New Virus?

Hi All:

According to Avast, my work laptop is infected by a “rootkit” named:

1264341053:3266290612.exe

c:windows/1264341053:3266290612.exe

I take the prescribed action (Delete) and schedule a boot scan (as suggested) and the little bugger is right back. Nasty stuff.

Any ideas?

This needs further analysis by a malware removal specialist:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware. Use the information about getting and using the logs and start your own new topic and attach the logs there, not in the LOGS topic.

It is almost 1:20am in the UK and it is likely to be tomorrow morning when a malware removal specialist can take a look at it. So if you can get on with the process, that will give them something when they do get on-line.

Thanks, but here’s a problem: This bug apparently won’t let me run Malwarebyte’s AntiMalware. The Quick Scan runs for a few seconds and then the program closes. If I try again, a warning comes up that says something like “Program can’t be found.” If I re-install MBAM, it runs again just like before. Same thing with HiJack This.

Same thing with HiJack This.
HijackThis is not very good... run OTL from the link David posted

Hi, that is the ZeroAccess bootkit. I will first need to remove the ADS from the bad boy and then run to kill

Download OTL to your Desktop

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
C:\Windows\assembly\tmp\U /s
CREATERESTOREPOINT

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Post both logs

Thanks! I’m doing the scan now. A Microsoft Error Reporting box came up during the scan. It looks a little different than a “normal” MS error report. Normal?

I guess just attach both files? Feel kind of creepy doing this…


OK here we go

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = F3 86 F3 16 DA E5 B2 4F B9 1B 4D 35 BC 14 40 03 [binary data]
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = F3 86 F3 16 DA E5 B2 4F B9 1B 4D 35 BC 14 40 03 [binary data]
IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = F3 86 F3 16 DA E5 B2 4F B9 1B 4D 35 BC 14 40 03 [binary data]
IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = F3 86 F3 16 DA E5 B2 4F B9 1B 4D 35 BC 14 40 03 [binary data]
IE - HKU\S-1-5-21-1235142616-1400411301-3882759376-1006\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = F3 86 F3 16 DA E5 B2 4F B9 1B 4D 35 BC 14 40 03 [binary data]
[2011/09/24 06:14:33 | 000,000,000 | ---- | M] () -- C:\WINDOWS\1264341053
@Alternate Data Stream - 784 bytes -> C:\WINDOWS\1264341053:3266290612.exe

:Reg
[HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-
[HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-
[HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-
[HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-
[HKU\S-1-5-21-1235142616-1400411301-3882759376-1006\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered; reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

When you download the following programme, you must save it to your desktop renamed as svchost.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RC1.png

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

  • Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

In my eagerness to fix this (I leave tomorrow for a week-long business trip), I followed the advice of a “friend” who had me run TDSSKiller.exe. It apparently found the bug (I have sound again) and I no longer have the problem I mentioned in the first post, but I have neither wired nor WiFi internet (limited/no connection).

Sorry.

Should I still do what you mention above or do another OTL scan?

The problem with TDSSKiller is that it does not see the mswsock infection as well.

Run the OTL fix followed by ComboFix and that may reinstate the connection; if not, I will look at manually fixing it.

Okay, will do. But, since I don't have access to the Interwebs on the laptop (but do on this PC), can I just download ComboFix onto a thumb drive and place it on the laptop's desktop (per instructions)? And what if, when I run ComboFix, it has to get on the Internet to download the Windows Recovery thing?

We have the technology ;D


Download ComboFix from one of these locations:

Link 1
Link 2

Note: It is important that it is saved directly to your desktop


With malware infections being as they are today, it’s strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Go to Microsoft’s website => http://support.microsoft.com/kb/310994

Scroll down to Step 1, and select the download that’s appropriate for your Operating System. Download the file & save it as it’s originally named.

Note: If you have SP3, use the SP2 package.


Transfer all files you just downloaded, to the desktop of the infected computer.


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

http://img.photobucket.com/albums/v666/sUBs/RC1-4.gif

  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

http://img.photobucket.com/albums/v706/ried7/whatnext.png

  • At the next prompt, click ‘Yes’ to run the full ComboFix scan.

  • When the tool is finished, it will produce a report for you.

Please post the C:\ComboFix.txt in your next reply.

Okay, here’s the Quick Scan log from OTL.

Heh. Fantastic! I will do so.

BTW, I was born and raised in Essex. I live in Colorado now, though.

Subtle difference in climate I should imagine ;D

Yes, 330+ days of sunshine was hard to get used to! ;D

Should I run ComboFix now?

Yes please ;D

O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - mswsock.dll File not found
This is the problem; alas, TDSSKiller is not yet up to removing the complete ZeroAccess.
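As an added example (not code from this thread, nor from OTL, ComboFix or TDSSKiller), here is a defender-side PowerShell check for the two specifics the thread turns on: an executable hidden as an alternate data stream on a file under C:\WINDOWS, and a Winsock catalog entry whose provider DLL no longer exists after a partial cleanup. It assumes PowerShell 3.0 or later on an English-language Windows build, run from an elevated prompt; the function names are my own.

```powershell
# Added example, not code from the thread or from OTL/ComboFix/TDSSKiller.
# Assumes PowerShell 3.0+ on an English-language Windows build, run elevated.

# Check 1: files directly under the Windows directory that carry an alternate
# data stream. The sample in this thread lived as the stream
# C:\WINDOWS\1264341053:3266290612.exe on an otherwise empty file.
# A Zone.Identifier stream on a downloaded file is normal; an .exe-named
# stream on a zero-byte file in %SystemRoot% is not.
function Find-WindowsAlternateDataStreams {
    param([string]$Directory = $env:SystemRoot)
    Get-ChildItem -LiteralPath $Directory -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' }   # ':$DATA' is the primary stream
        } |
        Select-Object FileName, Stream, Length
}

# Check 2: Winsock catalog entries whose provider DLL is missing on disk.
# That is the state OTL reported as "O10 - ... mswsock.dll File not found"
# after TDSSKiller removed the file but not the catalog entry, and it is why
# the laptop lost both wired and WiFi connectivity.
function Test-WinsockCatalogPaths {
    $paths = foreach ($line in (netsh winsock show catalog)) {
        if ($line -match '^\s*Provider Path:\s*(.+?)\s*$') {
            [Environment]::ExpandEnvironmentVariables($Matches[1])
        }
    }
    foreach ($p in ($paths | Sort-Object -Unique)) {
        [pscustomobject]@{
            ProviderPath = $p
            Exists       = Test-Path -LiteralPath $p -PathType Leaf
        }
    }
}

Find-WindowsAlternateDataStreams | Format-Table -AutoSize
Test-WinsockCatalogPaths | Where-Object { -not $_.Exists } | Format-Table -AutoSize
```

A missing provider path in the second table is the condition the thread's final post describes; the standard remedy for a broken catalog is `netsh winsock reset` followed by a reboot, once the underlying infection has been dealt with.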