lots of rootkits

Avast found lots of rootkits, can someone lend a helping hand?
thank you

  • avast! Scan Report
  • This file is generated automatically
  • Scan name: Full system scan
  • Started on: Tuesday, March 26, 2013 4:52:53 PM
  • VPS: 130326-0, 03/26/2013

C:\Windows\winsxs\msil_system.design_b03f5f7f11d50a3a_6.1.7600.17136_none_89cc395fbf7011c6\System.Design.dll [L] Rootkit: hidden file (0)
C:\Windows\winsxs\msil_system.design_b03f5f7f11d50a3a_6.1.7600.21337_none_72fe7bb3d9178bbe\System.Design.dll [L] Rootkit: hidden file (0)
C:\Windows\winsxs\msil_system.directoryservices.protocols_b03f5f7f11d50a3a_6.1.7600.17136_none_839c88c010af215a\System.DirectoryServices.Protocols.dll [L] Rootkit: hidden file (0)
C:\Windows\winsxs\msil_system.directoryservices.protocols_b03f5f7f11d50a3a_6.1.7600.21337_none_6ccecb142a569b52\System.DirectoryServices.Protocols.dll [L] Rootkit: hidden file (0)
C:\Windows\winsxs\msil_system.directoryservices_b03f5f7f11d50a3a_6.1.7600.17136_none_2b207d63edc34a0f\System.DirectoryServices.dll [L] Rootkit: hidden file (0)
C:\Windows\winsxs\msil_system.directoryservices_b03f5f7f11d50a3a_6.1.7600.21337_none_1452bfb8076ac407\System.DirectoryServices.dll [L] Rootkit: hidden file (0)
C:\Windows\winsxs\msil_system.drawing_b03f5f7f11d50a3a_6.1.7600.17136_none_6415691aad2538f2\System.Drawing.dll [L] Rootkit: hidden file (0)
C:\Windows\winsxs\msil_system.drawing_b03f5f7f11d50a3a_6.1.7600.21337_none_4d47ab6ec6ccb2ea\System.Drawing.dll [L] Rootkit: hidden file (0)
C:\Windows\winsxs\msil_system.security_b03f5f7f11d50a3a_6.1.7600.17136_none_708946f68a91d530\System.Security.dll [L] Rootkit: hidden file (0)
C:\Windows\winsxs\msil_system.security_b03f5f7f11d50a3a_6.1.7600.21337_none_59bb894aa4394f28\System.Security.dll [L] Rootkit: hidden file (0)
C:\Windows\winsxs\msil_system.windows.forms_b77a5c561934e089_6.1.7600.17136_none_056e1142ffdb27ea\System.Windows.Forms.dll [L] Rootkit: hidden file (0)
C:\Windows\winsxs\msil_system.windows.forms_b77a5c561934e089_6.1.7600.21337_none_eea053971982a1e2\System.Windows.Forms.dll [L] Rootkit: hidden file (0)
C:\Windows\winsxs\msil_system_b77a5c561934e089_6.1.7600.17136_none_af12046a1848d5f2\System.dll [L] Rootkit: hidden file (0)
C:\Windows\winsxs\msil_system_b77a5c561934e089_6.1.7600.21337_none_984446be31f04fea\System.dll [L] Rootkit: hidden file (0)
C:\Windows\winsxs\wow64_microsoft-windows-cdosys_31bf3856ad364e35_6.1.7600.21227_none_855bfe6c8c617028\cdosys.dll [L] Rootkit: hidden file (0)
C:\Windows\winsxs\wow64_microsoft-windows-cdosys_31bf3856ad364e35_6.1.7601.17857_none_869876c170825cdb\cdosys.dll [L] Rootkit: hidden file (0)
C:\Windows\winsxs\wow64_microsoft-windows-cdosys_31bf3856ad364e35_6.1.7601.22012_none_874829ec89844170\cdosys.dll [L] Rootkit: hidden file (0)
C:\Windows\winsxs\wow64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7600.16915_none_bf6c35134a06a00b\ntdll.dll [L] Rootkit: hidden file (0)
C:\Windows\winsxs\wow64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7600.21092_none_bf9c27dc63680973\ntdll.dll [L] Rootkit: hidden file (0)
C:\Windows\winsxs\wow64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.17725_none_c147c22d473527e8\ntdll.dll [L] Rootkit: hidden file (0)
C:\Windows\winsxs\wow64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.21861_none_c1a21e206076d21a\ntdll.dll [L] Rootkit: hidden file (0)
C:\Windows\winsxs\wow64_microsoft-windows-smbserver_31bf3856ad364e35_6.1.7600.16664_none_5f532a3238ddec6f\sscore.dll [L] Rootkit: hidden file (0)
C:\Windows\winsxs\wow64_microsoft-windows-smbserver_31bf3856ad364e35_6.1.7600.20789_none_5fcc2897520742ce\sscore.dll [L] Rootkit: hidden file (0)
C:\Windows\Temp\IXP000.TMP\vcredis1.cab [E] The system cannot find the path specified (3)
Infected files: 23
Total files: 118412
Total folders: 1
Total size: 16.7 GB

  • Scan stopped: Tuesday, March 26, 2013 5:08:12 PM
  • Run-time was 15 minute(s), 19 second(s)

  • avast! Scan Report
  • This file is generated automatically
  • Scan name: Full system scan
  • Started on: Tuesday, March 26, 2013 5:36:18 PM
  • VPS: 130326-0, 03/26/2013

C:\Windows\winsxs\x86_microsoft-windows-d…nese-eacommonapijpn_31bf3856ad364e35_6.1.7600.16856_none_91eb7ae4315e1c11\IMJPAPI.DLL [L] Rootkit: hidden file (0)
C:\Windows\winsxs\x86_microsoft-windows-d…nese-eacommonapijpn_31bf3856ad364e35_6.1.7600.21016_none_92a02f814a5b7f59\IMJPAPI.DLL [L] Rootkit: hidden file (0)
C:\Windows\winsxs\x86_microsoft-windows-d…nese-eacommonapijpn_31bf3856ad364e35_6.1.7601.17658_none_93d3d87e2e82baab\IMJPAPI.DLL [L] Rootkit: hidden file (0)
C:\Windows\winsxs\x86_microsoft-windows-d…nese-eacommonapijpn_31bf3856ad364e35_6.1.7601.21779_none_9448d5bb47afabae\IMJPAPI.DLL [L] Rootkit: hidden file (0)
C:\Windows\winsxs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9876.0_none_b7e610287b2b4ea5\msxml4.dll [L] Rootkit: hidden file (0)
Infected files: 5
Total files: 189618
Total folders: 1
Total size: 26.5 GB

  • Scan stopped: Tuesday, March 26, 2013 5:59:47 PM
  • Run-time was 23 minute(s), 29 second(s)

  • avast! Scan Report
  • This file is generated automatically
  • Scan name: Full system scan
  • Started on: Tuesday, March 26, 2013 7:03:53 PM
  • VPS: 130326-1, 03/26/2013

C:\Windows\winsxs\x86_netfx-fw_netfxperf_dll_31bf3856ad364e35_6.2.7600.16513_none_5ce27e967b21016b\netfxperf.dll [E] The system cannot find the path specified (3)
C:\Windows\winsxs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_7b33aa7d218504d2\vcomp.dll [E] The system cannot find the path specified (3)
C:\Windows\winsxs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_43efccf17831d131\mfc80CHS.dll [E] The system cannot find the path specified (3)
C:\Windows\winsxs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_43efccf17831d131\mfc80CHT.dll [E] The system cannot find the path specified (3)
C:\Windows\winsxs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_43efccf17831d131\mfc80DEU.dll [E] The system cannot find the path specified (3)
C:\Windows\winsxs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_43efccf17831d131\mfc80ENU.dll [E] The system cannot find the path specified (3)
C:\Windows\winsxs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_43efccf17831d131\mfc80ESP.dll [E] The system cannot find the path specified (3)
C:\Windows\winsxs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_43efccf17831d131\mfc80FRA.dll [E] The system cannot find the path specified (3)
C:\Windows\winsxs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_43efccf17831d131\mfc80ITA.dll [E] The system cannot find the path specified (3)
C:\Windows\winsxs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_43efccf17831d131\mfc80JPN.dll [E] The system cannot find the path specified (3)
C:\Windows\winsxs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_43efccf17831d131\mfc80KOR.dll [E] The system cannot find the path specified (3)
C:\Windows\winsxs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_cbf21254470d8752\mfc80.dll [E] The system cannot find the path specified (3)
C:\Windows\winsxs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_cbf21254470d8752\mfc80u.dll [E] The system cannot find the path specified (3)
C:\Windows\winsxs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_cbf21254470d8752\mfcm80.dll [E] The system cannot find the path specified (3)
C:\Windows\winsxs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_cbf21254470d8752\mfcm80u.dll [E] The system cannot find the path specified (3)
C:\Windows\winsxs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_0c178a139ee2a7ed\mfc80.dll [E] The system cannot find the path specified (3)
C:\Windows\winsxs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_0c178a139ee2a7ed\mfcm80.dll [E] The system cannot find the path specified (3)
C:\Windows\winsxs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_0c178a139ee2a7ed\mfcm80u.dll [E] The system cannot find the path specified (3)
C:\Windows\winsxs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.4053_none_3b0e32bdc9afe437\vcomp.dll [E] The system cannot find the path specified (3)
C:\Windows\winsxs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_0c178a139ee2a7ed\mfc80u.dll [E] The system cannot find the path specified (3)
Infected files: 0
Total files: 248266
Total folders: 1
Total size: 32.2 GB

  • Scan stopped: Tuesday, March 26, 2013 7:34:32 PM
  • Run-time was 30 minute(s), 39 second(s)

Here is the avast rootkit log

aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-03-26 19:46:49

19:46:49.039 OS Version: Windows x64 6.1.7600
19:46:49.039 Number of processors: 2 586 0x170A
19:46:49.039 ComputerName: BOB-PC UserName: Bob
19:46:53.439 Initialize success
19:46:54.499 AVAST engine defs: 13032601
19:46:57.307 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-0
19:46:57.307 Disk 0 Vendor: ST3750528AS CC44 Size: 715404MB BusType: 11
19:46:57.479 Disk 0 MBR read successfully
19:46:57.479 Disk 0 MBR scan
19:46:57.495 Disk 0 Windows 7 default MBR code
19:46:57.510 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 14336 MB offset 2048
19:46:57.526 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 29362176
19:46:57.557 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 700966 MB offset 29566976
19:46:57.588 Disk 0 scanning C:\Windows\system32\drivers
19:47:05.669 Service scanning
19:47:22.950 Modules scanning
19:47:22.950 Disk 0 trace - called modules:
19:47:22.981 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
19:47:23.496 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa800581b060]
19:47:23.496 3 CLASSPNP.SYS[fffff8800193c43f] → nt!IofCallDriver → [0xfffffa80052d3e40]
19:47:23.511 5 ACPI.sys[fffff88000ee3781] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa80052d0060]
19:47:28.613 AVAST engine scan C:\Windows
19:47:39.361 AVAST engine scan C:\Windows\system32
19:50:59.083 AVAST engine scan C:\Windows\system32\drivers
19:51:36.165 AVAST engine scan C:\Users\Bob
19:54:37.915 AVAST engine scan C:\ProgramData
19:54:58.850 Scan finished successfully
19:58:52.247 Disk 0 MBR has been saved successfully to “C:\Users\Bob\Desktop\MBR.dat”
19:58:52.279 The log file has been saved successfully to “C:\Users\Bob\Desktop\aswMBR.txt”

RogueKiller report

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRKgmailcom
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User : Bob [Admin rights]
Mode : Scan – Date : 03/26/2013 20:05:05
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] aswMBR.exe – C:\Users\Bob\Desktop\aswMBR.exe [-] → KILLED [TermProc]

¤¤¤ Registry Entries : 2 ¤¤¤
[HJ DESK] HKLM[…]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) → FOUND
[HJ DESK] HKLM[…]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) → FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
→ C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3750528AS ATA Device +++++
— User —
[MBR] 3bd0a90989f7be2c0a2fb9bbfa4f1a65
[BSP] e04d08dbd4f11e77a677b15272125d35 : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 14336 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 29362176 | Size: 100 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 29566976 | Size: 700966 Mo
User = LL1 … OK!
User = LL2 … OK!

Finished : << RKreport[1]_S_03262013_02d2005.txt >>
RKreport[1]_S_03262013_02d2005.txt

Follow this guide and attach the logs…not copy and paste
http://forum.avast.com/index.php?topic=53253.0

AdwCleaner / Malwarebytes / OTL / aswMBR

the malware experts are in bed now, but will check your logs tomorrow

scans

the important logs would be OTL.txt and aswMBR…not attached

Anyway, if you reboot and scan again with avast, do you still get the same detection? As this seems like the scan result you may get if you scan just after a Windows update.

Rebooted and did the asw and otl

C:\Windows\winsxs: was this during or just after a Windows update?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
O4 - HKU\S-1-5-21-1134406558-1199177028-1899358182-1000..\Run: [MusicGadget] Reg Error: Invalid data type. File not found
O4 - HKU\S-1-5-21-1134406558-1199177028-1899358182-1000..\Run: [PhotoGadget] Reg Error: Invalid data type. File not found
O4 - HKU\S-1-5-21-1134406558-1199177028-1899358182-1000..\Run: [PhotoGadgetFirstRun] Reg Error: Invalid data type. File not found
O4 - HKU\S-1-5-21-1134406558-1199177028-1899358182-1000..\Run: [PhotoGadgetFirstRun_Portal] Reg Error: Invalid data type. File not found
O4 - HKU\S-1-5-21-1134406558-1199177028-1899358182-1000..\Run: [TouchMemo] Reg Error: Invalid data type. File not found
[2013/03/27 09:48:38 | 004,745,728 | ---- | C] (AVAST Software) -- C:\Users\Bob\Desktop\aswMBR.exe
[2013/03/26 20:02:53 | 000,000,000 | ---D | C] -- C:\Users\Bob\Desktop\RK_Quarantine
[2013/03/26 19:42:31 | 000,000,000 | ---D | C] -- C:\Users\Bob\Documents\tdsskiller
[2013/03/26 19:58:52 | 000,000,512 | ---- | M] () -- C:\Users\Bob\Desktop\MBR.dat

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

I'm not sure if the winsxs was before or after…

Unfortunately Avast does fall for that when windows is updated, it sees all the activity in the winsxs folder and gets a bit twitchy

Otherwise the log looks clean, are you experiencing any problems ?

Not really but got concerned when avast came up with those rootkits… are there any rootkits or was avast giving a false positive?

It was a false positive as windows was moving a lot of files around and hiding/unhiding them as it went
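The triage the helpers apply above (hidden-file hits confined to C:\Windows\winsxs right after a Windows update are treated differently from hidden files elsewhere, and "cannot find the path" lines are scan errors rather than detections) written out as a small parser for the avast! report format. This is an added example, not code from the thread or from Avast; the bucket names are my own labels, and the sample report is constructed (two winsxs lines and the error line come from the scan above, the non-winsxs path is made up).

```python
import re
from collections import Counter

# One avast! result line looks like: "<path> [<flag>] <message> (<code>)"
ENTRY_RE = re.compile(r"^(?P<path>.+?) \[(?P<flag>[A-Z])\] (?P<message>.+?) \((?P<code>\d+)\)$")
SUMMARY_RE = re.compile(r"^Infected files: (?P<count>\d+)$")

def classify(path: str, message: str) -> str:
    """Sort one result line into a triage bucket (assumed labels, not avast's own)."""
    if message.startswith("The system cannot find the path"):
        return "scan-error"          # file gone between enumeration and scan; not a detection
    if message.startswith("Rootkit: hidden file"):
        if path.lower().startswith("c:\\windows\\winsxs\\"):
            return "winsxs-hidden"   # component store churn during servicing; rescan after reboot
        return "hidden-elsewhere"    # outside the component store: worth a closer look
    return "other"

def triage(report: str) -> dict:
    """Parse a report, bucket every entry and cross-check the 'Infected files' summary."""
    buckets, entries, reported = Counter(), [], None
    for raw in report.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            bucket = classify(m["path"], m["message"])
            buckets[bucket] += 1
            entries.append((bucket, m["path"]))
            continue
        s = SUMMARY_RE.match(line)
        if s:
            reported = int(s["count"])
    # avast counts only detections, not [E] errors, toward "Infected files"
    detections = sum(n for b, n in buckets.items() if b != "scan-error")
    return {"buckets": dict(buckets), "entries": entries,
            "reported_infected": reported, "count_matches": reported == detections}

# Constructed sample: three lines taken from the scan above plus one made-up path.
SAMPLE_REPORT = r"""
C:\Windows\winsxs\msil_system_b77a5c561934e089_6.1.7600.17136_none_af12046a1848d5f2\System.dll [L] Rootkit: hidden file (0)
C:\Windows\winsxs\wow64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.21861_none_c1a21e206076d21a\ntdll.dll [L] Rootkit: hidden file (0)
C:\Windows\Temp\IXP000.TMP\vcredis1.cab [E] The system cannot find the path specified (3)
C:\Users\Bob\AppData\Local\Temp\sample_hidden.dll [L] Rootkit: hidden file (0)
Infected files: 3
"""

if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print(result["buckets"], "summary consistent:", result["count_matches"])
    for bucket, path in result["entries"]:
        print(f"{bucket:16} {path}")
```

Only the hidden-elsewhere bucket is what the thread's advice would call for looking into; a report whose hits are all winsxs-hidden is the post-update pattern described above.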

Ok… thank you for your help, awesome job.

Run OTL and press the cleanup button to remove it