Possible Root Kit Infection

I was hoping not to have to come back for more help from the experts, but it appears that I now have a rootkit infection in my laptop.
To cut a long story short, I attached what I thought was a safe USB stick to the laptop. MCShield2 detected malicious code and opened a hidden folder and deleted malware; Norton 360 picked up JS Proslifiken and quarantined it. However, instead of right-clicking the folders on the USB and deleting, through inattention I left-clicked and opened the folder by mistake. Something flashed on the screen and, hey presto, things started going haywire. Malwarebytes Pro (paid version) would not open and some functions within the control panel were disabled.
I have attached the logs below and hope someone can help. Malwarebytes works intermittently, sometimes only able to be accessed via Chameleon, and initially OTL would only run in safe mode.
Any help would be greatly appreciated, again.

Hi and Welcome!!

My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I’d be grateful if you would note the following:

[*] The fixes are specific to your problem and should only be used for the issues on this machine.
[*] It’s often worth reading through these instructions and printing them for ease of reference.
[*] If you don’t know or understand something, please don’t hesitate to say or ask!! It’s better to be sure and safe than sorry.
[*] Please reply to this thread. Do not start a new topic.
[*] If you happen to have a flash drive/thumb drive please have that ready in the event that we need to use it.
[*] Please be sure to subscribe to the topic if you have not already done so.

IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your operating system and losing all your programs and data.

Having said that…
Let’s get going!!

Please run Malwarebytes again, remove that entry that is being detected and then post the new log.

Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.

[*]Disable any antivirus programs during the scan (If you have difficulty properly disabling your protective programs, refer to this link here )
[*] Double click dds to run the tool.
[*]When done, two DDS.txt’s will open.
[*]Save both reports to your desktop.

Please include the contents of the following in your next reply:

DDS.txt

Attach.txt

Please download TDSSKiller

[*]Double click TDSSKiller.exe
[*]Press Start Scan but do nothing else as we are just looking for what is there.
[*]If Malicious objects are found, select Skip by changing the Cure dropdown in the upper right.
[*]Attach the log in your next reply
[*]A copy of the log will be saved automatically to the root of the drive (typically C:)

Hi Jeff,
Thanks for the prompt reply. I have noted and understand your notes; been here, done that with Essex boy not that long ago with my PC.
Logs attached as requested.

Tweaking.com Registry Backup

[*]Download the tool found here to your Desktop so it is easy to find.
[*]Double click on the file you just downloaded to install it to your system.

[*]Once the tool is installed, double-click on the Tweaking.com Registry Backup icon
Note The tool should automatically open to the Backup Registry tab.


[*]Press Backup Now
[*]When the back up is complete, the tool will tell you that Successful / Files Backed Up
[*]You have now successfully backed up your Registry.

Run OTL.exe

[*]Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL


:Services

:OTL
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4:64bit: - HKLM..\Run: []  File not found
O4 - HKU\S-1-5-21-2601538084-2854319939-2143446311-1001..\Run: [73ca7] C:\Users\bandk\AppData\Roaming\65dc\73ca7.js ()
O4 - Startup: C:\Users\bandk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\218.js ()
O33 - MountPoints2\{10b46dd6-8fa3-11e2-be77-4c72b9adc60d}\Shell - "" = AutoRun
O33 - MountPoints2\{10b46dd6-8fa3-11e2-be77-4c72b9adc60d}\Shell\AutoRun\command - "" = "E:\AutoRun.exe"
O33 - MountPoints2\{2faed953-8b5e-11e2-be71-4c72b9adc60d}\Shell - "" = AutoRun
O33 - MountPoints2\{2faed953-8b5e-11e2-be71-4c72b9adc60d}\Shell\AutoRun\command - "" = "E:\AutoRun.exe"
O33 - MountPoints2\{2faedb25-8b5e-11e2-be71-4c72b9adc60d}\Shell - "" = AutoRun
O33 - MountPoints2\{2faedb25-8b5e-11e2-be71-4c72b9adc60d}\Shell\AutoRun\command - "" = "G:\AutoRun.exe"
O33 - MountPoints2\{2faedb6f-8b5e-11e2-be71-4c72b9adc60d}\Shell - "" = AutoRun
O33 - MountPoints2\{2faedb6f-8b5e-11e2-be71-4c72b9adc60d}\Shell\AutoRun\command - "" = "E:\AutoRun.exe"
O33 - MountPoints2\{9a0c2c0d-8b5d-11e2-be75-4c72b9adc60d}\Shell - "" = AutoRun
O33 - MountPoints2\{9a0c2c0d-8b5d-11e2-be75-4c72b9adc60d}\Shell\AutoRun\command - "" = "E:\AutoRun.exe"
O33 - MountPoints2\{9b542469-fd69-11e1-be6f-806e6f6e6963}\Shell\AutoRun\command - "" = "D:\Start.exe"
O33 - MountPoints2\{9b542469-fd69-11e1-be6f-806e6f6e6963}\Shell\Install\Command - "" = D:\Start.exe
[2013/06/18 10:46:14 | 000,000,000 | -HSD | C] -- C:\Users\bandk\AppData\Roaming\65dc
[2013/06/18 10:46:14 | 000,000,000 | -HSD | C] -- C:\6470d

:Files
ipconfig /flushdns /c

:Commands
[emptytemp]
[resethosts]
[start explorer]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot when it is done
[*]Then run a new scan and post a new OTL log ( don’t check the boxes beside LOP Check or Purity this time )
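Added example (not from the thread, and not OTL's own code): a small Python triage pass over OTL-style log lines, flagging the three patterns that make the fix above worth running: script files (.js and friends) in Run/Startup entries, MountPoints2 AutoRun/Install handlers that launch an executable from a removable drive, and freshly created hidden+system directories with random-looking hex names. The sample lines are constructed to mirror the entries quoted in this thread plus one benign Run entry; the regexes are written against that sample, not OTL's full grammar.

```python
import re

# Constructed sample: lines modelled on the OTL entries quoted in the thread,
# plus one benign Run entry so the triage has something to leave alone.
SAMPLE_OTL = r"""
O4 - HKLM..\Run: [Malwarebytes] C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKU\S-1-5-21-2601538084-2854319939-2143446311-1001..\Run: [73ca7] C:\Users\bandk\AppData\Roaming\65dc\73ca7.js ()
O4 - Startup: C:\Users\bandk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\218.js ()
O33 - MountPoints2\{10b46dd6-8fa3-11e2-be77-4c72b9adc60d}\Shell\AutoRun\command - "" = "E:\AutoRun.exe"
O33 - MountPoints2\{9b542469-fd69-11e1-be6f-806e6f6e6963}\Shell\Install\Command - "" = D:\Start.exe
[2013/06/18 10:46:14 | 000,000,000 | -HSD | C] -- C:\Users\bandk\AppData\Roaming\65dc
"""

SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")
# O4 = autostart entry: location: [name] path (company); 64-bit entries carry an extra tag.
O4_RE = re.compile(r"^O4(?::64bit:)?\s*-\s*(?P<loc>.+?):\s*(?:\[[^\]]*\]\s*)?"
                   r"(?P<path>.*?)\s*\((?P<company>[^)]*)\)\s*$")
# O33 = per-volume shell handler under MountPoints2 (what an AutoRun'd USB stick fires).
O33_RE = re.compile(r'^O33\s*-\s*MountPoints2\\\{(?P<guid>[^}]+)\}\\Shell\\(?P<verb>\w+)'
                    r'\\[Cc]ommand\s*-\s*""\s*=\s*"?(?P<cmd>[^"]+?)"?\s*$')
# Created-item line: [date time | size | attributes | C] -- path
DIR_RE = re.compile(r"^\[[^\]]+\|\s*(?P<attr>[-A-Z]{4})\s*\|\s*C\]\s*--\s*(?P<path>.+)$")

def triage(otl_text):
    """Return (line, reason) pairs for entries that deserve a second look."""
    findings = []
    for line in otl_text.splitlines():
        m = O4_RE.match(line)
        if m:
            path, company = m.group("path").strip(), m.group("company").strip()
            if path.lower().endswith(SCRIPT_EXTS):
                findings.append((line, f"script file launched at logon: {path}"))
            elif "\\appdata\\" in path.lower() and not company:
                findings.append((line, f"unknown program launched from a user profile: {path}"))
            continue
        m = O33_RE.match(line)
        if m:
            findings.append((line, f"MountPoints2 {m['verb']} handler runs {m['cmd']} "
                                   f"for volume {{{m['guid']}}}"))
            continue
        m = DIR_RE.match(line)
        if m and "H" in m["attr"] and "S" in m["attr"]:
            name = m["path"].rstrip("\\").rsplit("\\", 1)[-1]
            if re.fullmatch(r"[0-9a-f]{3,8}", name):  # random-looking hex name like 65dc
                findings.append((line, f"new hidden+system directory with hex name: {m['path']}"))
    return findings

if __name__ == "__main__":
    for _, reason in triage(SAMPLE_OTL):
        print(reason)
```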

Sorry to take so long to get back to you.
Between renovations at home and mid-year stock take at work, time has been a bit tight.
OTL log after fix is attached as requested.

Hi,

No problem for any delay. :slight_smile:

How is your system running?

The system seems to be running ok at this stage. No problems opening any of the programs, including Malwarebytes, and no noticeable issues with the overall operation.
Kym

Good…let’s check for anything else hiding in there.

Malwarebytes

Please open Malwarebytes, update it and then run a Quick Scan. Save the log that is created for your next reply.

ESET Online Scanner

Go here to run an online scanner from ESET. Windows Vista/Windows 7 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator
[*]Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
[*]Turn off the real time scanner of any existing antivirus program while performing the online scan
[*]Tick the box next to YES, I accept the Terms of Use.
[*]Click Start
[*]When asked, allow the activex control to install
[*]Click Start
[*]Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
[*]Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
[*]Click Scan
[*]Wait for the scan to finish
[*]When the scan is done, if it shows a screen that says “Threats found!”, then click “List of found threats”, and then click “Export to text file…”
[*]Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.
[*]Close the ESET online scan, and let me know how things are now.

Hi Jeff,
Everything seems to be running fine at the moment. The only issue I am having is the Norton 360 critical updates will not load, but I am not sure if that is related to the issue at hand or a Norton problem.
The logs are attached as requested.
Regards,
Kym

Everything is looking good.

You might try a reinstall of Norton 360 if you have the license key?? If so, give that a try and let me know how your system is running. :slight_smile:

What about
C:\Users\bandk\AppData\Roaming\uTorrent\uTorrent.exe a variant of Win32/Bunndle application
C:\Users\bandk\Downloads\uTorrent-3.3.exe a variant of Win32/Bunndle application
anything bundled or loaded by this program?

And is Norton 360 being used as an AV?
Are you also running Avast?

I have a licence key for the Norton; it is a genuine version that came with the laptop.
Looks like the grandkids have been using uTorrent when they have been visiting, as it is not a program I would normally use.
Will re-install Norton when I can find the disk; we are in the middle of renovations and everything is packed away in boxes.
I am not running Avast on the laptop, only the PC. I have come here for help because the infection I thought I had on the laptop came from the same source as the infection on the PC, which essexboy sorted out for me several months ago.
If Jeff thinks I should uninstall uTorrent then I will. I will await further advice.

Hi,

what about C:\Users\bandk\AppData\Roaming\uTorrent\uTorrent.exe a variant of Win32/Bunndle application C:\Users\bandk\Downloads\uTorrent-3.3.exe a variant of Win32/Bunndle application anything bundled or loaded by this program
As you can see in the following link, these entries are not necessarily bad. >>> http://www.systemlookup.com/search.php?type=filename&search=uTorrent.exe&s=

Now I would never recommend the use of torrents because even though the site and the download software might be fine, the software you are downloading from the site via Peer-to-Peer (P2P) could, and normally does, contain malicious content. I would go ahead and remove uTorrent from the system completely.

As for Norton…do you happen to know if possibly the license has expired? If it expired then the updates for the software would cease. If you happen to find that it did expire, I would recommend Avast as a new antivirus program. :slight_smile:

uTorrent has been uninstalled.
I do not have a user account with uTorrent; as for the grandkids, I have no idea, that is up to their parents to worry about.
The Norton still has 9 months to run, it came with the laptop as part of the deal, so
when I find the disc I will run a repair and see if that fixes the problem.
Regards,
Kym

Not a torrent user account:
a Windows user account separate from the administrator account, which you use most all the time except when doing system maintenance.
Harder for the bad guys to get to your system that way.
Do some research on locking down your system;
if the grandkids have their own user account you can prevent them from downloading rogue software.

Hi,

The Norton still has 9 months to run,it came with the laptop as part of the deal, so when I find the disc I will run a repair and see if that fixes the problem.
If you are not able to do any updates with Norton then you need to really limit your internet usage to only necessary places that you need to visit. Without those updates, your system will become less and less secure as more and more variants of infections are created every day. Until I could find the Norton disk to see if a repair of it is possible, I would (if it were my system) remove it completely and put on an antivirus that can be updated. That is just my opinion.

How is your system running otherwise??

OP
Windows has an easy to set up “guest” user; perfect for the grandkids.
Put a good password on your account and do NOT give it to them.
As stated in the previous post, you are vulnerable.
If doing financials, online bill pay etc., change your passwords.
You can uninstall Norton, RUN THE NORTON REMOVAL TOOL and install AVAST, update and run a scan.
I’d also go to
http://forum.avast.com/index.php?topic=53253.0 and bookmark it for future use.
You might want to do some baseline scans and save the results .txt files in a special folder.
Even if you repair Norton you should run update to get the latest version.
It is possible, however, that malware is blocking Norton.
BVVC
Comments Jeff?

Hi,

It is possible, however, that malware is blocking norton BVVC comments jeff?
It is possible that malware is blocking the Norton updates but I think we would have seen that already.
How is your system running otherwise??
:)

Apart from the Norton update problem everything seems to be running fine.
Will hunt for the disk over the weekend and run a repair.
At the moment we are limiting internet usage anyway, as we are both fairly busy at the moment with little time to go online except at work.
Will set up a user account for the grandkids anyway, just to be on the safe side.
Kym

Sounds great!! Good to hear. I will go ahead and give you some clean-up procedures and good information for system security.

Providing there are no other malware related problems…

IT APPEARS THAT YOUR LOGS ARE NOW CLEAN

This infection appears to have been cleaned, but I can not give you any absolute guarantees. As a precaution, I would go ahead and change all of your passwords as this is especially important after an infection.

Clean up with OTL:

[*]Right-click and Run as Administrator OTL.exe to start the program.
[*]Close all other programs apart from OTL as this step will require a reboot
[*]On the OTL main screen, press the CLEANUP button
[*]Say Yes to the prompt and then allow the program to reboot your computer.


Any of the logs that you created for use in the forums or remaining tools that have not yet been removed can be deleted so they aren’t cluttering up your desktop. If you did not have Malwarebytes Antimalware before, I would keep it and run it weekly.

Here are some tips to reduce the potential for spyware infection in the future:

1. Make your Internet Explorer more secure - This can be done by following these simple instructions:

[*]From within Internet Explorer click on the Tools menu and then click on Options.
[*]Click once on the Security tab
[*]Click once on the Internet icon so it becomes highlighted.
[*]Click once on the Custom Level button.
[*]Change the Download signed ActiveX controls to Prompt
[*]Change the Download unsigned ActiveX controls to Disable
[*]Change the Initialize and script ActiveX controls not marked as safe to Disable
[*]Change the Installation of desktop items to Prompt
[*]Change the Launching programs and files in an IFRAME to Prompt
[*]Change the Navigate sub-frames across different domains to Prompt
[*]When all these settings have been made, click on the OK button.
[*]If it prompts you as to whether or not you want to save the settings, press the Yes button.
[*]Next press the Apply button and then the OK to exit the Internet Properties page.

2. FireFox If you use Firefox, I recommend installing the following add-ons to help make your Firefox browser more secure:
NoScript
AdBlock Plus

3. Use and update an anti-virus software - I can not overemphasize the need for you to use and update your anti-virus application on a regular basis. With the ever increasing number of new variants of malware arriving on the scene daily, you become very susceptible to an attack without updated protection.

4. Firewall
Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. There are firewalls that could be downloaded and used but I would personally only recommend using one of the following two below:
Online Armor Free
Agnitum Outpost Firewall Free

5. Make sure you keep your Windows OS current. Windows XP users can visit Windows update regularly to download and install any critical updates and service packs. Windows Vista/7 users can open the Start menu > All Programs > Windows Update > Check for Updates (in left hand task pane) to update these systems. Without these you are leaving the back door open.

6. WOT (Web of Trust) As “Googling” is such an integral part of internet life, this free browser add on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT’s color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites. WOT has an add-on available for Firefox, Internet Explorer as well as Google Chrome.

7. Finally, I strongly recommend that you read Miekiemoes’ great advice How to prevent malware.

Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.