[Resolved] Rootkit mop-up

Hello there, thanks in advance for any advice. I’ve been trying to get rid of this rootkit I got on Thursday and I think I’ve gotten rid of most of it this morning, thanks largely to the tips on this forum. I just did an Avast boot scan and came up clean :), but system restore is still not functional and I still see some rogue svchost.exe’s come up in my task manager. Any help in fixing is greatly appreciated. I’ve run TDSSKiller which spotted something and fixed (now scan comes up clean), then I ran aswMBR (log attached), then finally ran OTS (log attached). Awaiting further instructions…

Welcome to the forum. Someone will check those logs for you and give you further instructions on how to proceed.
I'm no expert on them, but I can suggest you scan with Malwarebytes Anti-Malware as a first step while you wait for an answer from the expert on the logs.

http://filehippo.com/download_malwarebytes_anti_malware/

Download, install, update, and scan. Don't forget to remove what it finds. A system reboot might be needed.

Good luck.

It might help to disable System Restore and delete your restore points. If you still want to use System Restore in the future, then re-enable it. You said "I think I've gotten rid of most of it this morning"; how did you do this?

Try Malwarebytes' Anti-Malware and post the log.
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol;1

I spoke a little too soon... While trying multiple scans over the weekend, still hunting for the source of all those 'svchost.exe' hogging my CPU, I found when I woke up yesterday morning I couldn't boot up. It would get hung up with a black screen and blinking cursor just after the Dell splash screen came up (by the way, I'm using a Dell Mini 1012 with XP). I couldn't even get to safe mode, only the setup menu. So I tried win2flash with a USB drive and was able to boot up once, and I backed up/exported settings and files, everything I could, just to be safe. I had decided at that point I should just try to reinstall Windows, but I could not because Windows couldn't find my hard drive! After many more attempts at trying different things, I finally had some success with win2flash. From the win2flash-formatted USB drive, I got to the menu at bootup and chose the debug partition option (the first one). Although it seemed to freeze halfway through, when I rebooted and chose the same debug option again, it resumed Windows to my surprise and began carrying out my chkdsk /f request from the day before! The next time I rebooted (still using the win2flash debug option on the USB drive) I was able to see my desktop. I was so damned happy, yet nervous about having to reboot again in order to repair the master boot record... until I remembered reading in this forum that there was a way to repair the MBR using aswMBR without rebooting to the Recovery Console. So I went into aswMBR, hit Scan and then hit the FixMBR button (log attached), and it seemed to work, as I can now reboot normally. However, before I dance in the streets I'd like to make sure I'm totally clean (just did a Malwarebytes scan, log attached, and came up clean). I'm still seeing some rogue 'svchost.exe' processes in my task manager (see attached jpg), but they're not hogging my CPU like last week.
I also ran TDSSKiller again (Dom, this caught a rootkit infection last week–that was why I thought I had cleaned it…but I guess it either hadn’t fully cleaned me, or the damage had already been done.) Am I out of the woods yet? I appreciate your help!

Thank you for posting your recent logs. Can you please post a fresh OTS log (make sure it is in ANSI)? Thank you.

I am going to refer you to our Certified Malware expert, named Essexboy. He will also review your logs and give you further instructions and use other tools to remove malware, however he comes on the forum late UK time. He will respond to you in this thread, so remember to check this thread daily. Please only follow the instructions of Essexboy once he starts your malware removal process. The Avast Evangelists may answer questions in between when he is on the forum.

Please do not make any further changes to your machine after you have provided the logs.

Please let me know if you have any questions. Thank you.

Edit: Essexboy has been notified.

OTS log attached, thanks SafeSurf. I’ll make no other changes until I hear further instructions.

Hi, what error do you get when you try System Restore?

Also, what are your current problems?

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Registry - Safe List]
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" -> [C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe:*:Enabled:McAfee Shared Service Host]
YN -> "C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" -> [C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent]
[Files/Folders - Modified Within 30 Days]
NY ->  g8x4u1837i1s -> C:\Documents and Settings\USER\Local Settings\Application Data\g8x4u1837i1s
NY ->  g8x4u1837i1s -> C:\Documents and Settings\All Users\Application Data\g8x4u1837i1s
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
  

The fix should only take a very short time. When the fix is completed, a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.
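The fix above removes two entries from the firewall's authorized-applications list. As an added example that is not part of the thread or of OTS, the following PowerShell audits that same registry key on a Windows XP/2003 machine and flags allowlist entries whose program is no longer on disk (the usual reason such leftovers get cleaned). It assumes PowerShell 2.0 or later run from an elevated prompt, and that values there follow the `<path>:<scope>:Enabled|Disabled:<display name>` format those versions of Windows write; the function name is my own.

```powershell
# Added example (not from the thread): audit the per-profile "AuthorizedApplications"
# allowlist of the Windows XP firewall, the registry key the OTS fix edits.
# Assumes PowerShell 2.0+ running elevated. Function name and output fields are
# assumptions of this example, not anything OTS or Windows provides.
function Get-XpFirewallAllowlist {
    param(
        [string]$Profile = 'StandardProfile'   # or 'DomainProfile'
    )
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\$Profile\AuthorizedApplications\List"
    if (-not (Test-Path $key)) {
        Write-Warning "$key not found (Vista and later keep rules under ...\FirewallPolicy\FirewallRules)"
        return
    }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, PSChildName, ...
        # Value format written by XP/2003: "<path>:<scope>:Enabled|Disabled:<display name>".
        # The lazy path group tolerates the colon after the drive letter.
        $m = [regex]::Match([string]$prop.Value,
                            '^(?<path>.+?):(?<scope>[^:]*):(?<state>Enabled|Disabled):(?<name>.*)$')
        if (-not $m.Success) {
            New-Object PSObject -Property @{
                Entry = $prop.Name; Path = $null; Scope = $null; State = 'UNPARSED'
                Name = [string]$prop.Value; OnDisk = $false; Flag = 'malformed value'
            }
            continue
        }
        $path   = [Environment]::ExpandEnvironmentVariables($m.Groups['path'].Value)
        $onDisk = Test-Path -LiteralPath $path -PathType Leaf
        $flag = @()
        if (-not $onDisk) { $flag += 'program missing from disk' }
        if ($prop.Name -ne $m.Groups['path'].Value) { $flag += 'value name differs from path in value' }
        New-Object PSObject -Property @{
            Entry  = $prop.Name
            Path   = $path
            Scope  = $m.Groups['scope'].Value     # '*' means any remote address
            State  = $m.Groups['state'].Value
            Name   = $m.Groups['name'].Value
            OnDisk = $onDisk
            Flag   = ($flag -join '; ')
        }
    }
}

# Usage: everything first, then only the entries whose program is gone.
Get-XpFirewallAllowlist | Format-Table Entry, State, OnDisk, Flag -AutoSize
Get-XpFirewallAllowlist | Where-Object { -not $_.OnDisk }
```

An entry pointing at a program that no longer exists is harmless in itself, but it is exactly the kind of stale hole a later dropper with the same path would inherit, so removing it is good hygiene; an entry whose program does exist but that you do not recognise is the one to investigate rather than delete blindly.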

Thanks Essexboy. The last time I tried to restore was on Friday, but every time I tried it would begin the process, finish the restore progress bar then shut down, and then upon reboot it would say “restoration incomplete due to an error” (or something very similar) with no other info. I tried this with about 5 restore points and then gave up on restore and haven’t tried again since.

I did your fix, took about 15 minutes, log attached. The PC got hung up trying to shut down, so after about 7 minutes I powered down. No issues at reboot. Let me know if I should try restore, looks like it’s been deactivated though.

Other than that, no problems with PC to report.

Two points to note from the report:

Total Files Cleaned = 2,933.00 mb Error starting restore point: System Restore is disabled.
The amount of temp files indicates why the fix took so long, and the failure to create a restore point caused the hang.

Could you go to this MS site and follow the advanced troubleshooting? If you get as far as step 4, could you post the error reports?
http://support.microsoft.com/kb/302796

If you have a Windows disc we could reinstall System Restore.

I went through step 4 of the troubleshooting. In method 1 (using compmgmt.msc) I restarted the service (you'll see that in the log), and it looked like it was successful. I went through stage 4 of the methods with no flags. Just to test it, I tried to create a restore point and was successful, but it didn't seem to generate an updated event in the Event Viewer...

Let's see if a restore point is created.

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Custom Items]
[CreateRestorePoint]

Post the results log please

Log attached.

It set one this time - any other problems ?

No problems now... The only thing that still looks odd is that 6 "svchost.exe" processes are still showing up in the task manager. Are these benign? I can live with these if you don't feel they are a threat.

I am currently running 13 all told - but I do have 8 programmes open at the moment ;D

It isn’t unusual to see multiple instances of svchost.exe, that is its task, acting as a host for other services.
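Since several svchost.exe instances are normal, the useful check is whether each one is the real binary, was started by services.exe, and is actually hosting services. The built-in `tasklist /svc` shows the last of these. As an added example that is not part of the thread, the PowerShell below does all three checks for every svchost.exe and reports why an instance looks off. It assumes PowerShell 2.0 or later on an elevated prompt (the image path is not readable for other accounts' processes otherwise); the function name and output fields are my own.

```powershell
# Added example (not from the thread): account for every svchost.exe instance.
# A genuine svchost.exe is %SystemRoot%\System32\svchost.exe, is started by
# services.exe, and hosts at least one service. Anything else using that name
# deserves a closer look. Assumes PowerShell 2.0+ run elevated; the function
# name and output fields are assumptions of this example.
function Get-SvchostAudit {
    $expected = Join-Path $env:SystemRoot 'System32\svchost.exe'
    $allProcs = Get-WmiObject Win32_Process
    # Services with ProcessId 0 are stopped; only running ones map to a host process.
    $services = Get-WmiObject Win32_Service | Where-Object { $_.ProcessId -ne 0 }

    # PID -> process, so the parent can be resolved by name.
    $byPid = @{}
    foreach ($p in $allProcs) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($p in ($allProcs | Where-Object { $_.Name -ieq 'svchost.exe' })) {
        $hosted = @($services | Where-Object { $_.ProcessId -eq $p.ProcessId } |
                    ForEach-Object { $_.Name })
        $parent = $byPid[[int]$p.ParentProcessId]
        # A missing parent usually means it exited and the PID may have been reused.
        $parentName = if ($parent) { $parent.Name } else { '<exited>' }

        $reasons = @()
        if (-not $p.ExecutablePath) {
            $reasons += 'path not readable (run elevated)'
        } elseif ($p.ExecutablePath -ine $expected) {
            $reasons += "image is $($p.ExecutablePath)"
        }
        if ($parentName -ine 'services.exe') { $reasons += "parent is $parentName" }
        if ($hosted.Count -eq 0)             { $reasons += 'hosts no service' }

        New-Object PSObject -Property @{
            PID      = $p.ProcessId
            Parent   = $parentName
            Path     = $p.ExecutablePath
            Services = ($hosted -join ', ')
            Suspect  = ($reasons.Count -gt 0)
            Why      = ($reasons -join '; ')
        }
    }
}

# Usage: suspect instances float to the top.
Get-SvchostAudit | Sort-Object Suspect -Descending |
    Format-Table PID, Parent, Suspect, Services, Why -AutoSize
```

A svchost.exe living outside System32, started by explorer.exe or another svchost, or hosting nothing at all is the pattern malware uses when it borrows the name; a System32 copy started by services.exe that lists netsvcs, RpcSs, Dhcp and the like is exactly what Essexboy describes and can be left alone.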

HA! Got it. OK, I’m set then. Thank you again for your assistance. You have saved my life.

Subject to no further problems.

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day: your log now appears clean.

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[ClearAllRestorePoints] 

Run OTS and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set back to hidden, as some of the tools I use will change that.

  1. Click Start.
  2. Open My Computer.
  3. Select the Tools menu and click Folder Options.
  4. Select the View tab.
  5. Under the Hidden files and folders heading, select Do not show hidden files and folders.
  6. Click Yes to confirm.
  7. Click OK.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application.

Upgrading Java:

  1. Go to this site and click Do I have Java?
  2. It will check your current version and then offer to update to the latest version.

SPRING CLEAN

Download and run Puran Disc Defragmenter.
For the first run I would recommend a boot defrag and disk check.


Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes. Update and run weekly to keep your system clean.

Download and install the FileHippo update checker and run it monthly; it will show you which programmes on your system need updating and give a download link.

It is critical to have both a firewall and antivirus to protect your system, and to keep them updated.

To keep your operating system up to date, visit Microsoft Windows Update.

To learn more about how to protect yourself while on the internet, read our little guide "How did I get infected in the first place?"
Keep safe.

In the meantime, here are a few suggestions in addition to the ones given to you by Essexboy to keep you and your machine safer in the future:

  1. Keep your definitions up to date for both Avast and MBAM.
  2. Keep all your shields on with Avast.
  3. Update MBAM prior to scanning, then do Quick scans.
  4. Keep your MS/Windows Updates current.
  5. Add security-related add-ons to your browsers for safer browsing. See my signature as an example.
  6. Use common sense when browsing and do not go to risky sites.
  7. When downloading software, read what you are clicking and do not download adware toolbars which are commonly opted in; look before you click or do a Custom install to avoid putting unwanted toolbars on your machine that lead to spyware tracking or adware.
  8. Check to see that your software is up to date with the free Secunia Software Inspector http://secunia.com/vulnerability_scanning/personal/ since software is changing all the time. This site gives you the vendor’s direct download link making it easy to upgrade your software. Many of us here scan our machines weekly.

Please report back to us within 24 - 48 hours to let us know how your machine is running, and you can do your updates as we mentioned in the meantime. If you experience any problems, report back to us immediately. Thank you.

Updates and defrags complete! All still running fine, no problems to report. Thanks a million.