I ran Malwarebytes and Avast simultaneously after my computer crashed over a month ago. It detected one file; here are the results.
Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 541230
Time elapsed: 5 hour(s), 2 minute(s), 6 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 1
C:\Users\Dee Sanae\Downloads\applianflv.exe (PUP.BundleOffers.IIQ) → No action taken.
(end)
I am also attaching a screenshot of what the Avast results look like.
I am going to run OTL; please let me know what I should do.
Please visit the site located here. Follow the directions for running OTL, aswMBR.exe and Malwarebytes and then attach the logs that are created to your next reply.
Please download ERUNT (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT, however, creates a complete backup set, including the Security hive and user-related sections. ERUNT is easy to use, and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. Remember: if you are using Windows Vista as your operating system, right-click the executable and select Run as Administrator.
Run OTL.exe
- Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot when it is done
- Then run a new scan and post a new OTL log (don’t check the boxes beside LOP Check or Purity this time)
I see that you have Malwarebytes already on your computer. Please open Malwarebytes, update it and then run a Quick Scan. Save the log that is created for your next reply.
Please run a free online scan with the ESET Online Scanner. Note: You will need to use Internet Explorer for this scan.
- Tick the box next to YES, I accept the Terms of Use
- Click Start
- When asked, allow the ActiveX control to install
- Click Start
- Make sure that the option Remove found threats is NOT selected and the option Scan unwanted applications is selected.
- Click Scan (This scan can take several hours, so please be patient)
- Once the scan is completed, you may close the window
- Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
- Copy and paste that log as a reply to this topic
As a veteran of a fight with rootkit I can only suggest reformatting your hard drive NOW. I battled it for almost a week using my old antivirus program and Malwarebytes. I finally threw up my hands, gave up and reformatted the hard drive after more and more viruses kept reappearing.
Two problems with rootkit. First: it buries a copy of itself deep in your system under a false file name. That makes it difficult, if not impossible, to find; at least it was for me last year when this happened. After a certain amount of time that file activates and you have rootkit again.
Two: one of the things it does is open up a channel for other viruses, malware and such to enter. I found probably close to a hundred viruses on my computer over a period of five days, each time after I’d thought I might have finally cleared rootkit. Some of the ones I found were keystroke loggers and other programs to send personal information on my computer to some bad guy.
So, back up all your files. Rootkit allowed me to get all my registration numbers, save my bookmarks and such, then reformat. Most important: CANCEL ANY CREDIT CARDS YOU HAVE INFO ON IN YOUR COMPUTER! Also change all passwords to e-mail and financial sites ASAP.
I had one credit card’s info on my computer. I hesitated cancelling it in hopes they didn’t get the info. About 3 weeks after I reformatted they tried to use that card. Luckily the bank caught it, notified me and cancelled my card. I should have cancelled that card once I realized compromising viruses were on my computer.
They apparently tried to gain access to financial sites I deal with regularly, too. They didn’t seem to get in but those sites shut me out unless I went through additional security screening. Weird, when that stuff happens to you and not someone else.
C:\Program Files (x86)\VlcPlus\Extras\setup.exe a variant of Win32/Toolbar.Zugo application FFB196F7333422377F970A0BDE2B5623 I
C:\Users\Dee Sanae\Downloads\cnet_service-invoice-for-hourly-billing_zip.exe a variant of Win32/InstallCore.D application 70170F35984C8E3C18BB534017030675 I
C:\Users\Dee Sanae\Downloads\FCTBSetup.exe Win32/Toolbar.Zugo application 557413008733EAEBECAB0696CA8E4F4B I