Hi,

2 weeks ago did a fresh (clean) Vista reinstall after old harddrive died.

Notice Avast Quick-scan flagged 339 file as High Severity Rootkit Threat
http://i.imgur.com/Pjr0fZD.jpg They apparently are in my preboot folder and are marked by avast for Delete action. After “APPLY” - the screen indicated ‘Action postponed until the next reboot’. But they weren’t deleted and I suspect is due to ‘Error: Access is denied’ http://i.imgur.com/nd1D8Aw.jpg

Subsequent Boot-time scan and Full-scan did not flagged out any viruses. However a Quick-scan again flagged out the same 339 files with same threat message. Same they cannot be deleted. History of scans here - http://i.imgur.com/tmoOsEg.jpg

Not sure whether are these really high threat malware viruses or some avast false detection.
So any help I can get here will be greatly appreciated.
Thank you folks.

Attach your logs. (MBAM, OTL and aswMBR…!!)
Instructions: http://forum.avast.com/index.php?topic=53253.0

Hello InTrouble,

If you need help, instead of the standard procedure we usual use, let’s run system diagnostics with these two powerful tools. That will allow me to quickly ascertain where malware may be running on your machine and how to address it …

=> Please download Farbar Recovery Scan Tool (
http://www.mcshield.net/personal/magna86/Images/FRST_canned.png
) by Farbar and save it to your desktop.

Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

[*]Double-click to run it. When the tool opens click Yes to disclaimer.
[*]Press Scan button.
[]It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
[]The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

=> Please download GMER, the RootKit Detector tool from the link below and save it to your Desktop:

Gmer download link
Note: file will be random named

Double-clicking to run GMER.

[*]Wait for initial scan to finish - if there is any query, click No;
[*]Click [ Scan ] button and wait until the full scan is complete;
[*]Click [ Save … ]- save the report to the Desktop (named ARK );

Attach here Gmer logfile. (ARK.txt)

Hello magna86,
Thank you for your help.
Attached are the reports.

Hello,

Good, now I can use their logs to map my strategy.

The primary diagnostic tool FRST does not show the presence of malware nor any sign of RootKit activities. But none the less, GMER does show a few suspicious behavior as well as unknown MBR. This does not necessarily mean the bad RootKit but this requires some comprehensive ARK (aka. antirootkit) attack.

We shall initially deploy FixList to tell the FRST tool to preform some pre-cleaning. Then we shall strike with preconfigured TDSSKiller and configured MBAR. Both tools are ARK based. Let’s start …

— — — — — —

=> Creating FixList script for FRST

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

Start
File: C:\Windows\system32\winrm.vbs
File: C:\Windows\system32\AUDIODG.EXE
VerifySignature: C:\Windows\system32\AUDIODG.EXE
C:\Users\W500-User\AppData\Local\Temp\*.dll
C:\Users\W500-User\AppData\Local\*.tmp
C:\Users\W500-User\AppData\Local\Temp\*.exe
CMD: RD /S /Q %TEMP% 
End

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.

— — — — — —

=> Configuring and running TDSSKiller

Please download TDSSKiller and save it to your desktop

Execute TDSSKiller.exe by doubleclicking on it and then click on Change parameters.

[*] Put a checkmark beside loaded modules.
[*] A reboot will be needed to apply the changes. Do it!
TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.

[*] Then, again click on Change parameters in TDSSKiller.
[*] Check all boxes then click OK.

[*] Click the Start Scan button.

• If a suspicious object is detected, the default action will be Skip, click on Continue.
• If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.

[*] Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
A report will be created in your root directory, (usually C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”.

[*] Please attache the contents of that file here.

— — — — — —

=> Configuring and running MBAR and preforming the fixdamage.exe fixes

Please download Malwarebytes AntiRootkit (MBAR) and save it to your desktop.
[i]For full instructions how MBAR works, read this article

> Doubleclick on the MBAR file (
http://www.mcshield.net/personal/magna86/Images/mbar.png
) and allow it to run.
• Click OK on the next screen, to allow the package to extract the contents of the file to its own folder named mbar.
• mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.
• After reading the Introduction, click Next if you agree.

• On the Update Database screen, click on the Update button. Once you see ‘Success: Database was successfully updated’ click on Next
• Under Scan Targets ensure all boxes are ticked. Then click the Scan button.

Notice: with some infections, you may see two messages boxes:

• ‘Could not load protection driver’. Click ‘OK’.
• ‘Could not load DDA driver’. Click ‘Yes’ to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

>> If malware is not detected, click the Exit button to close the program and post the mbar-log-year-month-day.txt and system-log.txt reports.

>> If an infection/s are found ensure Create Restore Point are ticked. Then select the "Cleanup! button to remove threats.
• The clean up procedure will be scheduled for process, pop-up will be shown.
Select the Yes button and the system should re-boot to complete the cleaning process.

>> Notice: only if an RootKit are detected, ensure to run fixdamage.exe tool located in mbar folder, \Plugins\fixdamage.exe

• Run fixdamage.exe, at the black window to continue type Y (alias for Yes). Wait few seconds for execution …
• When you see “press any key to exit” fix is completed, press any key to close the window. Reboot the system.

> The following reports will be created in mbar folder:

1. mbar-log-year-month-day (hour-minute-second).txt
2. system-log.txt

Please post both logs in your next reply.

