Thread: Win32.Trojan.RX
04-30-2007, 09:31 PM   #11
Sempurna
Analyst, Security Team
 
Join Date: Sep 2006
Posts: 1,302
OS: Windows XP SP2


Re: Win32.Trojan.RX

Hi ThePaper88,

I’m sorry for my late reply. I had lost my Internet access for the last 5 days!

I’d like to check if the pe386 rootkit is still present in your system or not. Please download GMER and save it to your desktop:
  • Unzip (extract) it to your desktop.
  • Disconnect from Internet and close all running programs.
  • There is a small chance this application may crash your computer so save any work you have open.
  • Double-click gmer.exe to run it.
  • Let the gmer.sys driver load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan... click NO.
  • Click the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Then click the Scan button. Wait for the scan to finish.
  • Once done, click the Copy button.
  • This will copy the results to the clipboard. Open Notepad and press CTRL + V to paste the log, and save it to your desktop. Paste the results in your next reply.

If you're having problems with running gmer.exe, try it in Safe Mode.
This tool works in Safe Mode… other rootkit revealers don't.


NEXT:

Try uninstalling IE, then reinstall it and see if that solves the IE problem.

To uninstall and reinstall Internet Explorer:
  • Go to Start -> All Programs -> Control Panel -> Add/Remove Programs.
  • Select Add/Remove Windows Components from the left pane, uncheck Internet Explorer to uninstall it, then click the Next button and follow the prompts to exit.
  • Please reboot your computer.
  • Then do the above steps again, but this time check Internet Explorer to reinstall it, click the Next button and follow the prompts to exit.
  • Reboot your computer one more time to allow the changes to take effect.


NEXT:

To set default security settings for Internet Explorer:
  • Open Internet Explorer.
  • Go to the Tools menu, then choose Internet Options.
  • Click on the Security tab.
  • Make sure that all four items (Internet, Local intranet, Trusted sites, and Restricted sites) are set to their default settings.


NEXT:

Please go to: VirusTotal
  • At the top of the page you'll find a "Browse" button. Click the "Browse" button and browse to the following file:

    C:\WINDOWS\nircmd.exe

  • Click "Open".
  • Then click the "Send" button at the top of the VirusTotal page.
  • This will scan the file. Please be patient.
  • Once scanned, copy and paste the results in your next reply.


NEXT:

Please REBOOT your computer normally into Windows and post these logs in your next reply:
  1. The log from the GMER scan.
  2. The report from VirusTotal.
  3. A new ComboFix log.
  4. A new HijackThis log.

(You might have to paste the logs in multiple posts in the event they are too long and breach the post length restrictions of the forum software).

Also, please let me know how things are running now and if you encountered any problems while you were following the directions I posted.
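The VirusTotal step above asks for the file itself to be uploaded. As an added example (not part of Sempurna's post or of any tool it names), the PowerShell function below records the details a helper would want kept alongside the VirusTotal report: the file's size and timestamps, its MD5/SHA-1/SHA-256 hashes (VirusTotal can be searched by hash, so a report may already exist without uploading), its Authenticode signature status, and the company/product strings from its version resource. It assumes Windows PowerShell 4.0 or later for Get-FileHash; the XP SP2 machine in the thread did not ship PowerShell, so this is meant for the helper's or a modern analysis machine. The function name and the warning text are this example's own.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 4.0+
# (Get-FileHash, Get-AuthenticodeSignature are built-in cmdlets).
function Get-SuspectFileInfo {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    # A kernel-mode rootkit such as pe386 can hide files from the normal
    # file-system view, so a "not found" here is itself worth noting and
    # should be compared against what the GMER log shows.
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        Write-Warning "File not found: $Path (compare with the GMER log; a rootkit may be hiding it)"
        return $null
    }

    $item = Get-Item -LiteralPath $Path -Force
    $sig  = Get-AuthenticodeSignature -FilePath $Path

    [pscustomobject]@{
        Path            = $item.FullName
        SizeBytes       = $item.Length
        Created         = $item.CreationTime
        LastWritten     = $item.LastWriteTime
        # Hashes let you look the file up on VirusTotal instead of uploading it,
        # and let a later reader confirm the report refers to the same file.
        MD5             = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
        SHA1            = (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash
        SHA256          = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        # Valid / NotSigned / HashMismatch etc.; an unsigned or tampered binary
        # in C:\WINDOWS is a reason to scan it rather than trust it.
        SignatureStatus = $sig.Status
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        # Version-resource strings; absent or mismatched strings are a further hint.
        Company         = $item.VersionInfo.CompanyName
        Product         = $item.VersionInfo.ProductName
        FileDescription = $item.VersionInfo.FileDescription
    }
}

# Usage: the file the post asks to be scanned.
Get-SuspectFileInfo -Path 'C:\WINDOWS\nircmd.exe' | Format-List
```

Paste the Format-List output into the reply next to the VirusTotal result; the SHA-256 in particular ties the scan report to the exact copy of the file that was on the machine, which matters if the file is later replaced or cleaned.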