redirector malware help


  • Please log in to reply

#16 Noviciate (Malware Removal)
I suggest you start backing up any important data that you have on the PC. The Gromozon rootkit that you had/have is a very nasty piece of work and it may require you to reformat your PC to be guaranteed malware-free.
It is easier to do this rather than to go through the cleaning process, but if you are unwilling or unable to reformat, let me know and we'll see what can be done.
Please be aware that there is no guarantee that the removal process will be successful and it may take some time to carry out the necessary steps for no return.
Let me know what you decide to do..

#17 steele71 (Topic Starter)
Sorry it has taken me so long to get back to this, but I looked everywhere to find my XP disk. I moved about a year ago and I can find every obsolete CD in my library but the XP disk. Let me know what I can do to get this fix started. I'm ready.

Jason

#18 Noviciate (Malware Removal)
Download catchme by GMER from here and save it to your Desktop.
Double click it to run the scan.
When it has completed a copy of the results will be saved to the Desktop as catchme.txt - copy and paste it into your next reply.

#19 steele71 (Topic Starter)
Done,

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


What is next?

#20 Noviciate (Malware Removal)
Run HJT and click on Open the Misc Tools section.
  • Click the Open ADS Spy... button.
  • Uncheck "Quick scan (Windows base folder only)"
  • Click the Scan button to the left of the Save log... button.
  • When the scan has completed, click the Save log... button.
  • When the "Save ADS Spy log..." window open, click the Save button.
  • The log will be displayed in a Notepad window and when you close it, it will be saved by default to your Desktop.
  • Copy and paste the contents of the file adsspy.txt into your next reply.
The problem is GMER blue-screening. It's possible that it just doesn't like your PC and there's nothing onboard, but I've only ever seen it do this when there was a nasty interfering.
We are now in the area of "If it can't be seen, is it there?" - not the best place to be!

#21 steele71 (Topic Starter)
I get a message that ADS are on NTFS. I am running FAT32 on c: and NTFS on d:

It did not do a scan.

Jason

#22 steele71 (Topic Starter)
Sorry it said ADS are only possible on NTFS.

Jason

#23 Noviciate (Malware Removal)
That's OK - you can't have any malicious Alternate Data Streams if your PC is FAT32.
Having called on the services of the great and good for a second opinion, it appears that there have been a few issues with GMER and it's very possible that for whatever reason, it just doesn't get on with your set-up.
I still want a rootkit scan of your system, just to make sure, so will you work through the following and see if this one produces a log:

1) Download rootkitrevealer.zip from here and save it to your Desktop.
You will need to extract the file(s) from the zipped folder.

To do this: Right-click on the zipped folder and from the menu that appears, click on Extract All...
In the Extraction Wizard window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish


You should now see the contents of the rootkitrevealer folder.

2) Log off from the internet and disconnect your modem cable.

3) Exit all applications and keep the system otherwise idle during the RootkitRevealer scanning process.

4) Double click RootkitRevealer.exe and click the Scan button to run it.
When the scan has completed, click on File > Save... and then click on the Save button.
The report will be saved as RootkitReveal.txt in the C:\Windows\System32 folder - copy and paste it into your next reply.
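
The check ADS Spy was asked to perform in #20, and the reason it refused on the FAT32 C: drive in #21 and #23, as an added example: this PowerShell script is not part of the thread and is not HijackThis or ADS Spy code. It assumes PowerShell 3.0 or later (for the -Stream parameter), so a Vista/7 or newer machine rather than the XP box in the thread; the function name, the default scan path and the planted sample file are my own choices. It first asks the volume what file system it carries and stops on anything but NTFS, since FAT and FAT32 have no stream support; on NTFS it lists every named stream of every file other than the file's ordinary :$DATA content.

```powershell
# Added example, not code from the thread or from HijackThis/ADS Spy.
# Requires PowerShell 3.0 or later; the path names below are assumptions.

function Get-SuspiciousAds {
    param(
        # Directory tree to scan (assumed default: the Windows directory)
        [string]$Path = $env:SystemRoot
    )

    # ADS Spy's first check: the volume must be NTFS. FAT/FAT32 have no stream
    # support, so on those volumes there is nothing to scan and nothing to hide.
    $drive = Split-Path -Qualifier (Resolve-Path -LiteralPath $Path).Path   # e.g. "C:"
    $vol   = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$drive'"
    if ($vol.FileSystem -ne 'NTFS') {
        Write-Warning "$drive is $($vol.FileSystem): alternate data streams are only possible on NTFS"
        return
    }

    Get-ChildItem -LiteralPath $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * enumerates every named stream of the file; ':$DATA' is the
            # file's ordinary content, anything else is an alternate data stream.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' }
        } |
        ForEach-Object {
            [pscustomobject]@{
                File   = $_.FileName
                Stream = $_.Stream
                Bytes  = $_.Length
                # Zone.Identifier is the Mark-of-the-Web that browsers write on
                # downloads: very common and benign, so flag it separately.
                Benign = ($_.Stream -eq 'Zone.Identifier')
            }
        }
}

# Constructed sample: plant a stream the way malware would, then confirm the scan
# finds it. On a FAT32 %TEMP% the Set-Content -Stream call fails, which is the point.
$sample = Join-Path $env:TEMP 'ads-demo.txt'
Set-Content -LiteralPath $sample -Value 'visible content'
Set-Content -LiteralPath $sample -Stream 'payload' -Value 'constructed hidden content'

Get-SuspiciousAds -Path $env:TEMP |
    Where-Object { $_.File -eq $sample -or -not $_.Benign } |
    Format-Table -AutoSize

Remove-Item -LiteralPath $sample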

#24 steele71 (Topic Starter)
I ran rootkitrevealer as described. It got hung-up scanning HKLM\SYSTEM\WPA\SigningHash-XT33R8KXVF2JY7 and the hard drive kept spinning.

Is this a major problem?

Jason

#25 Noviciate (Malware Removal)
It's hard to say. Sometimes programs crash for no reason, sometimes for a reason.
The nasty you had was the Gromozon rootkit which is particularly unpleasant and sometimes very unwilling to leave a system.
The trouble with rootkits is that they are designed to hide their presence, so that not being able to see them doesn't mean that they aren't there - of course, if they aren't there, you won't see them either!
Having two scanners crash might mean that you still have malware on your system or it could just be that your PC has a particular set-up that upsets scanners - I just don't know. Catchme didn't flag anything and ran OK which is good, but if it was my PC, I wouldn't be totally happy - but then I am cynical!
Given the nature of malware, you are always going to be one step behind the malware writers as it isn't until the infection has been caught that a "cure" can be produced. A rootkit is designed to be undetectable and so if it is well written who will know that it exists?
I'll ask around and see if I can come up with another plan.
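
The "if it can't be seen, is it there?" problem Noviciate describes above, as an added example that is not code from the thread, from GMER or from Sysinternals: the cross-view technique that catchme and RootkitRevealer are built on, in PowerShell. Each function asks two or three independent enumerators the same question and reports only what they disagree on; a userland rootkit that has hooked one process, or a kernel hook on one code path, rarely manages to lie consistently to all of them. It assumes PowerShell 3.0 or later and an elevated prompt so every view sees every object. The function names are mine; the registry path and the service Type bits are the ones the Service Control Manager really uses.

```powershell
# Added example, not from the thread or from any of the tools it mentions.
# Requires PowerShell 3.0 or later, run elevated. Discrepancies are leads to
# investigate by hand, not proof of a rootkit: processes that start or exit
# between the three snapshots show up here too, so re-run before worrying.

function Compare-ProcessViews {
    # View 1: tasklist.exe, an independent enumerator. /NH drops the header row,
    # so column names are supplied. tasklist itself is excluded because it has
    # exited before the other two snapshots are taken.
    $task = tasklist.exe /FO CSV /NH |
        ConvertFrom-Csv -Header Name, PID, Session, SessNum, Mem |
        Where-Object { $_.Name -ne 'tasklist.exe' } |
        ForEach-Object { [int]$_.PID }
    # View 2: the .NET process API behind Get-Process
    $api = Get-Process | ForEach-Object { [int]$_.Id }
    # View 3: the WMI/CIM Win32_Process provider
    $wmi = Get-CimInstance Win32_Process | ForEach-Object { [int]$_.ProcessId }

    $union = @($task) + @($api) + @($wmi) | Sort-Object -Unique
    foreach ($id in $union) {
        $t = $task -contains $id
        $a = $api  -contains $id
        $w = $wmi  -contains $id
        if (-not ($t -and $a -and $w)) {
            # A PID that one view reports and another does not is the signature
            # catchme's "hidden processes" count is looking for.
            [pscustomobject]@{ ProcessId = $id; Tasklist = $t; GetProcess = $a; WMI = $w }
        }
    }
}

function Compare-ServiceViews {
    # View 1: what the Service Control Manager reports
    $scm = Get-Service | ForEach-Object { $_.Name }
    # View 2: the registry keys the SCM reads at boot. Type 0x10/0x20 are Win32
    # services (0x40 is only a flag, so -band 0x30 keeps both); Type 0x1/0x2 are
    # drivers, which Get-Service does not list, so they are left out of this view.
    $reg = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $type = (Get-ItemProperty -LiteralPath $_.PSPath -Name Type -ErrorAction SilentlyContinue).Type
        if ($type -band 0x30) { $_.PSChildName }
    }
    # SideIndicator '=>' : present in the registry but not reported by the SCM
    # SideIndicator '<=' : reported by the SCM with no matching registry key
    Compare-Object -ReferenceObject @($scm) -DifferenceObject @($reg)
}

Compare-ProcessViews | Format-Table -AutoSize
Compare-ServiceViews
```

Agreement between views proves less than disagreement suggests, because on a modern Windows several of these enumerators end up asking the kernel through the same system call; that is why RootkitRevealer went one step further and read the raw volume and registry hive file itself to compare against the API view.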

#26 Noviciate (Malware Removal)
Can you disable the following programs and see if GMER will scan fully after that: Spy Sweeper, Windows Defender, AVG7.

#27 steele71 (Topic Starter)
I removed Windows Defender completely and shut down AVG7 and Spy Sweeper. It still blue screened, but it seemed to be at a different point in the scan.

Jason

#28 Noviciate (Malware Removal)
It looks like you found the bugs in both scanners - apparently both of these are known, and are presumably being worked on by their respective writers.
As long as the PC is behaving OK, you should consider it to be fine - if it isn't, let me know. Sorry it dragged out longer than it actually needed to. :whistling:

You now qualify for the somewhat belated "All Clear" speech:

I want you to run your PC as normal for a few days and when you are happy that everything is fine, do the following:

Update your anti-virus program,
Disable System Restore,
Boot into Safe Mode,
Scan your computer for viruses.
When you get the all clear, reboot into Normal Mode.
Re-enable System Restore,
Create a Restore Point.
This will give a clean Restore Point should you need it in the future.
A tutorial for System Restore is available here.

The reason for waiting is that if removing the malware has caused a problem, which it occasionally does, you can put your PC back to how it was before the fix. This will re-install the malware, but an infected PC is better than an expensive paperweight!

Some bedtime reading: This is a very good tutorial about keeping your computer safe and secure on the internet.

#29 steele71 (Topic Starter)
Thanks for all your help. I used to be deep into computers, but my job has shifted to retail. I got my MCSE certification in 1999 and I have slowly faded away from being up to speed on security knowledge. Malware wasn't even really talked about back then.

Again, thanks for the help. I will let you know if I have a problem.

Jason