Hello magna86,
The tdsskiller.exe did not reboot properly. It just ‘hang’ with the native cmd dialogue box for ages. Re-run a few times and also with re-download of program - same outcome.
Notice the tdsskiller reboot msgbox indicated that it requires extended monitoring driver http://i.imgur.com/dlCDvqv.jpg
Any clue why it did not run?
Tks

Hi,

Could you retry running TDSSKiller without choosing the ‘loaded modules’ options? So reboot the computer and then run again TDSSKiller and just check the boxes for:

- Verify Driver Digital Signature;
- Detect TDLFS file system
- Use KSN to scan objects

…and then preform the Scan. Se if that will work? If not, just skip TDSSKiller step and continue to MBAR.

Hi magna86,
Run tdsskiller as your advice.
Both nothing detected. Attached 2 logs.
Running MBAR now.
Thanks for your help.

Attached MBAR logs. Warning of 2 items - and I need them for a package so unticked them and no cleanup done.
Still not clear for me is how to relate this to the 339 files that avast flagged out in its quick scan.
Await further advice from you and thanks for your help.

Yes, detected item was an loaded KMService actually … I saw that in the main logs before. It’s not our primary concern now.
Where is FixLog.txt preformed by FRST. The copy of the log you shall find in C:\FRST\Logs\Fixlog_.txt

The logs doesn’t show any sign of any malware/rootkit. Like I said the FRST doesn’t show the malware. GMER did show the few anomaly but the two additional ARK tool came as clean.

Does avast! still detects the drivers (file_name.sys)? Are the name of malware files the same or random?

Let’s see what avast! can tell us. It is time to you preform the boot-time scan with avast!.
Info: http://www.winhelp.us/avast-free-antivirus-boot-time-scan.html

With numbers on your keyboard you can tell avast! what to do with detected items.

avast! will create the logreport and you will find it here:
C:\ProgramData\AVAST Software\Avast\report[b]aswBoot.txt[/b]

Post that log here. Make shure you save that notepad file as Encoding: ANSI, se the image below:

Hi magna86,
Attached Boot-time Scan log.
Nothing found. The smaller no. of files/GB scanned (from 3days ago) is due to my deletion of Windows.old folder.
Did a Full Scan with settings attached, and it came up with the same 339 files as reported in the first instance. Unable to move items to chest.

From previous scan experience, if the rootkill is configured as quickscan (instead of fullscan) then nothing will be reported.

Look like we went full circle, but I am not sure whether these 339 files are false alarm or real nasty malware.

Appreciate your help and time. What do you think? Or should we do more diagnostics tests?

Thanks.

Hello InTrouble,

Just now I’ve been notice that these driver files is in C:\preboot location. My bad …this isn’t malware. This is FP.
They are reporting by avast! as RootKit as they are invisible to the Windows API! This should be the FP as they should be Factory Recovery related. I would suggest you to contact the avast! support using this form:

http://www.avast.com/contacts

Click on ‘Report a Virus’ form below. As Subject select ‘report false virus in file’.

• The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes below;
[i]
http://www.mcshield.net/personal/magna86/Images/checkmark.png
Remove disinfection tools

http://www.mcshield.net/personal/magna86/Images/checkmark.png
Create registry backup

http://www.mcshield.net/personal/magna86/Images/checkmark.png
Purge System Restore [/i]
Click Run button and wait a few seconds for the programme completes his work.
At this point all the tools we used here should be gone. Tool will create an report for you (C:[b]DelFix.txt[/b])

The tool will also record healthy state of registry and make a backup using ERUNT program in %windir%\ERUNT\DelFix
Tool deletes old system restore points and create a fresh system restore point after cleaning.

Hi magna86,
Done tools cleanup and reported fp to avast!.
Once again thanks for your time and effort - appreciate it.
I am in Australia Gold Coast, where are you located? Will buy you a beer next time if I happened to be there

By the way, the main reason why this malware cropped up is my pc was feeling cranky after 2 weeks of fresh install with the chrome browser slowing down with status ‘resolving host’ and redirection by pesty traffic.outbrain.com and some others. At times the browser will abort the target url and need a few reload attempts to be successful. It is still happening but to a lesser extent apparently (not sure why as nothing actually nothing except those tools which effectively detected nothing). Any idea how to solve this?

Thanks for the offer, I like beer, but you’re too far away from my country. I am located on Europe > Balkan > Serbia.

By the way, the main reason why this malware cropped up is my pc was feeling cranky after 2 weeks of fresh install with the chrome browser slowing down with status 'resolving host' and redirection by pesty traffic.outbrain.com and some others. At times the browser will abort the target url and need a few reload attempts to be successful. It is still happening but to a lesser extent apparently (not sure why as nothing actually nothing except those tools which effectively detected nothing). Any idea how to solve this?

You may try to reset your system hosts file back to there defaults using FixIt from M$.
http://support.microsoft.com/kb/972034

Also you may wanna try to reset your browser settings back to defaults:
http://support.microsoft.com/kb/923737
https://support.google.com/chrome/answer/3296214?hl=en
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.com%2F

If the problem persists then it’s not up to you. Then the issue is occur on visited website or to your internet connection or IS’s provider.

Hi magna86 - your are bloody good in your work, mate. You solved my ‘resolving host’ problem. Took a look at the host file and realised that in the midst of making earlier modification, I omitted an input command specific to Vista version. My browser is rendering sweetly now. How about another beer!!!??

The more the better, I’m all for it. ;D