system
March 25, 2011, 10:02am
1
Hi,
I have a rootkit which avast! won't delete. It's not being detected in the boot-time scan. An error comes up when I try to delete it. I read some other similar posts about this and downloaded ComboFix, but whenever I try to run it the computer shuts down. Need advice on what to do please. The virus is preventing Internet Explorer from working too.
Thanks
Pondus
March 25, 2011, 10:28am
2
Download and run aswMBR.exe http://public.avast.com/~gmerek/aswMBR.htm
Double click the aswMBR.exe to run it
Click the “Scan” button to start scan
On completion of the scan click "Save log", save it to your desktop and post it in your next reply
system
March 25, 2011, 10:44am
3
This is what came up. Thanks.
aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-03-25 11:42:30
11:42:30.662 OS Version: Windows 6.0.6000
11:42:30.662 Number of processors: 2 586 0xE0C
11:42:30.662 ComputerName: SABRIA-PC UserName: Sabria
11:42:34.515 Initialize success
11:42:37.073 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\iaStor0
11:42:37.073 Disk 0 Vendor: Hitachi_ SB4O Size: 152627MB BusType: 3
11:42:37.073 Device \Device\Ide\IAAStorageDevice-0 → ??\IDE#DiskHitachi_HTS541616J9SA00_________________SB4OC7KP#4&1e09ccbe&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
11:42:37.089 Disk 0 MBR read successfully
11:42:37.089 Disk 0 MBR scan
11:42:37.105 Disk 0 TDL4@MBR code has been found
11:42:37.105 Disk 0 MBR hidden
11:42:37.105 Disk 0 MBR [TDL4] ROOTKIT
11:42:37.120 Disk 0 trace - called modules:
11:42:37.120 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86796439]<<
11:42:37.120 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x85a26ad8]
11:42:37.136 3 ntkrnlpa.exe[824b07e2] → nt!IofCallDriver → [0x84fff6d8]
11:42:37.136 \Driver\iaStor[0x862f1b50] → IRP_MJ_CREATE → 0x86796439
11:42:37.151 Scan finished successfully
Pondus
March 25, 2011, 10:47am
4
11:42:37.105 Disk 0 TDL4@MBR code has been found
11:42:37.105 Disk 0 MBR [TDL4] **ROOTKIT**
Scan again, when done click "FIX" post new log
system
March 25, 2011, 10:54am
5
aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-03-25 11:52:47
11:52:47.117 OS Version: Windows 6.0.6000
11:52:47.117 Number of processors: 2 586 0xE0C
11:52:47.117 ComputerName: SABRIA-PC UserName: Sabria
11:52:48.536 Initialize success
11:52:50.611 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\iaStor0
11:52:50.627 Disk 0 Vendor: Hitachi_ SB4O Size: 152627MB BusType: 3
11:52:50.627 Device \Device\Ide\IAAStorageDevice-0 → ??\IDE#DiskHitachi_HTS541616J9SA00_________________SB4OC7KP#4&1e09ccbe&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
11:52:50.642 Disk 0 MBR read successfully
11:52:50.642 Disk 0 MBR scan
11:52:50.642 Disk 0 TDL4@MBR code has been found
11:52:50.658 Disk 0 MBR hidden
11:52:50.658 Disk 0 MBR [TDL4] ROOTKIT
11:52:50.674 Disk 0 trace - called modules:
11:52:50.674 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86796439]<<
11:52:50.689 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x85a26ad8]
11:52:50.689 3 ntkrnlpa.exe[824b07e2] → nt!IofCallDriver → [0x84fff6d8]
11:52:50.705 \Driver\iaStor[0x862f1b50] → IRP_MJ_CREATE → 0x86796439
11:52:50.705 Scan finished successfully
11:52:52.780 Disk 0 fixing MBR
11:53:02.810 Disk 0 MBR restored successfully
11:53:02.810 Infection fixed successfully - please reboot ASAP
should i reboot?
Pondus
March 25, 2011, 11:10am
6
did you click “FIX MBR” or “FIX” ?
11:53:02.810 Infection fixed successfully - please reboot ASAP
yes reboot
scan again and post new log
system
March 25, 2011, 11:14am
7
I clicked on fix. It’s rebooting now.
system
March 25, 2011, 11:23am
8
Can only open in safe mode. Windows keeps shutting down. I ran the scan; "Fix" isn't an option, only "FixMBR". Should I click it?
Pondus
March 25, 2011, 11:24am
9
no just scan and save log and post it
system
March 25, 2011, 11:32am
10
While you might not like this answer, I feel it needs to be posted anyway: Infection by rootkit → game over. Go and reinstall from scratch.
Help: I Got Hacked. Now What Do I Do?
The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications). Alternatively, you could of course work on your resume instead, but I don’t want to see you doing that.
The guys here do a great job when helping with infections, but in the case of rootkits, this simply is not enough.
Pondus
March 25, 2011, 11:35am
11
but in the case of rootkits, this simply is not enough.
I am not sure Essexboy agrees......
The plan is to end this with an OTS log and have him look at it anyway
system
March 25, 2011, 11:38am
12
aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-03-25 12:20:13
12:20:13.194 OS Version: Windows 6.0.6000
12:20:13.194 Number of processors: 2 586 0xE0C
12:20:13.194 ComputerName: SABRIA-PC UserName: Sabria
12:20:14.005 Initialize success
12:20:16.298 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-0
12:20:16.298 Disk 0 Vendor: Hitachi_ SB4O Size: 152627MB BusType: 3
12:20:16.314 Disk 0 MBR read successfully
12:20:16.329 Disk 0 MBR scan
12:20:16.329 Disk 0 scanning sectors +312578048
12:20:16.361 Disk 0 scanning C:\Windows\system32\drivers
12:20:21.275 Service scanning
12:20:23.537 Disk 0 trace - called modules:
12:20:23.583 ntkrnlpa.exe CLASSPNP.SYS disk.sys hal.dll iaStor.sys
12:20:23.583 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x8598e030]
12:20:23.599 3 ntkrnlpa.exe[824b07e2] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-0[0x84fd5030]
12:20:23.599 Scan finished successfully
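The three aswMBR logs above (the first detection, the scan that applied FIX, and the clean post-reboot scan) differ in a handful of lines that decide the next step. The following triage helper, an added example that is not from the thread or from AVAST, extracts those lines from an aswMBR log and returns a verdict; the sample logs are constructed excerpts of the ones posted here, and the regular expressions are assumptions about aswMBR's wording based only on these logs.

```python
import re

# Constructed excerpts of the aswMBR logs posted in this thread.
INFECTED_LOG = """\
11:42:37.089 Disk 0 MBR read successfully
11:42:37.105 Disk 0 TDL4@MBR code has been found
11:42:37.105 Disk 0 MBR hidden
11:42:37.105 Disk 0 MBR [TDL4] ROOTKIT
11:42:37.120 Disk 0 trace - called modules:
11:42:37.120 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86796439]<<
11:42:37.151 Scan finished successfully
"""
FIXED_LOG = INFECTED_LOG + """\
11:52:52.780 Disk 0 fixing MBR
11:53:02.810 Disk 0 MBR restored successfully
11:53:02.810 Infection fixed successfully - please reboot ASAP
"""
CLEAN_LOG = """\
12:20:16.314 Disk 0 MBR read successfully
12:20:23.537 Disk 0 trace - called modules:
12:20:23.583 ntkrnlpa.exe CLASSPNP.SYS disk.sys hal.dll iaStor.sys
12:20:23.599 Scan finished successfully
"""

TS = r"^\d{2}:\d{2}:\d{2}\.\d{3}\s+"          # aswMBR timestamp prefix
RE_CODE = re.compile(TS + r"Disk (\d+) (\w+)@MBR code has been found")
RE_ROOTKIT = re.compile(TS + r"Disk (\d+) MBR \[(\w+)\] ROOTKIT")
RE_HIDDEN = re.compile(TS + r"Disk (\d+) MBR hidden")
RE_UNKNOWN = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")  # hooked call chain
RE_FIXED = re.compile(TS + r"Infection fixed successfully")
RE_DONE = re.compile(TS + r"Scan finished successfully")


def triage(log_text):
    """Summarise an aswMBR log: flagged disks/families, hidden MBR, unknown
    modules in the disk call chain, whether FIX ran, and an overall verdict."""
    r = {"families": set(), "disks": set(), "hidden": False,
         "unknown_hooks": [], "fixed": False, "finished": False}
    for line in log_text.splitlines():
        for rx in (RE_CODE, RE_ROOTKIT):
            m = rx.match(line)
            if m:
                r["disks"].add(int(m.group(1)))
                r["families"].add(m.group(2))
        m = RE_UNKNOWN.search(line)
        if m and m.group(1) not in r["unknown_hooks"]:
            r["unknown_hooks"].append(m.group(1))
        r["hidden"] |= bool(RE_HIDDEN.match(line))
        r["fixed"] |= bool(RE_FIXED.match(line))
        r["finished"] |= bool(RE_DONE.match(line))
    r["families"], r["disks"] = sorted(r["families"]), sorted(r["disks"])
    infected = bool(r["families"] or r["hidden"] or r["unknown_hooks"])
    if r["fixed"]:
        r["verdict"] = "fixed_reboot_and_rescan"   # as post 6 advises
    elif infected:
        r["verdict"] = "infected"
    else:
        r["verdict"] = "clean" if r["finished"] else "incomplete"
    return r
```

An unknown module in the call chain is reported separately from the family name, since that hook is what makes the MBR "hidden" from a normal read and is worth rechecking even when no signature name is printed.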
Pondus
March 25, 2011, 11:41am
13
well that looks clean
Download Malwarebytes and run a quick scan
Malwarebytes Anti-Malware 1.50.1 http://filehippo.com/download_malwarebytes_anti_malware/
Always update so you have the latest database before you scan
Click the "Remove Selected" button to quarantine anything found
Post the scan log
system
March 25, 2011, 11:51am
14
MBAM is not particularly good when it comes to rootkits. If anything, I'd suggest Hitman Pro (activate the 30-day trial license if it finds the rootkit). Also, this article covers multiple anti-rootkit tools: http://www.techrepublic.com/blog/networking/rootkits-is-removing-them-even-possible/736
Anyway, as I already said, I do not believe in disinfecting systems compromised by a rootkit.
system
March 25, 2011, 11:55am
15
Malwarebytes’ Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6165
Windows 6.0.6000 (Safe Mode)
Internet Explorer 7.0.6000.17037
25/03/2011 12:52:17
mbam-log-2011-03-25 (12-52-04).txt
Scan type: Quick scan
Objects scanned: 153511
Time elapsed: 5 minute(s), 1 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 65
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 12
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID{147A976F-EEE1-4377-8EA7-4716E4CDD239} (Adware.MyWebSearch) → No action taken.
HKEY_CLASSES_ROOT\CLSID{258C9770-1713-4021-8D7E-1F184A2BD754} (Adware.ShoppingReport2) → No action taken.
HKEY_CLASSES_ROOT\TypeLib{F244A744-534D-4A46-855F-C0C7E9F27DAA} (Adware.ShoppingReport2) → No action taken.
HKEY_CLASSES_ROOT\Interface{030C9927-10FC-4169-97A2-55BECD5D88D8} (Adware.ShoppingReport2) → No action taken.
HKEY_CLASSES_ROOT\ShoppingReport2.RprtCtrl.1 (Adware.ShoppingReport2) → No action taken.
HKEY_CLASSES_ROOT\ShoppingReport2.RprtCtrl (Adware.ShoppingReport2) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects{258C9770-1713-4021-8D7E-1F184A2BD754} (Adware.ShoppingReport2) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings{258C9770-1713-4021-8D7E-1F184A2BD754} (Adware.ShoppingReport2) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{258C9770-1713-4021-8D7E-1F184A2BD754} (Adware.ShoppingReport2) → No action taken.
HKEY_CLASSES_ROOT\CLSID{3E2DFD6A-4E20-4D4C-AA8B-E1F9DBEF3C80} (Adware.ShoppingReport2) → No action taken.
HKEY_CLASSES_ROOT\ShoppingReport2.IEButton.1 (Adware.ShoppingReport2) → No action taken.
HKEY_CLASSES_ROOT\ShoppingReport2.IEButton (Adware.ShoppingReport2) → No action taken.
HKEY_CLASSES_ROOT\CLSID{714E0876-FCEE-49CE-A429-B9AD8AEFCB56} (Adware.ShoppingReport2) → No action taken.
HKEY_CLASSES_ROOT\ShoppingReport2.IEButtonA.1 (Adware.ShoppingReport2) → No action taken.
HKEY_CLASSES_ROOT\ShoppingReport2.IEButtonA (Adware.ShoppingReport2) → No action taken.
HKEY_CLASSES_ROOT\CLSID{A4730EBE-43A6-443e-9776-36915D323AD3} (Adware.MyWebSearch) → No action taken.
HKEY_CLASSES_ROOT\CLSID{BDEA95CF-F0E6-41E0-BD3D-B00F39A4E939} (Adware.ShoppingReport2) → No action taken.
HKEY_CLASSES_ROOT\ShoppingReport2.HbInfoBand.1 (Adware.ShoppingReport2) → No action taken.
HKEY_CLASSES_ROOT\ShoppingReport2.HbInfoBand (Adware.ShoppingReport2) → No action taken.
HKEY_CLASSES_ROOT\CLSID{DD15BCC0-5FE9-4690-A957-99FA60ED9D26} (Adware.ShoppingReport2) → No action taken.
HKEY_CLASSES_ROOT\ShoppingReport2.HbAx.1 (Adware.ShoppingReport2) → No action taken.
HKEY_CLASSES_ROOT\ShoppingReport2.HbAx (Adware.ShoppingReport2) → No action taken.
HKEY_CLASSES_ROOT\Typelib{B035BA6B-57CD-4F72-B545-65BE465FCAF6} (Adware.ShoppingReport2) → No action taken.
HKEY_CLASSES_ROOT\Typelib{D44FD6F0-9746-484E-B5C4-C66688393872} (Adware.ShoppingReport2) → No action taken.
HKEY_CLASSES_ROOT\Interface{0EB3F101-224A-4B2B-9E5B-DF720857529C} (Adware.ShoppingReport2) → No action taken.
HKEY_CLASSES_ROOT\Typelib{D518921A-4A03-425E-9873-B9A71756821E} (Adware.MyWebSearch) → No action taken.
HKEY_CLASSES_ROOT\Interface{CF54BE1C-9359-4395-8533-1657CF209CFE} (Adware.MyWebSearch) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings{00A6FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{00A6FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings{46897C77-E7A6-4C33-BFFB-E9C2E2718942} (Adware.Mp3Tube) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{46897C77-E7A6-4C33-BFFB-E9C2E2718942} (Adware.Mp3Tube) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings{DB38E21A-0133-419D-92AD-ECDFD5244D6D} (Adware.ShoppingReport2) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{DB38E21A-0133-419D-92AD-ECDFD5244D6D} (Adware.ShoppingReport2) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions{DB38E21A-0133-419D-92AD-ECDFD5244D6D} (Adware.ShoppingReport2) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings{EB620C54-E229-4942-87CE-E717109FC8C6} (Adware.ShoppingReport2) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{EB620C54-E229-4942-87CE-E717109FC8C6} (Adware.ShoppingReport2) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions{EB620C54-E229-4942-87CE-E717109FC8C6} (Adware.ShoppingReport2) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy{59C7FC09-1C83-4648-B3E6-003D2BBC7481} (Adware.MyWebSearch) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy{68AF847F-6E91-45dd-9B68-D6A12C30E5D7} (Adware.MyWebSearch) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy{9170B96C-28D4-4626-8358-27E6CAEEF907} (Adware.MyWebSearch) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy{A078F691-9C07-4AF2-BF43-35E79EECF8B7} (Adware.Softomate) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy{D1A71FA0-FF48-48dd-9B6D-7A13A3E42127} (Adware.MyWebSearch) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy{DDB1968E-EAD6-40fd-8DAE-FF14757F60C7} (Adware.MyWebSearch) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy{F138D901-86F0-4383-99B6-9CDD406036DA} (Adware.MyWebSearch) → No action taken.
HKEY_CLASSES_ROOT\ClickPotatoLiteAX.UserProfiles (Adware.ClickPotato) → No action taken.
HKEY_CLASSES_ROOT\ClickPotatoLiteAX.UserProfiles.1 (Adware.ClickPotato) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) → No action taken.
HKEY_CURRENT_USER\Software\ShoppingReport2 (Adware.ShoppingReport2) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\ResultBar (Adware.ResultBar) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\ShoppingReport2 (Adware.ShoppingReport2) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low
system
March 25, 2011, 11:56am
16
Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ResultBar (Adware.ResultBar) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ShoppingReport2 (Adware.Hotbar) → No action taken.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser{46897C77-E7A6-4C33-BFFB-E9C2E2718942} (Adware.Mp3Tube) → Value: {46897C77-E7A6-4C33-BFFB-E9C2E2718942} → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser{46897C77-E7A6-4C33-BFFB-E9C2E2718942} (Adware.Mp3Tube) → Value: {46897C77-E7A6-4C33-BFFB-E9C2E2718942} → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qnexayoqane (Trojan.Agent.U) → Value: Qnexayoqane → No action taken.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
c:\programdata\resultbar (Adware.ResultBar) → No action taken.
c:\program files\funwebproducts (Adware.MyWebSearch) → No action taken.
c:\program files\funwebproducts\screensaver (Adware.MyWebSearch) → No action taken.
c:\program files\funwebproducts\screensaver\Images (Adware.MyWebSearch) → No action taken.
c:\program files\mywebsearch (Adware.MyWebSearch) → No action taken.
c:\program files\mywebsearch\bar (Adware.MyWebSearch) → No action taken.
c:\program files\mywebsearch\bar\History (Adware.MyWebSearch) → No action taken.
c:\program files\mywebsearch\bar\Settings (Adware.MyWebSearch) → No action taken.
c:\program files\resultbar (Adware.ResultBar) → No action taken.
c:\program files\shoppingreport2 (Adware.ShoppingReport2) → No action taken.
c:\program files\shoppingreport2\Bin (Adware.ShoppingReport2) → No action taken.
c:\program files\shoppingreport2\Bin\2.7.21 (Adware.ShoppingReport2) → No action taken.
Files Infected:
c:\Users\Sabria\AppData\Local\Temp\srweanxmoc.exe (Adware.Agent) → No action taken.
c:\program files\mywebsearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) → No action taken.
system
March 25, 2011, 12:17pm
17
I have quarantined all the selected files and rebooted, but I still can only open in safe mode, as Windows keeps shutting down when opened normally. I get some blue screen with something written on it and then it shuts down… it's too quick for me to read.
Pondus
March 25, 2011, 12:29pm
18
OK… I am not sure if you can do this in safe mode, but you may try running OTS and posting the log
Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
(post the logs here in this topic and not in the guide)
To avoid using multiple posts with copy and paste you have to attach the logs
Lower left corner: Additional Options > Attach ( OTS log )
I will notify Essexboy now so he will look at this when he arrives here in… 7-8 hours
may take longer if there is cricket on TV ;D
system
March 25, 2011, 12:50pm
19
Hi,
I have scanned with OTS and attached the log. When will I be able to use the computer normally?
thanks
Pondus
March 25, 2011, 12:52pm
20
you have to wait for Essexboy's advice