Hi, I need help with this rootkit, please.
Avast scan at startup did not detect it. Only AswMBR found it.
I’ve also made a rootkit scan with Spybot 2 (which I installed just for a scan and then uninstalled) and it didn’t find zeroot-b, but it did alert me about MBR-physicaldrive0.
Here are the logs of Hijackthis, Adwcleaner, Mbam and aswMBR.
Hey, here are the logs of Spybot and SuperAntiSpyware; I don't know if they can be of any use.
Spybot...... absolutely nada
[b]Cons[/b]
Extremely poor detection of malware. Extremely poor removal of detected malware. Even worse removal of rootkits in particular. Many user interface elements significantly awkward.
[b]Bottom Line[/b]
Spybot was one of the first antispyware tools ever. It's been dormant for a while. Now Spybot - Search & Destroy 2.0 promises to destroy "spyware, malware, adware and other malicious software." [b]In testing, it proved almost 100 percent ineffective[/b].
:OTL
O2 - BHO: (no name) - {1C67BFBC-BB54-4EE2-A3E8-0AA6EFEE5715} - No CLSID value found.
O3 - HKU\S-1-5-21-1733644386-987702636-2351089283-1006\..\Toolbar\ShellBrowser: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - No CLSID value found.
O3 - HKU\S-1-5-21-1733644386-987702636-2351089283-1006\..\Toolbar\ShellBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O3 - HKU\S-1-5-21-1733644386-987702636-2351089283-1006\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-1733644386-987702636-2351089283-1006\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O3 - HKU\S-1-5-21-1733644386-987702636-2351089283-1006\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
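A small triage helper, added here as an example and not part of this thread or of OTL itself: it parses entries in the report format used above, picks out the registrations OTL reports as "No CLSID value found" (orphaned BHO/toolbar entries, the kind the fix script above removes) and assembles the :OTL section from them. The sample lines are constructed; the "Example Helper" line is a made-up healthy entry for contrast.

```python
import re

# Constructed sample lines in the OTL / HijackThis report format used in this
# thread (the "Example Helper" line is a made-up healthy entry, not from the log).
SAMPLE_LOG = """\
O2 - BHO: (no name) - {1C67BFBC-BB54-4EE2-A3E8-0AA6EFEE5715} - No CLSID value found.
O2 - BHO: (Example Helper) - {11111111-2222-3333-4444-555555555555} - C:\\Program Files\\Example\\helper.dll
O3 - HKU\\S-1-5-21-1733644386-987702636-2351089283-1006\\..\\Toolbar\\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
"""

# Entry shape: O<code> - <location>: (<name>) - {<GUID>} - <target>
ENTRY_RE = re.compile(
    r"^(?P<code>O\d+) - (?P<location>.+?): \((?P<name>.*?)\) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - (?P<target>.+)$"
)
SID_RE = re.compile(r"HKU\\(S-1-5-[\d-]+)")
ORPHAN_MARK = "No CLSID value found."


def parse_entries(text):
    """Parse report lines into dicts; lines that do not fit the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        entry = m.groupdict()
        entry["raw"] = line.strip()
        sid = SID_RE.search(entry["location"])
        entry["sid"] = sid.group(1) if sid else None  # per-user hive, if any
        entries.append(entry)
    return entries


def orphaned_entries(entries):
    """Entries whose CLSID no longer resolves: leftover registrations worth removing."""
    return [e for e in entries if e["target"] == ORPHAN_MARK]


def build_otl_fix(entries):
    """Emit the :OTL section of a fix script, one verbatim report line per entry."""
    return "\n".join([":OTL"] + [e["raw"] for e in entries])


if __name__ == "__main__":
    print(build_otl_fix(orphaned_entries(parse_entries(SAMPLE_LOG))))
```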
Pondus: I uninstalled Spybot right after the scans, but I noticed that the quick scan for rootkits alerted me of MBRphysicaldrive0 and another K something which looks like a Windows update. Since I didn’t see signs of these in the other logs I decided to upload these too.
Essexboy, I’ll try with your code in OTL and paste the log ASAP. Regarding Combofix, it runs smoothly through the various levels but doesn’t reboot the system at the end; it says deleting TEMP folder but after that doesn’t do anything. It does not hang though. And, most importantly, it creates a logfile which just redirects to My Computer, even if I rename it to *.txt! Any ideas why? This happened even when I changed the Combofix name and ran it again.
Thank you Essexboy
Here are the Otl logs (the one after the fix and the one after a fresh quick scan).
The pc still boots slowly and the windows sound is distorted. Everything slows down and the CPU usage is often at 100%, but I’m still able to write from here.
[*]If malicious objects are found, they will show in the Scan results and offer three (3) options.
[*]Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Thanks Essexboy, I have downloaded the tool and run it as in your instructions. The system file check didn’t ask me for the Windows XP CD though. I also did the start repairs and restarted, but it doesn’t look much better and the Windows sound is still distorted.
Next step?
Download ComboFix from one of the following locations: Link 1 Link 2
VERY IMPORTANT!!! Save ComboFix.exe to your Desktop
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks
c:\Documents and Settings\All Users\Datos de programa\TEMP
and just stays there forever without doing anything; it’s not frozen, but it does not do any action nor reboot the PC and does not create a log, just a shortcut in c:\ named Combofix, which points to My PC.
Combofix behaves exactly the same in safe mode: it does not freeze but does not end and reboot either, and the log it produces in c:\combofix is actually just a shortcut to My PC.
The machine still takes a while to boot up, and most of the times the sound is distorted, not always though.
Normal use of pc is difficult because the CPU rapidly rises to 100%.
If it’s a false positive, what is causing these issues?
Ok, after all of this cleaning I rebooted and re-enabled Windows Firewall and Avast antivirus. Looking at Task Manager I’ve noticed that wuauclt.exe is always using up a lot of memory (100.000KB or more) and CPU as well. One of the svchost.exe processes is up there too, followed by explorer.exe. And then I’ve also noticed that Avast is trying to update but it takes ages to download the definitions and even more to check for a new version of the program (it’s not a connection problem because on the other PC in the same LAN everything works fine).
When I kill wuauclt.exe and after waiting many minutes for Avast to complete its update check, then the CPU goes back to 0%, but as I try to open some programs (typically firefox) it goes back to 100% and it takes 2 or 3 minutes to use the browser. When everything’s calm it goes back to 0% but even touching the touchpad sends the CPU to at least 20%.