struggling to remove rootkit

Some help needed please: Avast picked up a rootkit on my machine. Am running Windows XP SP3.
Malwarebytes does not pick anything up.
aswMBR does pick it up (see attached logs) but the “fix” button is grayed out
TDSSKiller picks it up but only gives option to “skip”, “copy to quarantine” or “restore”

I also ran SAV32cli.exe in safe mode with command prompt and it picked up some other malware as well (or maybe it's related?) and removed the files successfully:
Mal/Packer
Mal/EncPK-BA
Mal/Keygen-G
MBshSpy.ocx

It said it could not open these system32\driver\ files (not sure if relevant):
dtsci.sys
sptd.sys
sptd3693.sys

Avast, aswMBR and TDSSKiller all still pick up the rootkit

I have run OTS and attached the log in next post. Thanks in advance x

here is the OTS log

I have asked someone to take a look at your logs.

Could you post the aswMBR log please whilst I check out OTS.

Hi, you have been using an infected USB drive. The aswMBR log should tell me whether it is a TDL4 infection or Mebroot; they need a different fix for each.

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-527237240-1757981266-682003330-1003\] > -> HKEY_USERS\S-1-5-21-527237240-1757981266-682003330-1003\Software\Microsoft\Internet Explorer\Toolbar\
YN -> ShellBrowser\\"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{51D81DD5-55B7-497F-95DB-D356429BB54E}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "C:\Program Files\Bonjour\mDNSResponder.exe" -> [C:\Program Files\Bonjour\mDNSResponder.exe:*:Disabled:Bonjour]
YN -> "C:\Program Files\Electronic Arts\The Battle for Middle-earth (tm) II\game.dat" -> [C:\Program Files\Electronic Arts\The Battle for Middle-earth (tm) II\game.dat:*:Disabled:The Battle for Middle-earth(tm) II]
YN -> "C:\Program Files\MSN Messenger\livecall.exe" -> [C:\Program Files\MSN Messenger\livecall.exe:*:Disabled:Windows Live Messenger 8.1 (Phone)]
YN -> "C:\Program Files\MSN Messenger\msnmsgr.exe" -> [C:\Program Files\MSN Messenger\msnmsgr.exe:*:Disabled:Windows Live Messenger 8.1]
YN -> "C:\Program Files\NETGEAR\WNA1100\WNA1100.exe" -> [C:\Program Files\NETGEAR\WNA1100\WNA1100.exe:*:Disabled:NETGEAR WNA1100 Smart Wizard]
YN -> "C:\Program Files\Soulseek\slsk.exe" -> [C:\Program Files\Soulseek\slsk.exe:*:Disabled:SoulSeek]
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{307e57f0-06f7-11de-92bd-001a4d73d61d}\Shell\AutoRun\command -> 
YN -> \{307e57f0-06f7-11de-92bd-001a4d73d61d}\Shell\AutoRun\command\\"" -> [RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe]
YN -> \{307e57f0-06f7-11de-92bd-001a4d73d61d} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{307e57f0-06f7-11de-92bd-001a4d73d61d}\Shell\open\command -> 
YN -> \{307e57f0-06f7-11de-92bd-001a4d73d61d}\Shell\open\command\\"" -> [RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe]
YN -> \{3485d63c-f2e5-11de-9384-001a4d73d61d} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3485d63c-f2e5-11de-9384-001a4d73d61d}\Shell\AutoRun\command -> 
YN -> \{3485d63c-f2e5-11de-9384-001a4d73d61d}\Shell\AutoRun\command\\"" -> [E:\IASGJ\OKIAH\boP.exe]
YN -> \{3485d63c-f2e5-11de-9384-001a4d73d61d} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3485d63c-f2e5-11de-9384-001a4d73d61d}\Shell\open\command -> 
YN -> \{3485d63c-f2e5-11de-9384-001a4d73d61d}\Shell\open\command\\"" -> [E:\IASGJ\OKIAH\boP.exe]
YN -> \{36310c20-a4d5-11dd-9271-001a4d73d61d} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{36310c20-a4d5-11dd-9271-001a4d73d61d}\Shell\AutoRun\command -> 
YN -> \{36310c20-a4d5-11dd-9271-001a4d73d61d}\Shell\AutoRun\command\\"" -> [E:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\dark.exe]
YN -> \{36310c20-a4d5-11dd-9271-001a4d73d61d} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{36310c20-a4d5-11dd-9271-001a4d73d61d}\Shell\open\command -> 
YN -> \{36310c20-a4d5-11dd-9271-001a4d73d61d}\Shell\open\command\\"" -> [E:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\dark.exe]
YN -> \{92a20035-e880-11dd-9290-001a4d73d61d} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{92a20035-e880-11dd-9290-001a4d73d61d}\Shell\AutoRun\command -> 
YN -> \{92a20035-e880-11dd-9290-001a4d73d61d}\Shell\AutoRun\command\\"" -> [E:\bwpncb6.com]
YN -> \{92a20035-e880-11dd-9290-001a4d73d61d} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{92a20035-e880-11dd-9290-001a4d73d61d}\Shell\explore\Command -> 
YN -> \{92a20035-e880-11dd-9290-001a4d73d61d}\Shell\explore\Command\\"" -> [E:\bwpncb6.com]
YN -> \{92a20035-e880-11dd-9290-001a4d73d61d} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{92a20035-e880-11dd-9290-001a4d73d61d}\Shell\open\Command -> 
YN -> \{92a20035-e880-11dd-9290-001a4d73d61d}\Shell\open\Command\\"" -> [E:\bwpncb6.com]
YN -> \{a46437b8-eb42-11de-9383-001a4d73d61d} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a46437b8-eb42-11de-9383-001a4d73d61d}\Shell\AutoRun\command -> 
YN -> \{a46437b8-eb42-11de-9383-001a4d73d61d}\Shell\AutoRun\command\\"" -> [eej2.exe]
YN -> \{a46437b8-eb42-11de-9383-001a4d73d61d} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a46437b8-eb42-11de-9383-001a4d73d61d}\Shell\open\Command -> 
YN -> \{a46437b8-eb42-11de-9383-001a4d73d61d}\Shell\open\Command\\"" -> [eej2.exe]
YN -> \{ed78ff36-1647-11de-92d7-001a4d73d61d} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ed78ff36-1647-11de-92d7-001a4d73d61d}\Shell\AutoRun\command -> 
YN -> \{ed78ff36-1647-11de-92d7-001a4d73d61d}\Shell\AutoRun\command\\"" -> [F:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\SYS32.exe]
YN -> \{ed78ff36-1647-11de-92d7-001a4d73d61d} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ed78ff36-1647-11de-92d7-001a4d73d61d}\Shell\open\command -> 
YN -> \{ed78ff36-1647-11de-92d7-001a4d73d61d}\Shell\open\command\\"" -> [F:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\SYS32.exe]
[Files/Folders - Modified Within 30 Days]
NY ->  -1 -> C:\WINDOWS\System32\-1
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.
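As an added example (not part of this thread, and not OTS's own code), here is a small Python triage helper that parses MountPoints2 lines in the OTS format used in the fix above and groups the flagged autorun targets by volume GUID: executables hidden under RECYCLER or RESTORE folders, bare executable names resolved from the volume root, and programs launched from a non-system drive. The sample lines are constructed from the shapes seen in this log (plus one benign entry), and the SYSTEM_DRIVE = "C:" value and the heuristics are my assumptions.

```python
from __future__ import annotations
import re

# Constructed sample in the shape OTS printed MountPoints2 entries in this thread,
# plus one benign entry (tool.exe on C:) to show what is NOT flagged.
OTS_SAMPLE = r'''
YN -> \{307e57f0-06f7-11de-92bd-001a4d73d61d}\Shell\AutoRun\command\\"" -> [RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe]
YN -> \{307e57f0-06f7-11de-92bd-001a4d73d61d}\Shell\open\command\\"" -> [RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe]
YN -> \{92a20035-e880-11dd-9290-001a4d73d61d}\Shell\AutoRun\command\\"" -> [E:\bwpncb6.com]
YN -> \{a46437b8-eb42-11de-9383-001a4d73d61d}\Shell\open\Command\\"" -> [eej2.exe]
YN -> \{deadbeef-0000-0000-0000-000000000000}\Shell\open\command\\"" -> [C:\Program Files\Tool\tool.exe]
'''

# One OTS line: "YN -> \{GUID}\Shell\<verb>\command\\"" -> [<target>]"
LINE_RE = re.compile(
    r'^YN -> \\\{(?P<guid>[0-9a-f-]{36})\}\\Shell\\(?P<verb>\w+)\\[Cc]ommand\\\\"" -> \[(?P<target>[^\]]*)\]$'
)

SYSTEM_DRIVE = "C:"                         # assumption: Windows lives on C:
HIDING_DIRS = ("RECYCLER\\", "RESTORE\\")   # folders the worms in this log hid in

def classify(target: str) -> list[str]:
    """Return the reasons an autorun target looks like USB-worm persistence."""
    reasons = []
    upper = target.upper()
    if "\\" not in target:
        reasons.append("bare executable name, resolved from the volume root")
    if upper.startswith(HIDING_DIRS):
        reasons.append("executable hidden in a recycle-bin/restore folder")
    if re.match(r"[A-Z]:\\", upper) and not upper.startswith(SYSTEM_DRIVE):
        reasons.append("runs a program from a non-system (likely removable) drive")
    return reasons

def suspicious_autoruns(ots_text: str) -> dict[str, list[tuple[str, str, list[str]]]]:
    """Group MountPoints2 shell commands by volume GUID, keeping only flagged ones."""
    findings: dict[str, list[tuple[str, str, list[str]]]] = {}
    for line in ots_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # not a MountPoints2 command line
        reasons = classify(m["target"])
        if reasons:
            findings.setdefault(m["guid"], []).append((m["verb"], m["target"], reasons))
    return findings

if __name__ == "__main__":
    for guid, hits in suspicious_autoruns(OTS_SAMPLE).items():
        print(f"volume {{{guid}}}")
        for verb, target, reasons in hits:
            print(f"  {verb:8} -> {target}  [{'; '.join(reasons)}]")
```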

There is an aswmbr.txt file attached in the first post, is that the one ?

Yep, just going blind I feel :slight_smile:

Once the OTS fix is run we will look at the rootkit

Here is the OTS log after running fix :slight_smile: thanks so much

I have another question - the only USB device I have connected to this machine for some time is my external drive, so I guess there is a very good chance the rootkit came from there. Once the rootkit has been fixed (it’s still there) will Avast detect it and remove it if I scan the drive? Or do I stand a chance of being reinfected if I connect it to my PC again? Heh, I really don’t want to have to go through this again :-[

I do have access to a mac - if I scanned it from the mac would it detect any PC viruses without risking infection?

What you can do is scan the USB drive with Avast.

But let's now take a closer look at the rootkit as shown by TDSSKiller.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

* Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

* Double click on ComboFix.exe & follow the prompts.

* As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

* Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

combofix log attached

No indication of a rootkit there. When this run is completed, could you re-run TDSSKiller please and post the log it generates? That way I can get a proper look at the file. But first let's close some ports.

  1. Please open Notepad: click Start, then Run, and type notepad.exe in the Run box.

  2. Now copy/paste the entire content of the codebox below into the Notepad window:

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"=-
"65533:TCP"=-
"52344:TCP"=-
"6497:TCP"=-
"6498:TCP"=-
"7083:TCP"=-
"6301:TCP"=-
"5911:TCP"=-
"3820:TCP"=-
"2989:TCP"=-
"7973:TCP"=-
"4692:TCP"=-
"5036:TCP"=-
"1567:TCP"=-
"1634:TCP"=-
"3068:TCP"=-

  3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES.

  4. Save the above as CFScript.txt.

  5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

  6. After reboot (in case it asks to reboot), please post the following report/log in your next reply:
     * Combofix.txt

Hi there - here is the 2nd combofix log :slight_smile:
I might have to go out for a while, but I will try to respond asap to your next post, apologies.

No problems, as that log looks OK now.

still showing up in avast

Could you post the TDSSKiller log please so that I can see the file location, and also run GMER. Once I have the location I will remove it using a kernel mode tool.

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

Caution
These types of scans can produce false positives. Do NOT take any action on any “<— ROOTKIT” entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
* Click NO.
* In the right panel, you will see a bunch of boxes that have been checked … leave everything checked and ensure the Show all box is un-checked.
* Now click the Scan button.
Once the scan is complete, you may receive another notice about rootkit activity.
* Click OK.
* GMER will produce a log. Click on the [Save…] button, and in the File name area, type in “GMER.txt”.
* Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

Hi, here is the TDSSKiller log in the meantime - am downloading and running GMER scanner shortly and will follow instructions.

Thanks again for all this help btw, I know it’s a public holiday and you should prob be chilling, so hope you’re getting some relaxing in between all this trouble shooting, or at least being paid good overtime :wink:

I have just been looking at how TDSSKiller handles this one …

Were you given the option to quarantine and then restore the MBR ?

Copy to quarantine. The utility quarantines the infected MBR.
Restore. The utility restores a standard MBR.

Yes - so should I copy to quarantine and then restore?

Hi,
here is the GMER log.