate program if needed). It's the best you can do.

I recommend AVG, NOD32 is good, and Clam Windows edition. I also agree with Mussels. Restart the system in safe mode, run a full system scan using CCleaner, then your anti-virus program, then your anti-spyware program. Or format away.


----------



## Boyfriend (Sep 20, 2009)

Isn't it better to run a single solution (I recommend Kaspersky) than AVG+NOD32+ClamAV?


----------



## TheLaughingMan (Sep 20, 2009)

Boyfriend said:


> Isn't it better to run a single solution (I recommend Kaspersky) than AVG+NOD32+ClamAV?



Kinda meant one or the other. I was just throwing out some different ones I have used and think work well.

To answer the question, yes. Anti-virus programs don't play nice. I have had several occasions where friends would have 2 or 3 and one would call the other a virus due to the number of files it "accessed" matching a keylogger.


----------



## Boyfriend (Sep 22, 2009)

First: Virus and keylogger are different things.
Second: An infected system can be cleaned in safe mode (full admin mode with only necessary drivers), but remember many viruses are now aware of safe mode and can continue executing in safe mode & hinder removal. The only remaining method, which is the best, is to boot into another OS (boot CD) and do the cleaning, and for this purpose I have found the Kaspersky Boot CD much more effective and efficient (I have tested Panda BootCD, Avira BootCD, Eset SysRescue). If anyone finds the Kaspersky 2010 Boot CD difficult to use, then install the Kaspersky 2009 edition, and make a BartPE (Windows XP based) boot CD containing Kaspersky AV. That CD can be updated over the internet in real time and also gives you more options and accessibility.


----------



## Mussels (Sep 22, 2009)

Could you link to the Kaspersky boot CD, or some instructions for it? I wasn't even aware it existed.


----------



## TheLaughingMan (Sep 22, 2009)

Boyfriend said:


> First: Virus and keylogger are different things.



I know, but most virus scanners search for more than just viruses. And in this case it was an obvious mistake by one virus scanner calling the other's e-mail scanner a keylogger. In the end it's usually not a smart thing to have 2 or 3 different anti-virus programs running at once.

Safe mode takes no additional effort other than a simple restart, so it is always a good thing to try first; however, running a scanner from a bootable CD is a good alternative to an OS reinstall.


----------



## freebird_9924 (Oct 28, 2009)

*Scanned reports - Showing rootkit virus*

I've scanned using BitDefender and Malwarebytes both.
They are showing a rootkit virus but not deleting them on the next reboot.

_*Any way to remove this rootkit virus?*_


Check attached screenshot and malware bytes reports.



> Malwarebytes' Anti-Malware 1.41
> Database version: 2775
> Windows 6.0.6000
> 
> ...


----------



## i789 (Oct 29, 2009)

Usually a rootkit "virus" is hard to remove and sometimes even though you apparently remove infected files, the backdoors it creates still remain open afterwards. Whoever is in control of this rootkit still has access to these backdoors and your system is still compromised even though you removed the "infected files". I would suggest you use either IceSword or RootkitRevealer to check the condition of your system. To be honest, if your OS kernel is compromised, you may want to just back up everything and nuke this system so no one can access your system through backdoors anymore. Let me know if you need any help.


----------



## freebird_9924 (Oct 29, 2009)

i789 said:


> Usually a rootkit "virus" is hard to remove and sometimes even though you apparently remove infected files, the backdoors it creates still remain open afterwards. Whoever is in control of this rootkit still has access to these backdoors and your system is still compromised even though you removed the "infected files". I would suggest you use either IceSword or RootkitRevealer to check the condition of your system. To be honest, if your OS kernel is compromised, you may want to just back up everything and nuke this system so no one can access your system through backdoors anymore. Let me know if you need any help.



Oops.

Can't I remove the rootkit virus any other way?


----------



## dir_d (Oct 29, 2009)

There's one program that's super strong but before I'd use it I would back up EVERYTHING! It's called ComboFix. I've had a rootkit before and it got rid of every trace of it.


----------



## Asylum (Oct 29, 2009)

Ever heard of a Reformat.
The ultimate virus killer.


----------



## freebird_9924 (Oct 29, 2009)

dir_d said:


> There's one program that's super strong but before I'd use it I would back up EVERYTHING! It's called ComboFix. I've had a rootkit before and it got rid of every trace of it.





Will the Kaspersky or BitDefender latest rescue CD work?

I don't want to format my HDD and reinstall Windows.


----------



## THRiLL KiLL (Oct 29, 2009)

http://www.spywareremove.com/removeRootkitTDSS.html

Follow the manual removal steps and don't download the program.


----------



## freebird_9924 (Oct 29, 2009)

THRiLL KiLL said:


> http://www.spywareremove.com/removeRootkitTDSS.html
> 
> Follow the manual removal steps and don't download the program.



Thanks.

But in the manual removal, the files and processes they mentioned, I'm not able to find them in my processes/files.

The files which are infected on my laptop, I posted in the above post with the BitDefender screenshot and Malwarebytes log.

Please tell me what to do.


----------



## THRiLL KiLL (Oct 29, 2009)

follow this:
http://www.s-t-f-u.com/?p=246


----------



## Steevo (Oct 29, 2009)

Submit a HijackThis report please; if HijackThis won't run then rename the file to something else and run it.


----------



## freebird_9924 (Oct 29, 2009)

Steevo said:


> Submit a HijackThis report please; if HijackThis won't run then rename the file to something else and run it.



I didn't understand.
How to do that?


----------



## DonInKansas (Oct 29, 2009)

Some infections can only be cured by a reinstall of Windows.  This may be one of those times.  Back up your files and reformat.


----------



## ste2425 (Oct 30, 2009)

I hate to say it but I agree with everyone else on the reformat. Every time I've had a virus infect main Windows stuff it's been game over and I've had to nuke it. You're lucky you can still access your files to back them up; I couldn't.


----------



## freebird_9924 (Oct 31, 2009)

I tried to run the Kaspersky boot CD but it's not detecting any of the hard drives in my laptop so no benefit.

It detects USB drives though..


----------



## animal007uk (Oct 31, 2009)

Files Infected:
C:\Windows\System32\kbiwkmbitgwgsj.dll (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmciqigqal.dll (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmjwciwovt.dll (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmneckpmii.dll (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmvffpoevc.dll (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmvxepstfk.dll (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\drivers\kbiwkmbjoprotq.sys (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\drivers\kbiwkmoikuyrfl.sys (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\drivers\kbiwkmotaonqts.sys (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmhwubyyih.dat (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmijdcuxsj.dat (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmijhtnyjv.dll (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmjakrmkwx.dat (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmklfwpqur.dll (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmqwmqrnxn.dat (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmrwibvbcs.dll (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmsobtsnwm.dat (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmwsxvowut.dll (Rootkit.TDSS) -> Delete on reboot. 

This basically tells you where the bad files are, so what I would now do:

Make sure system restore is turned off because this keeps copies of dodgy files and if you don't turn it off they will keep coming back.

Then manually go to c:\system32 and manually find the files in that list and delete them one by one (yes it takes time but better than a format if you can't be bothered).

After you have deleted the files in the list, restart and run the scan again until you have fully removed the files.

Another useful scanner I use is the Norton online scan; it's free and does a very good job of finding where dodgy files hide. It will also give you a list at the end with any viruses or bad files that need to be removed. Follow the list and manually delete.
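The "Files Infected:" block above is the kind of scanner output worth triaging before touching anything on the machine. The Python script below is an added example, not code from this thread or from Malwarebytes: it parses that block (the sample log embedded in the script is constructed from the header and file lines quoted in this thread), counts the components by detection name and file type, pulls out the kernel drivers under System32\drivers, and extracts the random-looking filename prefix that all the components share, which is a useful search key when checking for leftovers. The line regex and the helper names (parse_infected, name_prefix, triage, report) are my own assumptions about the log format, based only on the lines shown here.

```python
import ntpath
import re
from collections import Counter

# Constructed sample input: the Malwarebytes header quoted earlier in this thread and
# the "Files Infected:" block reposted above, copied as they appear on the page.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 6.0.6000

Files Infected:
C:\Windows\System32\kbiwkmbitgwgsj.dll (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmciqigqal.dll (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmjwciwovt.dll (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmneckpmii.dll (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmvffpoevc.dll (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmvxepstfk.dll (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\drivers\kbiwkmbjoprotq.sys (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\drivers\kbiwkmoikuyrfl.sys (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\drivers\kbiwkmotaonqts.sys (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmhwubyyih.dat (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmijdcuxsj.dat (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmijhtnyjv.dll (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmjakrmkwx.dat (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmklfwpqur.dll (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmqwmqrnxn.dat (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmrwibvbcs.dll (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmsobtsnwm.dat (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmwsxvowut.dll (Rootkit.TDSS) -> Delete on reboot.
"""

# Assumed shape of a file entry (based only on the lines shown in the thread):
#   <drive-letter path> (<detection name>) -> <scanner action>.
FILE_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\[^()]+?)\s+\((?P<detection>[^()]+)\)\s+->\s+(?P<action>.+?)\.?\s*$"
)


def parse_infected(log_text):
    """Return one record per file entry; header lines and non-file entries are skipped."""
    records = []
    for raw in log_text.splitlines():
        match = FILE_LINE.match(raw.strip())
        if not match:
            continue
        path = match.group("path")
        stem, ext = ntpath.splitext(ntpath.basename(path))
        records.append({
            "path": path,
            "detection": match.group("detection"),
            "action": match.group("action"),
            "stem": stem.lower(),
            "ext": ext.lower(),
            # A .sys under System32\drivers is a kernel-mode driver: while it is loaded,
            # the file cannot simply be deleted from inside the running OS.
            "is_driver": ext.lower() == ".sys" and "\\drivers\\" in path.lower(),
        })
    return records


def name_prefix(records):
    """Longest common prefix of the file stems; a shared random-looking prefix is a
    convenient search key for sibling files the scanner did not list."""
    stems = [r["stem"] for r in records]
    if not stems:
        return ""
    prefix = stems[0]
    for stem in stems[1:]:
        while not stem.startswith(prefix):
            prefix = prefix[:-1]
    return prefix


def triage(records):
    """Summarise what the scanner found and what is still pending removal."""
    return {
        "total": len(records),
        "by_detection": Counter(r["detection"] for r in records),
        "by_extension": Counter(r["ext"] for r in records),
        "kernel_drivers": [r["path"] for r in records if r["is_driver"]],
        # "Delete on reboot" is a deferred action, not a confirmation of removal.
        "pending": [r["path"] for r in records
                    if r["action"].lower().startswith("delete on reboot")],
        "prefix": name_prefix(records),
    }


def report(summary):
    """Plain-text summary suitable for pasting into a forum post or a ticket."""
    lines = [f"{summary['total']} infected files listed"]
    for name, count in sorted(summary["by_detection"].items()):
        lines.append(f"  detection {name}: {count}")
    for ext, count in sorted(summary["by_extension"].items()):
        lines.append(f"  {ext or '(no extension)'} files: {count}")
    lines.append(f"  still pending removal: {len(summary['pending'])}")
    lines.append(f"  shared filename prefix: {summary['prefix']!r}")
    if summary["kernel_drivers"]:
        lines.append("  kernel drivers (handle from boot media / offline scan):")
        lines.extend(f"    {path}" for path in summary["kernel_drivers"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(parse_infected(SAMPLE_LOG))))
```

Two things the summary makes visible that the raw list does not: every entry is marked "Delete on reboot", which is the scanner's deferred action rather than a confirmation that anything was removed, so the list is a to-do list until a rescan comes back clean; and three of the components are kernel drivers, which is consistent with the in-place deletion attempts described earlier in the thread ending in a blue screen, and is the reason the replies keep pointing at a boot CD or offline scan for those files.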


----------



## 95Viper (Oct 31, 2009)

Try this: http://www.superantispyware.com/onlinescan.html and this (use MS IE for this one): http://onecare.live.com/site/en-US/center/howsafe.htm?s_cid=mscom_msrt

Good luck 



animal007uk said:


> Make sure system restore is turned off because this keeps copies of dodgy files and if you don't turn it off they will keep coming back.



That is a very good point! I forget that sucker every time.


----------



## freebird_9924 (Oct 31, 2009)

animal007uk said:


> Files Infected:
> C:\Windows\System32\kbiwkmbitgwgsj.dll (Rootkit.TDSS) -> Delete on reboot.
> C:\Windows\System32\kbiwkmciqigqal.dll (Rootkit.TDSS) -> Delete on reboot.
> C:\Windows\System32\kbiwkmjwciwovt.dll (Rootkit.TDSS) -> Delete on reboot.
> ...



Thanks, and I've already tried to delete them manually but when I try to do that, it shows a blue screen and reboots itself.

Even BitDefender and Malwarebytes aren't able to delete it because it's in globalroot.


----------



## animal007uk (Oct 31, 2009)

Do you see any of the above files running as a task in Task Manager?
In the process list?

If so, what happens if you manually end the task? Blue screen?

Another thing that might be worth checking is MSCONFIG, to see if anything is loading up at the start that is associated with the rootkit.

Start/Run/type msconfig and look for any dodgy files in the Startup tab.


----------



## freebird_9924 (Oct 31, 2009)

One file in startup in msconfig which I don't know is "BDAMonitor application", manufactured by eMPIA technology, with the command hcwemmon.exe.

I don't know what it is but it doesn't seem like a virus..


----------



## oily_17 (Oct 31, 2009)

See if this will help you out any -

http://www.gmer.net/

EDIT: Some tips on running GMER

Note its name and save it to your root folder, such as C:\.

* Disconnect from the Internet and close all running programs.
* Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
* Click on this link to see a list of programs that should be disabled.
* Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
* Allow the driver to load if asked.
* You may be prompted to scan immediately if it detects rootkit activity.
* If you are prompted to scan your system click "*No*".
* Click the "*Rootkit/Malware*" tab.
* When the Quick scan is finished, click Save, then browse to save the scan results to your Desktop.
* Save the file as Results and copy/paste the contents in your next reply.
* Exit the program and re-enable all active protection when done.

*You do not need to run a scan. Immediately after the program starts, a Quick Scan is performed.*


----------



## freebird_9924 (Oct 31, 2009)

I was able to run this program in safe mode only.
Log file attached.

From this program, it's showing the root of the virus.. this virus is in explorer.exe so it's impossible to remove it without a boot scan.????


----------



## TheMailMan78 (Oct 31, 2009)

Have you tried this one yet? It's free and it's known to cure things the others can't.

http://www.microsoft.com/Security_Essentials/


----------



## freebird_9924 (Oct 31, 2009)

TheMailMan78 said:


> Have you tried this one yet? It's free and it's known to cure things the others can't.
> 
> http://www.microsoft.com/Security_Essentials/



Not available in your country or region


----------



## allen337 (Oct 31, 2009)

I have yet to see Malwarebytes not remove a virus; did you go to the update tab and update Malwarebytes before you scanned?


----------



## freebird_9924 (Oct 31, 2009)

allen337 said:


> I have yet to see Malwarebytes not remove a virus; did you go to the update tab and update Malwarebytes before you scanned?



I've recently installed it so it's not updated, but it's detecting the rootkit and not removing it. "No action can be taken"

So if I update or not, will it make any difference?


----------



## allen337 (Oct 31, 2009)

Yes it makes a difference; they update it daily and the one you download from cnet.com is out of date when you get it.


----------



## freebird_9924 (Oct 31, 2009)

allen337 said:


> Yes it makes a difference; they update it daily and the one you download from cnet.com is out of date when you get it.



What I wanted to say is it will make a difference in detecting trojans and malware; it should not make a difference in Malwarebytes' functions.

As it's detecting the trojan, it's nothing to do with the database, though I've just updated it and it hasn't made any difference in terms of deleting the trojan which wasn't being deleted earlier.


----------



## allen337 (Oct 31, 2009)

If you updated Malwarebytes and scanned your system in the last 3 minutes that we've posted, you've got another problem. It isn't scanning; it takes 5 minutes to scan usually. If you don't want to update it, live with the virus.


----------



## DonInKansas (Oct 31, 2009)

To update Malwarebytes manually, copy this file to a flash drive:

http://www.malwarebytes.org/mbam/database/mbam-rules.exe


----------



## allen337 (Oct 31, 2009)

I just updated and ran it and this is how long it took on a clean system


----------



## Boyfriend (Oct 31, 2009)

It is really astonishing to know that the Kaspersky BootCD doesn't detect the HDD of your laptop. I have used it numerous times to clean many desktops and laptops of very clever malware, which sometimes even renders Windows useless due to excessive & exhaustive resource utilization.
One more thing to try is here:
Install Kaspersky 2010. Update it and run a complete system scan. Follow the instructions given here. Upload the GSI log. Go to main GUI --> Support --> Support tools --> Create system state report. Also upload it to some server (rapidshare, megashare etc.) and give the links here by starting a new thread. Kaspersky experts will suggest method(s) to remove the malware(s) detected. The suggested script they provide can be run in main GUI --> Support --> Support tools --> Execute AVZ script.
Then go to the Security+ tab --> Microsoft Windows Settings Troubleshoot and follow the recommended actions.
It might seem a lengthy process to you, but it is one of the best methods to skip a format of your HDD. Trust me!

You can also upload the GSI log and give a link here and I might do the rest of the job for you.


----------



## freebird_9924 (Oct 31, 2009)

allen337 said:


> If you updated Malwarebytes and scanned your system in the last 3 minutes that we've posted, you've got another problem. It isn't scanning; it takes 5 minutes to scan usually. If you don't want to update it, live with the virus.



10-31-2009 06:08 PM & 10-31-2009 06:17 PM
Check the time duration.
It's around 10 minutes.
And I've updated Malwarebytes.
Screenshot:


I don't want to debate here for statistics but according to my knowledge, if it was detecting the virus then it has nothing to do with the update; the problem was it was not removing the virus. Though according to your advice, I've updated, scanned and no difference.




> Database version: 3065
> Windows 6.0.6000
> 
> 31-10-2009 18:29:58
> ...


----------



## DonInKansas (Oct 31, 2009)

With all the time you've spent on this, you could have been backed up and reinstalled a few days ago.  Sometimes the virus wins, amigo.


----------



## freebird_9924 (Oct 31, 2009)

Boyfriend said:


> It is really astonishing to know that the Kaspersky BootCD doesn't detect the HDD of your laptop. I have used it numerous times to clean many desktops and laptops of very clever malware, which sometimes even renders Windows useless due to excessive & exhaustive resource utilization.
> One more thing to try is here:
> Install Kaspersky 2010. Update it and run a complete system scan. Follow the instructions given here. Upload the GSI log. Go to main GUI --> Support --> Support tools --> Create system state report. Also upload it to some server (rapidshare, megashare etc.) and give the links here by starting a new thread. Kaspersky experts will suggest method(s) to remove the malware(s) detected. The suggested script they provide can be run in main GUI --> Support --> Support tools --> Execute AVZ script.
> Then go to the Security+ tab --> Microsoft Windows Settings Troubleshoot and follow the recommended actions.
> ...




Seems complicated.
Anyway, I'll try it.
Thanks.

Well, the Kaspersky boot CD was working and it was detecting removable drives but not my internal HDD, maybe because it is an NTFS system.

Anyway, thanks.


----------



## freebird_9924 (Oct 31, 2009)

DonInKansas said:


> With all the time you've spent on this, you could have been backed up and reinstalled a few days ago.  Sometimes the virus wins, amigo.



You're right, but I'm not spending my time continuously on this; I try to do something suggested here once daily or every few days, and if I format, I'll have to reinstall everything, all settings and data will be lost etc..

The main reason I'm not formatting is that BitDefender & Malwarebytes are blocking the virus, though not removing it, so it's not having any effect on my laptop performance as far as I know.

I hope I'll defeat the virus.

Thanks.


----------



## allen337 (Oct 31, 2009)

According to your post it will be deleted on reboot; did you select reboot from Malwarebytes and let it remove it? Run Malwarebytes again and see if it still has a virus.

When Malwarebytes gets finished it lets you select all and remove, then it asks to reboot to remove them; it's asking


----------



## oily_17 (Oct 31, 2009)

When you reboot after running MalwareBytes, you could download RootRepeal

1. Open RootRepeal on your desktop.
2. Click the Report tab.
3. Click the Scan button.
4. Check all seven boxes that appear in the pop up window.
5. Push Ok
6. Check the box for your main system drive (Usually C:\), and press Ok.
7. Allow RootRepeal to run a scan of your system.
8. Once the scan completes, push the Save Report button. Save the log to your desktop, and post it up.


----------



## freebird_9924 (Oct 31, 2009)

oily_17 said:


> When you reboot after running MalwareBytes, you could download RootRepeal
> 
> 1. Open RootRepeal on your desktop.
> 2. Click the Report tab.
> ...




I've posted logs of many programs.. They are detecting the virus..

I'm tired now of using one more program which will just detect it only.

you can check this thread for full log.
http://forums.techpowerup.com/showpost.php?p=1616334&postcount=36



allen337 said:


> According to your post it will be deleted on reboot; did you select reboot from Malwarebytes and let it remove it? Run Malwarebytes again and see if it still has a virus.
> 
> When Malwarebytes gets finished it lets you select all and remove, then it asks to reboot to remove them; it's asking



I did it twice again and it's not deleting it.


----------



## oily_17 (Oct 31, 2009)

freebird_9924 said:


> I've posted logs of many programs.. They are detecting the virus..
> 
> I'm tired now of using one more program which will just detect it only.



The reason I said to try RootRepeal is that it can show hidden drivers/services etc.

You can then use RootRepeal to 'wipe' the file and then hopefully MalwareBytes will be able to clean the rest of the system.

The reason that MalwareBytes is not working at the moment is that these rootkits are designed to stop antivirus/malware programs from running correctly.
If you would like to read more on this then take a look at this -

http://www.malwarebytes.org/forums/index.php?showtopic=12709


----------



## Boyfriend (Nov 1, 2009)

freebird_9924 said:


> Seems complicated.
> anyways, i'll try it.
> Thanks.
> 
> ...



Kaspersky BootCD works well with FAT, FAT32, and NTFS (maybe also with the Linux file systems ext3, ext4 etc., but I haven't tested). Try it again and I hope it will solve your problem. At least post the GSI log. Even if the malware (actually a rootkit) is being blocked by BitDefender, you should remove it as soon as possible, as it might have some backdoor which might expose your confidential information/data to the outside world. It is already doing its job by hooking important system files and functions. You can't block all those hooks without proper removal.
Has the rootkit infected the master boot record also??


----------



## freebird_9924 (Nov 1, 2009)

oily_17 said:


> The reason I said to try RootRepeal is that it can show hidden drivers/services etc.
> 
> You can then use RootRepeal to 'wipe' the file and then hopefully MalwareBytes will be able to clean the rest of the system.
> 
> ...




Thanks.
Tried to run RootRepeal but after I open it, it's showing the following error.

Log:



> 00:32:58: FOPS - DeviceIoControl Error!  Error Code = 0xc0000024 Extended Info (0x000000f8)
> 00:32:58: DeviceIoControl Error!  Error Code = 0x1e7
> 00:32:58: FOPS - DeviceIoControl Error!  Error Code = 0xc0000024 Extended Info (0x000000f8)


----------



## freebird_9924 (Nov 1, 2009)

Boyfriend said:


> Kaspersky BootCD works well with FAT, FAT32, and NTFS (maybe also with the Linux file systems ext3, ext4 etc., but I haven't tested). Try it again and I hope it will solve your problem. At least post the GSI log. Even if the malware (actually a rootkit) is being blocked by BitDefender, you should remove it as soon as possible, as it might have some backdoor which might expose your confidential information/data to the outside world. It is already doing its job by hooking important system files and functions. You can't block all those hooks without proper removal.
> Has the rootkit infected the master boot record also??



Thanks.

But I tried Kaspersky, BitDefender and Avast, all 3 boot CDs, but none of them were able to detect my local HDD so I wasn't able to scan.

I think the only possible way I have now is some app doing a boot scan, and Avast has it, but as I've got BitDefender installed I can't install Avast alongside it, isn't it? And if I uninstall BitDefender and install Avast/Kaspersky, I fear the rootkit will damage my data in between.

How to post the GSI log? What is it?

Thanks.


----------



## oily_17 (Nov 1, 2009)

Not sure what the problem is there !!

The only other thing I can think of is running ComboFix.

**NOTE: ComboFix is a tool used by Malware Experts to help remove infections and I don't have a lot of experience with using it**

If you like I can give you some instructions on running it.

EDIT: You can get info on downloading/running ComboFix here


----------



## Boyfriend (Nov 2, 2009)

freebird_9924 said:


> Thanks.
> But I tried Kaspersky ........
> How to post the GSI log? What is it?
> Thanks.



Follow the instructions given *here*. At least provide it. Kaspersky has a built-in AVZ script, which can be executed to remove severe infections. You don't need to register to post the GSI log. I am waiting for the log...


----------



## freebird_9924 (Nov 2, 2009)

Boyfriend said:


> Follow the instructions given *here*. At least provide it. Kaspersky has a built-in AVZ script, which can be executed to remove severe infections. You don't need to register to post the GSI log. I am waiting for the log...




```
http://www.getsysteminfo.com/read.php?file=1b90ebe9dff691da58fea5c760d2dfdd
```


----------



## temp02 (Nov 2, 2009)

Well I could tell you what to do, but that could take a long time, so I used Google and got this *very* helpful topic; read every post and comply with their instructions.

*EDIT*: basically all that you are supposed to do is run ComboFix (the post just "enlightens" you on how to do so). Oh and afterwards post the log here so we can check if it's "clean".


----------



## Boyfriend (Nov 2, 2009)

I have reviewed your GSI log. As no Kaspersky product was installed, there is no infection report. You are using BitDefender 12, Windows Defender and MBAM at the same time. Disable Defender from the control panel.
Here are ways to resolve the issue(s):
*1.* I still highly insist that you install Kaspersky (don't forget to remove BitDefender and MBAM completely). Update it and let it do its job. Download Kaspersky AV 2010 (9.0.0.736). It will recommend you to run a *special scan* to automatically remove detected malware. Just allow it and see the magic.
*2.* Give Panda AntiRootkit a try. It is automated and has proven to work against numerous rootkits that are hard to remove from a working system. It has helped to remove two rootkits from my client's computer. They are also offering free support. Just download it and disconnect from the internet --> Disable system restore to prevent reinfection from a recovery point --> Restart system --> Disable BitDefender and MBAM (temporarily, for better results, else conflicts might appear) --> run a system scan --> let it do its job and restart. Review the report. Don't forget to enable system restore and AV protection after cleanup.
*3.* Give McAfee Rootkit Detective, AVG AntiRootkit, and Sophos Anti-Rootkit a try. These are also good and provide free support for rootkit removal. Don't forget to follow the above steps (disable system restore.........).
*4.* If all fails, I will only recommend a boot from DVD/recovery media --> Format C: --> Fresh install --> Don't open any drive (whether HDD/CD/DVD/Flash etc.) until you have up-to-date AV to prevent reinfection from an unknown infection vector --> Scan both HDD and other storage media.


----------



## freebird_9924 (Nov 2, 2009)

Windows Defender is already disabled.



> 1. I still highly insist that you install Kaspersky (don't forget to remove BitDefender and MBAM completely). Update it and let it do its job. Download Kaspersky AV 2010 (9.0.0.736). It will recommend you to run a special scan to automatically remove detected malware. Just allow it and see the magic.



I would like to, but I fear that after I uninstall, if the rootkit won't allow me to install Kaspersky or another antivirus, then?



> 2. Give Panda AntiRootkit a try. It is automated and has proven to work against numerous rootkits that are hard to remove from a working system. It has helped to remove two rootkits from my client's computer. They are also offering free support. Just download it and disconnect from the internet --> Disable system restore to prevent reinfection from a recovery point --> Restart system --> Disable BitDefender and MBAM (temporarily, for better results, else conflicts might appear) --> run a system scan --> let it do its job and restart. Review the report. Don't forget to enable system restore and AV protection after cleanup.



This is the last one I'm going to try now.
Tired of fighting against this rootkit trojan now.



> 3. Give McAfee Rootkit Detective, AVG Anti-Rootkit, and Sophos Anti-Rootkit a try. These are also good and provide free support for rootkit removal. Don't forget to follow the steps above (disable System Restore, etc.).







> 4. If all fails, I will only recommend a boot from DVD/recovery media --> Format C: --> Fresh install --> Don't open any drive (whether HDD/CD/DVD/flash, etc.) until you have an up-to-date AV, to prevent reinfection from an unknown infection vector --> Scan both the HDD and the other storage media.



Now, if I'm not able to deal with it, I'll do a fresh install of Windows again.

Can you check my specs and tell me if Windows 7 is OK for me?

Right now I'm on Windows Vista Home Premium. Will Windows 7 make it slower than Vista, the same, or faster?


----------



## freebird_9924 (Nov 2, 2009)

temp02 said:


> Well, I could tell you what to do, but that could take a long time, so I used Google and got this *very* helpful topic. Read every post and comply with their instructions.
> 
> *EDIT*: basically all that you are supposed to do is run ComboFix (the post just "enlightens" you on how to do so). Oh and afterwards post the log here so we can check if it's "clean".



It has done nothing useful.

It just reported the following 3 infected files:



> c:/windows/system32/drives/kbiwkmbjoprotq.sys
> c:/windows/system32/drives/kbiwkmoikuyrfl.sys
> c:/windows/system32/drives/kbiwkmotaonqts.sys
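The three files ComboFix reported are kernel drivers with machine-generated names, which is what a rootkit's loadable component usually looks like. A first triage step a defender can do without any third-party tool is to cross-check every driver the service control manager knows about against what the file system will show and whether the image carries a valid signature. The script below is an added example for this thread, not output of ComboFix or any tool named here; it uses only built-in Windows PowerShell cmdlets (`Get-WmiObject`, `Get-AuthenticodeSignature`), and the name heuristic is a weak, invented rule of thumb that is only flagged, never acted on.

```powershell
# Added example (not from the thread): cross-check registered kernel drivers
# against the file system and their Authenticode status, and print the ones
# worth handing to a rootkit scanner. Run from an elevated PowerShell prompt.
# Caveat: on Vista/7 with PowerShell 2.0, Get-AuthenticodeSignature sees only
# embedded signatures, so catalog-signed Microsoft drivers report "NotSigned".
# Treat the output as leads, not as a verdict.

function Resolve-DriverImagePath {
    param([string]$PathName)
    if ([string]::IsNullOrEmpty($PathName)) { return $null }
    $p = $PathName.Trim('"')
    # Service image paths come in several spellings; normalise to a full path.
    $p = $p -replace '^\\\?\?\\', ''                      # \??\C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\" # \SystemRoot\system32\...
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-SuspiciousDrivers {
    $results = @()
    foreach ($drv in Get-WmiObject -Class Win32_SystemDriver) {
        $path = Resolve-DriverImagePath $drv.PathName
        $reasons = @()
        if (-not $path) {
            $reasons += 'no image path recorded'
        } elseif (-not (Test-Path -LiteralPath $path)) {
            # A driver that is registered (or running) but whose file cannot be
            # seen is the classic cross-view indicator of a file-hiding rootkit.
            $reasons += 'image file not visible on disk'
        } else {
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') { $reasons += "signature: $($sig.Status)" }
            # Weak heuristic (assumed, not documented anywhere): legitimate
            # drivers rarely have long, all-letter, random-looking base names.
            $name = [IO.Path]::GetFileNameWithoutExtension($path)
            if ($name -match '^[a-z]{12,}$') { $reasons += 'name looks machine-generated' }
        }
        if ($reasons.Count -gt 0) {
            $results += New-Object PSObject -Property @{
                Name      = $drv.Name
                State     = $drv.State
                StartMode = $drv.StartMode
                Path      = $path
                Reasons   = ($reasons -join '; ')
            }
        }
    }
    return $results
}

# Usage: list the leads, most interesting first (missing files before signature issues).
Get-SuspiciousDrivers |
    Sort-Object @{Expression = { $_.Reasons -like '*not visible*' }; Descending = $true}, Name |
    Format-Table -AutoSize Name, State, StartMode, Reasons
```

Two things to keep in mind when reading the output: a driver whose file is "not visible on disk" but is in the `Running` state is the strongest lead and matches what ComboFix found here, while a long list of `NotSigned` Microsoft drivers on an old PowerShell is expected noise. Because a kernel-mode rootkit can filter what this very script sees, a clean run is not proof of a clean machine; an offline scan from boot media, as suggested earlier in the thread, remains the reliable cross-check.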


----------



## TheMailMan78 (Nov 2, 2009)

freebird_9924 said:


> windows defender is already disabled.
> 
> 
> 
> ...



Windows 7 is the same in most areas. However, it is snappier in day-to-day usage.

Without reading all the pages, have you run "hijack" yet?


----------



## freebird_9924 (Nov 2, 2009)

TheMailMan78 said:


> Windows 7 is the same in most areas. However, it is snappier in day-to-day usage.
> 
> Without reading all the pages, have you run "hijack" yet?



Thanks. So do you recommend Windows 7 over Vista, and will it not affect speed or performance?

How do I run hijack?


----------



## TheMailMan78 (Nov 2, 2009)

freebird_9924 said:


> Thanks. So do you recommend Windows 7 over Vista, and will it not affect speed or performance?
> 
> How do I run hijack?



Honestly, there is no need for Windows 7 if you are already running Vista. I enjoy it because it's "new" and I like the latest. However, in real-world use I doubt you'll see any benefit.

Try this, man....

http://free.antivirus.com/hijackthis/


----------



## freebird_9924 (Nov 2, 2009)

TheMailMan78 said:


> Honestly, there is no need for Windows 7 if you are already running Vista. I enjoy it because it's "new" and I like the latest. However, in real-world use I doubt you'll see any benefit.
> 
> Try this, man....
> 
> http://free.antivirus.com/hijackthis/



I too like the new and latest.

And if I have to format, then why not try the latest?

That's why, but the only thing I'm concerned about is speed and performance.
Will it improve, or will it slow down further?

Attached the HijackThis log.


----------



## Boyfriend (Nov 3, 2009)

The HijackThis log tells nothing about the rootkit. It shows that you have even tried ComboFix with no success. Some missing file entries are also there in your registry.
Have you tried Panda Anti-Rootkit and the other anti-rootkits? Probably Panda Anti-Rootkit or McAfee Anti-Rootkit will solve your problem.



freebird_9924 said:


> Can you check my specs and tell me if Windows 7 is OK for me?
> 
> Right now I'm on Windows Vista Home Premium. Will Windows 7 make it slower than Vista, the same, or faster?



*1.* As you are already running Windows Vista, there should be no problem with the specs. During installation, Windows 7 will install most of the required drivers without any problem. Still, it is best to run this tool from Microsoft. Attach all the peripherals you use, run the Windows 7 Upgrade Advisor, and see if there will be any compatibility/conflict issues. It will point everything out to you clearly and, if needed, will make suggestions as well.

*2.* Windows 7 is much lighter and faster than Windows Vista SP2. It also offers numerous advantages over Vista. I am running Windows 7 x64 (check my specs). I am so pleased with and addicted to 7 that sometimes I forget that I am on XP (at a client's computer) and try to get jump lists, Flip 3D, and Aero Snap. No problem for me at all. All major vendors are already supporting Windows 7, and 64-bit software is also there. Give it a try and you will never wish to run Vista again.


----------



## freebird_9924 (Nov 4, 2009)

Boyfriend said:


> The HijackThis log tells nothing about the rootkit. It shows that you have even tried ComboFix with no success. Some missing file entries are also there in your registry.
> Have you tried Panda Anti-Rootkit and the other anti-rootkits? Probably Panda Anti-Rootkit or McAfee Anti-Rootkit will solve your problem.
> 
> 
> ...



Thanks.

I tried to run Panda Anti-Rootkit, but it shows the error "OS not supported".

Will try the other 2 anti-rootkits later and reply here.


----------



## freebird_9924 (Dec 2, 2009)

Good news, friends.

Finally I've won against this bad trojan rootkit.

I don't know how, but yesterday I ran TuneUp Utilities click maintenance and a Malwarebytes quick scan at the same time, and Malwarebytes detected some trojan files and quarantined them. There were no root files that required deletion on boot, and after I restarted my laptop and rescanned with Malwarebytes, there are no trojans now.

So I've finally beaten the bad trojan rootkit. Thanks to all here for the advice.


----------



## mdsx1950 (Dec 2, 2009)

If you're using a free antivirus, use Avira AntiVir (one of the best I've used so far).

If you're using a paid one, go for ESET NOD or Kaspersky.

You won't get a virus again ^^


----------



## Espera (Dec 3, 2009)

Glad you fixed the problem.

I remember getting two infected HDs off an XP machine to save the images and documents. Before I connected the HDs via a USB connection I had to disable AutoRun on my Vista machine, and I also set up a parental-controlled account to do the scanning, only letting AVG and Malwarebytes run. WinRAR constantly tried to run, as well as other unnamed programs, but they were blocked by the parental control. It may not have been the foolproof method of scanning, but it worked. I scanned for 3 days straight and found new trojans and backdoors each day, until on the 4th day the list was blank.
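The AutoRun step in the post above is the one that matters most when an infected disk is plugged into a clean machine: if Explorer honours `autorun.inf`, simply opening the drive can execute whatever the malware dropped there. On Vista the policy that controls this is the `NoDriveTypeAutoRun` value under the Explorer policies key, where the value 0xFF disables AutoRun for every drive type. The script below is an added example for this thread (not Espera's own procedure or any vendor tool): it reports the current policy and, if it is not already fully disabled, sets it, so the check can be made before the USB cable goes in.

```powershell
# Added example (not from the thread): check, and if needed set, the Explorer
# policy that disables AutoRun for all drive types before attaching a disk
# taken from an infected machine. Run from an elevated PowerShell prompt.
# Key and value names are the documented ones; 0xFF sets every drive-type bit,
# so autorun.inf is ignored on removable, fixed and optical drives alike.
# Explorer reads the value at logon, so sign out and back in after setting it.

function Get-AutoRunPolicy {
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $value = 'NoDriveTypeAutoRun'
    $current = $null
    if (Test-Path $key) {
        $item = Get-ItemProperty -Path $key -Name $value -ErrorAction SilentlyContinue
        if ($item -ne $null) { $current = [int]$item.$value }
    }
    New-Object PSObject -Property @{
        Key               = $key
        Value             = $value
        Current           = $current
        # All eight drive-type bits must be set for AutoRun to be off everywhere.
        AllDrivesDisabled = ($current -ne $null) -and (($current -band 0xFF) -eq 0xFF)
    }
}

function Set-AutoRunDisabled {
    $policy = Get-AutoRunPolicy
    if (-not (Test-Path $policy.Key)) { New-Item -Path $policy.Key -Force | Out-Null }
    Set-ItemProperty -Path $policy.Key -Name $policy.Value -Value 0xFF -Type DWord
    Get-AutoRunPolicy   # re-read so the caller sees what is actually stored
}

# Usage: report the state, and enforce it only when it is not already complete.
$before = Get-AutoRunPolicy
if ($before.AllDrivesDisabled) {
    'AutoRun already disabled for all drive types (value 0x{0:X2}).' -f $before.Current
} else {
    if ($before.Current -eq $null) {
        'AutoRun policy is not set; writing 0xFF.'
    } else {
        'AutoRun policy is 0x{0:X2}, not fully disabled; writing 0xFF.' -f $before.Current
    }
    $after = Set-AutoRunDisabled
    'Stored value is now 0x{0:X2}; sign out and back in for Explorer to apply it.' -f $after.Current
}
```

The policy only stops Explorer from acting on `autorun.inf`; it does not stop a user from double-clicking a file on the drive, which is why the post's second precaution, scanning from a restricted account that can run only the scanners, is a sensible companion. Mounting the disk with no drive letter assigned, or from boot media, removes even that interaction.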


----------

