MBR:SST Rootkit found, can't get rid of it.

Hi guys. This problem has been bugging me for days. First of all I was getting alerts for a few trojans, etc., which deleted all my start menu and desktop shortcuts. I got rid of those (I think) with a Malwarebytes scan (log attached). Now Avast is still popping up with an alert for the MBR rootkit.

Also I can't get aswMBR or TDSSKiller to run.

I also ran RogueKiller, should I post those logs?

Any help would be appreciated.

A malware removal specialist has been informed of your topic.

Attach the RogueKiller logs, and can you also attach the AdwCleaner logs?

thanks

Anthony :)

adwcleaner

Roguekiller…

Hi, could you confirm that you now have all your menus and files back…

You have an MBR infection

3 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 976771120 | Size: 0 Mo

Do you have a USB drive that you could use?

Back in a bit whilst I check out the OTL log
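The RogueKiller line quoted above is what an MBR bootkit typically leaves behind: a fourth partition entry with a hidden type ID (0x17, hidden NTFS), zero length, sitting near the end of the disk, and carrying the active/boot flag that should be on the OS partition. The following script is an added example (not part of the original thread, and not code from RogueKiller, Avast or any tool named here) that parses a raw 512-byte MBR, prints each entry in the same shape as the RogueKiller report, and flags the three tell-tales a defender looks for: hidden type, zero-length entry, and a boot flag that has been moved off the visible OS partition (the same thing the later "Manage Flags" step in this thread corrects). The MBR bytes and the 500 GB disk size are constructed to mirror the layout described in the thread; they are not a real dump. On a real disk you would read the first 512 bytes of the physical drive (e.g. `\\.\PhysicalDrive0` on Windows or `/dev/sda` on Linux, both needing administrator or root rights) and pass them to `parse_mbr`.

```python
import struct
from dataclasses import dataclass
from typing import List

SECTOR_BYTES = 512
MIB = 1024 * 1024

# Partition type IDs that partitioning tools treat as "hidden"; 0x17 is the
# hidden NTFS/HPFS type shown in the RogueKiller line above.
HIDDEN_TYPES = {0x11: "FAT12", 0x14: "FAT16", 0x16: "FAT16", 0x17: "NTFS",
                0x1B: "FAT32", 0x1C: "FAT32"}
VISIBLE_TYPES = {0x00: "Empty", 0x05: "Extended", 0x07: "NTFS", 0x0B: "FAT32",
                 0x0C: "FAT32", 0x0F: "Extended", 0x82: "Linux swap", 0x83: "Linux"}


@dataclass
class PartitionEntry:
    index: int       # slot 0..3 in the MBR partition table
    active: bool     # boot indicator byte == 0x80
    type_id: int
    lba_start: int   # first sector of the partition
    sectors: int     # length in sectors

    @property
    def hidden(self) -> bool:
        return self.type_id in HIDDEN_TYPES

    @property
    def size_mib(self) -> int:
        return self.sectors * SECTOR_BYTES // MIB

    def describe(self) -> str:
        """One line in the same shape as the RogueKiller MBR report."""
        name = HIDDEN_TYPES.get(self.type_id) or VISIBLE_TYPES.get(self.type_id, "Unknown")
        state = "ACTIVE" if self.active else "INACTIVE"
        vis = "HIDDEN!" if self.hidden else "VISIBLE"
        return (f"{self.index} - [{state}] {name} (0x{self.type_id:02X}) [{vis}] "
                f"Offset (sectors): {self.lba_start} | Size: {self.size_mib} MB")


def parse_mbr(mbr: bytes) -> List[PartitionEntry]:
    """Decode the four 16-byte partition entries at offset 446 of a 512-byte MBR."""
    if len(mbr) < SECTOR_BYTES:
        raise ValueError("MBR must be at least 512 bytes")
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = 446 + 16 * i
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack(
            "<B3sB3sII", mbr[off:off + 16])
        entries.append(PartitionEntry(i, status == 0x80, ptype, lba, count))
    return entries


def assess(entries: List[PartitionEntry], disk_sectors: int) -> List[str]:
    """Return human-readable findings; an empty list means the table looks sane."""
    findings = []
    for e in entries:
        if e.type_id == 0x00:          # unused slot
            continue
        tag = f"partition {e.index}"
        if e.hidden:
            findings.append(f"{tag}: hidden type 0x{e.type_id:02X}")
        if e.sectors == 0:
            findings.append(f"{tag}: zero-length partition")
        if e.active and e.hidden:
            findings.append(f"{tag}: boot flag set on a hidden partition")
        if e.lba_start + e.sectors > disk_sectors:
            findings.append(f"{tag}: extends past end of disk")
    active = [e for e in entries if e.active and e.type_id != 0x00]
    if not active:
        findings.append("no active partition: firmware has nothing to boot")
    elif len(active) > 1:
        findings.append("more than one active partition")
    return findings


def _entry(active: bool, ptype: int, lba: int, sectors: int) -> bytes:
    chs = b"\xfe\xff\xff"  # CHS fields are ignored by LBA-aware boot code
    return struct.pack("<B3sB3sII", 0x80 if active else 0x00, chs, ptype, chs, lba, sectors)


DISK_SECTORS = 976773168  # constructed: a 500 GB disk


def build_sample_mbr(infected: bool = True) -> bytes:
    """Constructed MBR modelled on the thread's layout; not a real disk image."""
    table = (_entry(False, 0x07, 2048, 204800)               # 0: 100 MB system reserved
             + _entry(not infected, 0x07, 206848, 30720000)  # 1: OS partition, 15000 MB
             + _entry(False, 0x07, 30926848, 945844272))     # 2: data partition
    if infected:
        # 3: the bootkit's slot: active, hidden NTFS type, zero length, end of disk
        table += _entry(True, 0x17, 976771120, 0)
    else:
        table += _entry(False, 0x00, 0, 0)
    return bytes(446) + table + b"\x55\xaa"


if __name__ == "__main__":
    for label, mbr in (("infected", build_sample_mbr(True)),
                       ("after deleting slot 3 and restoring the boot flag", build_sample_mbr(False))):
        entries = parse_mbr(mbr)
        print(f"--- {label} ---")
        for e in entries:
            print(e.describe())
        for finding in assess(entries, DISK_SECTORS):
            print("!!", finding)
```

The "after" table models the state the GParted steps later in this thread aim for: the hidden slot is empty and the boot flag is back on the OS partition, so `assess` reports nothing. Note that a clean partition table does not prove the boot code in the first 446 bytes is clean, which is why the thread still runs TDSSKiller afterwards.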

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
IE:64bit: - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=axl&chnl=axl&cd=2XzuyEtN2Y1L1QzutC0CyCyDzy0DtB0BzyyEzz0AzzyC0DyEtN0D0Tzu0CtBtBtAtN1L2XzutBtFtCtFtCtFtAtCtB&cr=1154100707
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://start.funmoods.com/?f=1&a=axl&chnl=axl&cd=2XzuyEtN2Y1L1QzutC0CyCyDzy0DtB0BzyyEzz0AzzyC0DyEtN0D0Tzu0CtBtBtAtN1L2XzutBtFtCtFtCtFtAtCtB&cr=1154100707
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://start.funmoods.com/?f=1&a=axl&chnl=axl&cd=2XzuyEtN2Y1L1QzutC0CyCyDzy0DtB0BzyyEzz0AzzyC0DyEtN0D0Tzu0CtBtBtAtN1L2XzutBtFtCtFtCtFtAtCtB&cr=1154100707
IE - HKLM\..\SearchScopes,Backup.Old.DefaultScope = {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
IE - HKLM\..\SearchScopes,DefaultScope = {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=axl&chnl=axl&cd=2XzuyEtN2Y1L1QzutC0CyCyDzy0DtB0BzyyEzz0AzzyC0DyEtN0D0Tzu0CtBtBtAtN1L2XzutBtFtCtFtCtFtAtCtB&cr=1154100707
IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope = {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope = {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
O2:64bit: - BHO: (Web Assistant) - {336D0C35-8A85-403a-B9D2-65C292C39087} - C:\Program Files\Web Assistant\Extension64.dll ()
O2:64bit: - BHO: (no name) - {9D717F81-9148-4f12-8568-69135F087DB0} - No CLSID value found.
O2 - BHO: (Shopping Assistant Plugin) - {1631550F-191D-4826-B069-D9439253D926} - C:\Program Files (x86)\PriceGong\2.6.4\PriceGongIE.dll (PriceGong)
O2 - BHO: (Web Assistant) - {336D0C35-8A85-403a-B9D2-65C292C39087} - C:\Program Files\Web Assistant\Extension32.dll ()
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (no name) - {99079a25-328f-4bd4-be04-00955acaa0a7} - No CLSID value found.
O2 - BHO: (no name) - {9D717F81-9148-4f12-8568-69135F087DB0} - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - !{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - !{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {99079a25-328f-4bd4-be04-00955acaa0a7} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
[2012/09/10 22:02:58 | 000,000,368 | ---- | M] () -- C:\ProgramData\sjMYwJNzwAhgal
[2012/09/09 19:35:29 | 000,000,160 | ---- | M] () -- C:\ProgramData\-aQ2W8LlPs6OUp8r
[2012/09/09 19:35:29 | 000,000,144 | ---- | M] () -- C:\ProgramData\-aQ2W8LlPs6OUp8
[2012/09/09 19:35:27 | 000,000,368 | ---- | M] () -- C:\ProgramData\aQ2W8LlPs6OUp8

:Files
C:\Program Files\Web Assistant

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download Tuxboot to your desktop
Run Tuxboot
On the first screen in the dropdown box select Gparted Live - stable

https://dl.dropbox.com/u/73555776/Tuxboot.GIF

Select USB Drive from the Type drop-down.
Select the correct USB device from the Drive drop-down.
Click OK. This will start the process of creating the bootable USB device.

Now boot off of the newly created Gparted USB.

You should be here… Press ENTER

https://dl.dropbox.com/u/73555776/Gpart-Start.GIF

By default, “do not touch keymap” is highlighted.

https://dl.dropbox.com/u/73555776/Gpart-keyselect.GIF

Leave this setting alone and just press ENTER.

https://dl.dropbox.com/u/73555776/Gpart-continue.GIF

Choose your language and press ENTER. English is default [33]

At the mode prompt enter 0, press ENTER

You will now be taken to the main GUI screen below

https://dl.dropbox.com/u/73555776/Gpart-partitions.GIF

According to your logs, the partition that you want to delete is <1 MB

Right-click this partition and select Delete.

https://dl.dropbox.com/u/73555776/GPart-delete.GIF

The Partition has gone

Now select Apply

Now you should be here:

https://dl.dropbox.com/u/73555776/Areyousure.GIF

Select Apply after double checking that the right partition was deleted

Is “boot” next to your OS drive? 1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 15000 Mo
If “boot” is not next to your OS drive under “Flags”, right-click the OS drive while in GParted and select Manage Flags

https://dl.dropbox.com/u/73555776/GPart-flags.GIF

In the menu that pops up, place a checkmark in boot like the picture below, then close:

https://dl.dropbox.com/u/73555776/GPart-bootflag.GIF

Under File select Quit

https://dl.dropbox.com/u/73555776/Gpart-quit.GIF

You will see this small Popup

https://dl.dropbox.com/u/73555776/Gpart-reboot.GIF

Choose reboot and then press OK.

Once back in normal Windows, then run TDSSKiller please

All the start menu program folders are empty…

Will get to work on those steps now

OK there is a fix for the start menu folders … I will point you there on completion

Make sure you double check the partition deletion bit

OK. One more thing before I start. I’m using the administrator account, but the infection occurred while using a “standard user” account. Should I check “all users” in OTL? Or just continue with the steps as you explained?

Skip the OTL step for now and go direct to GParted, as that is where the main infection lies

Done. GParted and TDSSKiller steps ran. TDSSKiller found no infected results afterwards.

Sweet, could you run one further OTL quick scan please, selecting all users, then let me know what problems remain

otl scan…

Did you install Fantapper Player? It has a dubious reputation.

No, my 12-year-old niece also uses this laptop. Is that where this all started?

There is that possibility, although I could not say for sure. Would you like me to remove it?

Yes that would be fine

OK, I will clear that along with some of my tools. Are there any outstanding problems?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
SRV - [2012/04/23 16:53:44 | 000,014,336 | ---- | M] (Brand Affinity Technologies) [Auto | Running] -- C:\Program Files (x86)\Brand Affinity Technologies\Fantapper Updater\FantapperUpdater.exe -- (FTSvc)
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://start.funmoods.com/?f=1&a=axl&chnl=axl&cd=2XzuyEtN2Y1L1QzutC0CyCyDzy0DtB0BzyyEzz0AzzyC0DyEtN0D0Tzu0CtBtBtAtN1L2XzutBtFtCtFtCtFtAtCtB&cr=1154100707
IE - HKLM\..\SearchScopes\{514DD3EF-B6A1-CB3B-70E7-121482766ABE}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=139&systemid=406&sr=0&q={searchTerms}
[2012/09/09 11:26:47 | 000,000,000 | ---D | M] (InfoAtoms) -- C:\Program Files (x86)\Mozilla Firefox\extensions\infoatoms@infoatoms.com
64bit-FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{336D0C35-8A85-403a-B9D2-65C292C39087}: C:\PROGRAM FILES\WEB ASSISTANT\FIREFOX
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\infoatoms@infoatoms.com: C:\Program Files (x86)\Mozilla FireFox\extensions\infoatoms@infoatoms.com [2012/09/09 11:26:47 | 000,000,000 | ---D | M]
O2 - BHO: (InfoAtoms Client) - {103089DA-0F31-4A8B-843F-7D24A7FE8345} - C:\Program Files (x86)\InfoAtoms\IE32\bho32.dll (InfoAtoms Inc.)
O2 - BHO: (Fantapper) - {8A86D350-37AB-410A-8531-7D1363F317B3} - C:\Program Files (x86)\Brand Affinity Technologies\Fantapper Player\\IEInstaller.dll ()
O3:64bit: - HKLM\..\Toolbar: (no name) - !{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - !{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
[2012/09/13 15:35:52 | 002,211,928 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Admin\Desktop\tdsskiller.exe
[2012/09/13 11:43:14 | 000,000,000 | ---D | C] -- C:\Users\Admin\Desktop\logs
[2012/09/12 21:20:26 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Users\Admin\Desktop\iexplore.exe.exe
[2012/09/12 20:29:45 | 000,000,000 | ---D | C] -- C:\Users\Admin\Desktop\RK_Quarantine
[2012/08/15 18:59:58 | 000,426,184 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe
[2012/09/13 11:25:09 | 000,512,399 | ---- | M] () -- C:\Users\Admin\Desktop\adwcleaner.exe
[2012/09/12 20:27:08 | 001,378,816 | ---- | M] () -- C:\Users\Admin\Desktop\RogueKiller.exe
[2012/09/10 22:02:58 | 000,000,368 | ---- | M] () -- C:\ProgramData\sjMYwJNzwAhgal
[2012/09/09 19:35:29 | 000,000,160 | ---- | M] () -- C:\ProgramData\-aQ2W8LlPs6OUp8r
[2012/09/09 19:35:29 | 000,000,144 | ---- | M] () -- C:\ProgramData\-aQ2W8LlPs6OUp8
[2012/09/09 19:35:27 | 000,000,368 | ---- | M] () -- C:\ProgramData\aQ2W8LlPs6OUp8
[2012/08/15 20:00:16 | 000,873,052 | ---- | M] () -- 

:Files
C:\Program Files (x86)\InfoAtoms
C:\Program Files (x86)\Brand Affinity Technologies
C:\PROGRAM FILES\WEB ASSISTANT
C:\Users\Admin\Desktop\search_spoilnet.com_in_google_System.Surveillance.Pro.2012.v6.8.cracked.rar

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done

Done!! Thanks a lot.

By the way, I don't know if it's Avast, iTunes, or some other program causing this, but it takes about 30 seconds at the logon screen after I input my password.