Rootkit Infection!

Hi

My other computer has a rootkit infection >:(

Avast picked it up, but after a couple of tries, cannot get rid of the beastie.

I’ve followed an earlier thread, have run aswMBR.exe, did a scan, which found the ROOTKIT, then clicked fix and saved the log [below]. I haven’t yet restarted after running aswMBR.exe. I downloaded OTH and OTL as instructed by the thread, but am unsure where to find the scan.txt file that it mentions.

Any ideas where this exists, please?

Here’s the log:


aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-03-26 20:22:41
-----------------------------
20:22:41.937    OS Version: Windows 5.1.2600 Service Pack 3
20:22:41.937    Number of processors: 1 586 0x204
20:22:41.937    ComputerName: TRACE  UserName: 
20:22:42.781    Initialize success
20:23:04.187    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdePort0
20:23:04.187    Disk 0 Vendor: MAXTOR_6L040J2 A93.0500 Size: 38172MB BusType: 3
20:23:04.187    Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskMAXTOR_6L040J2__________________________A93.0500#3636323232323436323332322020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
20:23:04.187    Device \Driver\atapi -> DriverStartIo 86f4427f
20:23:06.187    Disk 0 MBR read successfully
20:23:06.187    Disk 0 MBR scan
20:23:06.187    Disk 0 TDL4@MBR code has been found
20:23:06.187    Disk 0 MBR hidden
20:23:06.187    Disk 0 MBR [TDL4]  **ROOTKIT**
20:23:06.203    Disk 0 trace - called modules:
20:23:06.203    ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86f44439]<<
20:23:06.203    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f5bab8]
20:23:06.203    3 CLASSPNP.SYS[f75d7fd7] -> nt!IofCallDriver -> [0x86f72f18]
20:23:06.203    \Driver\atapi[0x86f5ed28] -> IRP_MJ_CREATE -> 0x86f44439
20:23:06.218    Scan finished successfully
20:24:02.437    Disk 0 fixing MBR
20:24:12.437    Disk 0 MBR restored successfully
20:24:12.437    Infection fixed successfully - please reboot ASAP

Thanks

Any ideas where this exists, please?
I think the log is saved in the same location as you saved OTS.
20:24:12.437 Infection fixed successfully - please reboot ASAP
You should also re-run aswMBR and this time only click "save log" and post it here.

The first thing you should do is reboot as the aswMBR report suggests.

If you run any other tools prior to this, a) they might find something and b) they could possibly interfere with the work already done.

Thanks for the replies.

Ok, rebooted and re-scanned with aswMBR

new log:


aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-03-26 21:54:23
-----------------------------
21:54:23.203    OS Version: Windows 5.1.2600 Service Pack 3
21:54:23.203    Number of processors: 1 586 0x204
21:54:23.203    ComputerName: TRACE  UserName: 
21:54:23.765    Initialize success
21:55:02.093    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
21:55:02.093    Disk 0 Vendor: MAXTOR_6L040J2 A93.0500 Size: 38172MB BusType: 3
21:55:04.109    Disk 0 MBR read successfully
21:55:04.109    Disk 0 MBR scan
21:55:06.109    Disk 0 scanning sectors +78156225
21:55:06.203    Disk 0 scanning C:\WINDOWS\system32\drivers
21:55:19.875    Service scanning
21:55:22.468    Disk 0 trace - called modules:
21:55:22.484    ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS 
21:55:22.484    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f85ab8]
21:55:22.484    3 CLASSPNP.SYS[f75d7fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86f94d98]
21:55:22.484    Scan finished successfully
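The two aswMBR logs in this thread (the infected run above the fix, and the rescan after the reboot) differ in a handful of lines, and those lines are what aswMBR uses to call a disk "hidden" or "hooked". The script below is an added example written for this thread, not part of aswMBR, OTS or any other tool here; it pulls those indicator lines out of a saved aswMBR log, names the family from the MBR verdict, and reports whether the run ended with a fix that still needs a reboot. The indicator patterns are taken from the 0.9.4 log format quoted in the two posts, and the embedded sample logs are the thread's own logs trimmed to the lines that matter.

```python
"""Triage an aswMBR log: pick out the lines aswMBR prints when the MBR or the disk
I/O path is hooked, and say whether the run ended with a fix that needs a reboot.
Added example for this thread, not part of aswMBR; the patterns are taken from the
0.9.4 log format quoted in the posts above."""
import re
from dataclasses import dataclass, field

# One pattern per kind of evidence; each is matched against the line with its timestamp removed.
INDICATORS = {
    # "Disk 0 MBR [TDL4]  **ROOTKIT**": aswMBR's verdict, family name in brackets
    "mbr_rootkit_verdict": re.compile(r"MBR \[(?P<family>[^\]]+)\]\s+\*\*ROOTKIT\*\*"),
    # "Disk 0 TDL4@MBR code has been found": signature hit on the boot sector
    "mbr_code_match": re.compile(r"(?P<family>\S+)@MBR code has been found"),
    # "Disk 0 MBR hidden": the MBR seen through the driver stack is not the real sector
    "mbr_hidden": re.compile(r"Disk \d+ MBR hidden"),
    # ">>UNKNOWN [0x...]<<" in the call trace: code no loaded driver image accounts for
    "unknown_module_in_trace": re.compile(r">>UNKNOWN \[0x[0-9a-fA-F]+\]<<"),
    # "nt!IofCallDriver -> [0x...]": IRP handed to a bare address, not a named device object
    "unresolved_iofcalldriver": re.compile(r"nt!IofCallDriver -> \[0x[0-9a-fA-F]+\]"),
    # "\Driver\atapi[0x...] -> IRP_MJ_CREATE -> 0x...": dispatch entry pointing outside the driver
    "irp_dispatch_hook": re.compile(r"\\Driver\\\w+\[0x[0-9a-fA-F]+\] -> IRP_MJ_\w+ -> 0x[0-9a-fA-F]+"),
}
TIMESTAMP = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3}\s+")

@dataclass
class Triage:
    findings: list = field(default_factory=list)  # (indicator name, log line)
    families: set = field(default_factory=set)    # e.g. {"TDL4"}
    scan_completed: bool = False
    fixed: bool = False                           # MBR was rewritten: reboot before anything else

    @property
    def rootkit(self) -> bool:
        return bool(self.findings)

def triage(log_text: str) -> Triage:
    result = Triage()
    for raw in log_text.splitlines():
        body = TIMESTAMP.sub("", raw.strip())
        for name, pattern in INDICATORS.items():
            m = pattern.search(body)
            if m is None:
                continue
            result.findings.append((name, body))
            family = m.groupdict().get("family")
            if family:
                result.families.add(family)
        if "Scan finished successfully" in body:
            result.scan_completed = True
        if "Infection fixed successfully" in body:
            result.fixed = True
    return result

def verdict(log_text: str) -> str:
    """One-line summary matching the advice given in the replies."""
    t = triage(log_text)
    what = "/".join(sorted(t.families)) or "MBR rootkit"
    if not t.scan_completed:
        return "scan did not complete; rerun aswMBR"
    if t.rootkit and t.fixed:
        return f"{what} found and MBR restored: reboot, then rescan"
    if t.rootkit:
        return f"{what} found, not fixed"
    return "no MBR/stack hooks reported"

# The two logs posted in this thread, trimmed to the lines that drive the triage.
INFECTED_LOG = r"""aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
20:23:06.187    Disk 0 MBR scan
20:23:06.187    Disk 0 TDL4@MBR code has been found
20:23:06.187    Disk 0 MBR hidden
20:23:06.187    Disk 0 MBR [TDL4]  **ROOTKIT**
20:23:06.203    Disk 0 trace - called modules:
20:23:06.203    ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86f44439]<<
20:23:06.203    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f5bab8]
20:23:06.203    3 CLASSPNP.SYS[f75d7fd7] -> nt!IofCallDriver -> [0x86f72f18]
20:23:06.203    \Driver\atapi[0x86f5ed28] -> IRP_MJ_CREATE -> 0x86f44439
20:23:06.218    Scan finished successfully
20:24:12.437    Disk 0 MBR restored successfully
20:24:12.437    Infection fixed successfully - please reboot ASAP
"""
CLEAN_LOG = r"""aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
21:55:04.109    Disk 0 MBR scan
21:55:06.109    Disk 0 scanning sectors +78156225
21:55:22.468    Disk 0 trace - called modules:
21:55:22.484    ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
21:55:22.484    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f85ab8]
21:55:22.484    3 CLASSPNP.SYS[f75d7fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86f94d98]
21:55:22.484    Scan finished successfully
"""

if __name__ == "__main__":
    for label, log in (("before fix", INFECTED_LOG), ("after reboot", CLEAN_LOG)):
        print(f"{label}: {verdict(log)}")
        for name, line in triage(log).findings:
            print(f"    {name}: {line}")
```

On the first log every indicator fires, the family resolves to TDL4, and the "fixed" flag means the MBR on disk has already been rewritten but the hooked driver code is still resident until the reboot, which is why the replies above say to reboot before running anything else. On the rescan the call trace resolves every hop to a named driver image and device object, so nothing fires. A clean result from this script says only that aswMBR saw no MBR or I/O-path hook; it says nothing about the registry and file changes the rootkit's dropper left behind, which is what the OTS log is for.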

It looks clean, so now you have to post the OTS log so Essexboy can check and see that all of it is gone.

Thanks - although I haven't run OTS or anything else. Should I run just OTS now?

Yes, it is recommended to save and run it from the desktop, and then you will also find the log there.

Monitoring - don’t ya just love aswMBR ;D

Thanks - I’m running it now and will post the logs when it’s done.

The infected computer is my other computer, connected via LAN. I'm not sure what the source of the rootkit is; should I be worried about my main computer? At some point on the other computer, a link was clicked [not by me!] that turned out to be one of those spoof AV programs; then there was lots of redirecting when doing Google searches. Is that the likely source, or is it too wide a question?

Thanks again for your help sorting this, appreciated!

Certainly do!!

OK, I've got the OTS log, but it's huge. Should I post a part of it, or all of it in a few posts, or is there a way to attach a .txt file?

I'd left avast running [perhaps I shouldn't?] and, just before OTS finished and brought up the log, avast popped up a 'threat has been detected' message.

Lower left corner > additional options > attach.

Ah, I was looking up top :)

OTS log attached … in two parts, as it was too big for the maximum; split at 'M'. This is part I.

THANKS!

and part deux [attached]

Morning

It seems to be ok now - avast isn’t reporting the rootkit anymore and google isn’t being redirected, so I think I’m sorted.

Thanks all for your help! 8)

I’ll d/l MBAM and make sure it’s run once a week as I think I read somewhere.

;D

Unfortunately the OTS log was saved as Unicode and not ANSI - however, if you are happy then fine… Otherwise, could you resave the OTS file as ANSI?

Cool, will give it another run and save as ANSI later tonight when I'm back.
Thanks

Hi

Here is the ANSI version of my OTS log [as one file now it's ANSI].

I haven't had a recurrence of the ROOTKIT warning from avast, but I did download and run MBAM … er, it discovered 868 threats that needed to be deleted …

ANSI log attached, thanks.

Yep, looking at that I can see why - did MBAM remove all the IFEO registry settings and the disallow run ones?

This is a big fix, so I will attach it as a text file; download it to your desktop.

- Start OTS
- Then press the Run Fix button, and a dialogue box will pop up asking for the location - select the fix.txt you downloaded
- Then click the Run Fix button at the top

The fix should only take a very short time. When the fix is completed, a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.
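The two registry artifacts asked about here, IFEO entries and the DisallowRun policy, are both ways of stopping security tools by name: an Image File Execution Options subkey with a "Debugger" value makes Windows launch that command instead of the named image, and the Explorer DisallowRun policy lists executables the shell will refuse to start. The script below is an added example for this thread, not part of OTS, MBAM or aswMBR: it parses a `reg export` of those keys and lists what it finds, so the "did MBAM remove all of them" question can be answered from a fresh export rather than from a removal log. The key paths are the real ones; the sample export embedded in the script is constructed for illustration (the avast.exe, mbam.exe and OTS.exe entries are hypothetical), and the script also handles the Unicode-versus-ANSI issue raised earlier, since `reg export` writes UTF-16 with a byte-order mark by default.

```python
r"""Flag Image File Execution Options (IFEO) "Debugger" hijacks and the Explorer
DisallowRun policy in a .reg export. Added example for this thread, not part of
OTS, MBAM or aswMBR. Run it against the output of
  reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg
  reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" policies.reg
The key names are real; SAMPLE_EXPORT below is constructed and its entries are hypothetical."""
import re

IFEO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
EXPLORER_POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

def decode_reg_export(data: bytes) -> str:
    # reg.exe writes UTF-16LE with a BOM (Notepad calls it "Unicode"); an "ANSI" save is cp1252.
    return data.decode("utf-16") if data.startswith(b"\xff\xfe") else data.decode("cp1252")

def _unescape(s: str) -> str:
    # .reg string syntax escapes backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text: str) -> dict:
    """Return {key path: {value name: value}}; strings and dwords decoded, other types kept raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if not m or current is None:
            continue  # header, blank line, comment or a hex continuation line we do not model
        name = "@" if m.group(1) is None else _unescape(m.group(1))
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            keys[current][name] = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        else:
            keys[current][name] = data
    return keys

def _value(values: dict, name: str):
    # registry value names are case-insensitive
    return next((v for k, v in values.items() if k.lower() == name.lower()), None)

def find_ifeo_debuggers(reg: dict) -> list:
    """(image name, debugger command) for every IFEO subkey carrying a Debugger value.
    Windows starts that command in place of the image, which is how the image gets blocked."""
    prefix = IFEO_KEY.lower() + "\\"
    hits = []
    for key, values in reg.items():
        if key.lower().startswith(prefix):
            debugger = _value(values, "Debugger")
            if debugger is not None:
                hits.append((key[len(prefix):], debugger))
    return sorted(hits)

def find_disallow_run(reg: dict) -> tuple:
    """(policy enabled?, [blocked executables]) from the Explorer DisallowRun policy."""
    policy = EXPLORER_POLICY_KEY.lower()
    enabled, blocked = False, []
    for key, values in reg.items():
        if key.lower() == policy:
            enabled = _value(values, "DisallowRun") == 1
        elif key.lower() == policy + "\\disallowrun":
            # entries are named "0", "1", ... (or "1", "2", ...); keep them in numeric order
            names = sorted(values, key=lambda n: (not n.isdigit(), int(n) if n.isdigit() else n))
            blocked = [values[n] for n in names if isinstance(values[n], str)]
    return enabled, blocked

# Constructed sample export (hypothetical entries) in the format reg.exe produces.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avast.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe]
"Debugger"="\"C:\\WINDOWS\\system32\\svchost.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisallowRun"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"0"="mbam.exe"
"1"="avast.exe"
"2"="OTS.exe"
'''

if __name__ == "__main__":
    reg = parse_reg(SAMPLE_EXPORT)
    for image, debugger in find_ifeo_debuggers(reg):
        print(f"IFEO hijack: {image} -> {debugger}")
    enabled, blocked = find_disallow_run(reg)
    print(f"DisallowRun enabled={enabled} blocked={blocked}")
```

The iexplore.exe subkey in the sample is there to show the distinction that matters: an IFEO subkey by itself is normal (installers and Windows use it for per-image settings), only a "Debugger" value under it redirects the launch. After a clean-up, a fresh export that yields an empty list from `find_ifeo_debuggers` and `(False, [])` from `find_disallow_run` is the check that the 16 DisallowRun entries and the IFEO hijacks are really gone.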

Hi

Yep - there was a shed load of IFEO settings that MBAM found, and 16 [0-15] disallow run ones. All removed now.

Thanks for sorting a fix file for me, nice one 8)

I’ve run the fix in OTS, and the log is attached.

Thanks again!

aswMBR.exe just fixed what Malwarebytes missed. Thanks, Avast! support :) I'm trying your trial version 6 :)