How to solve error message “Rootkit activity”

[Mandarmalika]

Hello everyone, I think I have made my computer very bad, I am suffering from very bid issue. I ran Combofix and it popped up with error saying that “combofix has detected rootkit and need to restart the system”. When I restarted the system and after many stages of scan it replied me with below logs:

Code:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 06:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser]
2007-12-22 23:03 916240 ----a-w- c:\program files\Eraser\Eraser.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-04-30 02:37 136176 ----atw- c:\documents and settings\Jim\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
2005-05-03 03:38 64512 ----a-r- c:\windows\system32\P17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2010-12-09 10:45 74752 ----a-w- c:\program files\Winamp\winampa.exe

So can anyone tell me what does it means? And how to solve this error. Thanks a lot in advance!

[Ekpah]

Well in this case I have one solution for you which can be helpful for you to solve this error. When you run your Computer, just download ASWMBR (511KB) software and follow the below given instruction:

• Install that software by double clicking on it
• You can see scan button, click on scan and start the scan
• After completing the scan it will give you log
• When you get the log again reply me with those logs, then I will come to know that what is the main problem.

[Mandarmalika]

Hey thanks for the reply, I did exactly which you told me to do, see below logs:
aswMBR version 0.9.5.256 Copyright(c) 2011 AVG Software
Run date: 2011-05-12 10:23:52
-----------------------------
10:23:52.637 OS Version: Windows 5.1.2600 Service Pack 3
10:23:52.637 Number of processors: 1 586 0x806
10:23:52.637 ComputerName: JIMPUTER UserName: Jim
10:23:53.659 Initialize success
10:23:57.793 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
10:23:57.793 Disk 0 Vendor: WDC_WD400BB-75JHC0 06.01C06 Size: 38146MB BusType: 3
10:23:57.793 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-c
10:23:57.793 Disk 1 Vendor: WDC_WD400EB-00JEF0 13.03G13 Size: 38166MB BusType: 3
10:23:58.826 Disk 0 MBR read successfully
10:23:58.826 Disk 0 MBR scan
10:23:58.826 Disk 0 unknown MBR code
10:23:59.829 Disk 0 scanning sectors +78108030
10:23:59.869 Disk 0 scanning C:\WINDOWS\system32\drivers
10:23:59.128 Service scanning
10:23:59.290 Disk 0 trace - called modules:
10:23:59.300 ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys intelide.sys PCIIDEX.SYS
10:23:59.300 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8238cab8]
10:23:59.300 3 CLASSPNP.SYS[f8576fd7] -> nt!IofCallDriver -> \Device\00000055[0x823922a0]
10:23:59.650 5 ACPI.sys[f84ed620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x82398d98]
10:23:59.650 Scan finished successfully
10:24:00.023 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Jim\My Documents\MBR.dat"
10:24:00.073 The log file has been saved successfully to "C:\Documents and Settings\Jim\My Documents\aswMBR.txt"

[Ekpah]

Hey I have gone through to your log and I have some solution for you. I gave that software to know about the MBR records, and one good news that your system didn’t found any MBR Code. So that you will be easily able toreinstall in the futiure if we rewite the master boot record. I think your system is using hidden recovery partition, which is probably a rootkit, unless you have other boot manager installed, it will be risky to recover it. What you can do is you can just repair the Windows from Disk. It will solve your error. All the Best!

[Aleksandra]

Hey friends, I have an alternative solution, for that reason you will need to follow the below instruction:

• Download TDSSKiller.exe & save it on your computer
  
• Extract its contents wherever you want
• Double-click the TDSSKiller Folder on your desktop
• Double-click on “TDSSKiller.exe” to run the tool for known TDSS variants.
• If you have Windows 7 then right-click and select Run As Administrator
• Click Start scan
• A box will appear saying System scan completed
• If any Malicious objects are found, click the default action Cure > Continue > Reboot now

Using this way you will be able to solve your problem.