Suspected rootkit activity; removal attempts creating odd results. Help?

Hey guys…

I suspect I’ve got some kind of rootkit hidden away somewhere in my system, but I can’t be sure. Let’s go over this from the beginning, and I hope it makes sense.

Before we start, system details:

Windows 8.1
Running Avast! Pro antivirus (most recent version)

Now then…

I noticed something was rather amiss a couple of weeks back, when all of a sudden I was unable to access any of the following websites:
http://www.google.com/
http://www.google-analytics.com/
http://apis.google.com/
http://www.youtube.com/
http://www.wikipedia.org/

This was extremely odd, not least because my browser (Google Chrome) was perfectly well able to run a web search, I suspect, via http://www.google.com.au. As you can imagine, being unable to access Google Analytics and the apis server made a fair few websites look rather odd or become extremely slow to access.

A ping got absolutely nowhere with any of these websites (although it was still able to obtain an IP for them nonetheless), and a tracert would not even get to the first jump. However, any other server would work just fine. I only discovered wikipedia didn’t work when attempting to figure out what the hell was going on.

At the suggestion of a friend, I went hunting for some anti-rootkit tools. The results were… interesting, to say the least. Running Kaspersky’s TDSSKiller program with the option to scan objects currently loaded into memory found a “hidden service” that was unlisted everywhere. TDSSKiller listed it as a “medium risk”, but as far as I could tell it shouldn’t be there. I removed it. Now… it got weirder. Upon a reboot, as suggested by the program, it scanned again, and found another hidden service, apparently of the exact same type… except it had a different name. Six reboots later, it seemed to just keep going. It would alternate between two kinds of names – both 8-digit strings of numbers, either beginning with a “1” or a “6”. The most recent instance of this thing I got rid of was called “17946652.sys”.

Upon rebooting the first time, I was again able to access these websites, but as the tool kept finding these hidden services, I reasoned that it could simply come back at pretty much any opportunity. Using GMER, I determined that the only other apparent suspicious processes were those from Avast! itself. To be on the safe side, I downloaded Avast!'s uninstall tool, booted into Safe Mode and removed Avast! entirely. A quick scan with TDSSKiller confirmed that after one further reboot, the suspicious .sys file had not yet returned, and I was again able to access the previously unresponsive websites. Problem solved, right? Nope.

Now, a week after that last sequence of events, the symptoms began anew – once again, I had trouble accessing the above listed websites. And again, it did not appear to affect any other websites, and I have confirmed both with other people and online tools that the websites are not actually down. A further scan with TDSSKiller found the most recent instance of the suspicious .sys file (which has been removed). A noticed oddity is that removing this file appears to result in a Code 19 error for my Blu-Ray disc drive. If it is a rootkit, which I am still a little uncertain of, it appears it might have infected the drivers or firmware of my disc drive.

That’s all I know. Any ideas? This just gets weirder and weirder. I suspect the rootkit was already present prior to upgrading to Windows 8, which was shortly before noticing something seemed to be amiss.

EDIT: A brief registry fix for the disc drive appears to have fixed the disc drive temporarily (at least the error is no longer showing). As far as I can tell, it seems to be all okay, but this situation is so decidedly odd I think it best to check things over at least six times.

Please follow these instructions: http://forum.avast.com/index.php?topic=53253.0

AdwCleaner report attached. Will update this post as I run the other tools.

EDIT: MBAM log appears to be clean. Attached.

EDIT: OTL Logs attached.

I think that was it for the general scan tools… the last doesn’t work on Win8 yet, apparently.

also attach aswMBR log…

The sticky says it does not work on Windows 8. I should mention that other tools I have previously used to scan the MBR have come up with a resounding negative – TDSSKiller and GMER among them.

EDIT: Attempted running aswMBR nonetheless, the program crashed before completing a scan.

The sticky says it does not work on Windows 8. I
correct...missed your OS

malware removers are notified, it may take some hours before one is online…

Hi,
A rootkit (on kernel level) is less likely for Windows 8.1. I believe that avast posted you some detection (FP?) and then you listened to a friend who also doesn’t get into this stuff enough, and you allowed TDSSKiller to kill every legitimate driver that was flagged merely as suspicious.
Please attach here all TDSSKiller reports. And this “17946652.sys” looks like a Kaspersky driver. We shall perform checks …

Please download Farbar Recovery Scan Tool (http://www.mcshield.net/personal/magna86/Images/FRST_canned.png) by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

[*]Double-click to run it. When the tool opens click Yes to disclaimer.
[*]Press Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
[*]The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

Aye, I’m mainly worried that it’s a leftover from Win7. Something the installer couldn’t remove, or something. The fact that I was unable to access those websites is somewhat worrying, though, as is the fact I was inexplicably able to access them again with the odd file removed (also, it is odd that the tool would pick up its own driver as suspicious).

TDSSKiller Logs:
https://dl.dropboxusercontent.com/u/42485542/Logs/TDSSKiller.3.0.0.16_03.11.2013_15.38.10_log.txt
https://dl.dropboxusercontent.com/u/42485542/Logs/TDSSKiller.3.0.0.16_03.11.2013_15.46.34_log.txt
https://dl.dropboxusercontent.com/u/42485542/Logs/TDSSKiller.3.0.0.16_03.11.2013_16.10.32_log.txt
https://dl.dropboxusercontent.com/u/42485542/Logs/TDSSKiller.3.0.0.16_03.11.2013_16.30.07_log.txt
https://dl.dropboxusercontent.com/u/42485542/Logs/TDSSKiller.3.0.0.16_03.11.2013_17.33.00_log.txt
https://dl.dropboxusercontent.com/u/42485542/Logs/TDSSKiller.3.0.0.16_11.11.2013_10.38.03_log.txt
https://dl.dropboxusercontent.com/u/42485542/Logs/TDSSKiller.3.0.0.16_11.11.2013_15.29.06_log.txt

I’ll attach the Farbar logs when it’s done scanning.

EDIT: Farbar logs attached.

Hi,
Have you ever used AVZ (AntiViralToolkit) or some other Kaspersky product?

I wanna collect some additional info via FRST:

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system


File: C:\Windows\system32\Drivers\SMR410.dat
File: C:\Windows\system32\prfh0804.dat
File: C:\Windows\system32\perfc010.dat

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.

From memory, TDSSKiller is a Kaspersky product itself, but apart from that I cannot recall ever using a Kaspersky product, no.

Fixlog attached :slight_smile:

Ok, now run this script:

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system


Unlock: C:\Windows\system32\Drivers
Unlock: C:\Windows\system32
C:\Windows\system32\Drivers\SMR*.dat
C:\Windows\system32\prfh*.dat
REG: reg export HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\74171204.sys C:\Users\Joel\Desktop\export.reg

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.

=> Also on your desktop should appear file named export.reg. Please attach that file here.

O-kay, that quickly went pear-shaped. FRST informed me it was going to restart the system to finish the fix, but it seems windows 8 didn’t survive the process intact. It booted into Windows 8, and then hung on a black screen for more than half an hour. The speakers popped softly a few times, which struck me as a little odd, but most likely nothing of consequence, I expect. As I don’t have another computer to hand, I rebooted and brought up System Restore via win8 DVD. The only restore point I had was one made earlier this day – shortly before first posting here, actually. This seems to have gotten Windows working again for the time being.

The fixlog.txt file is intact, and has been attached, but the export.reg file is nowhere to be found (despite Windows’ assurances that my documents would be unaffected by the restore, and also despite the fixlog reporting that the reg file had indeed been created)… so apologies for that. :frowning:

Hm…that’s weird. As a next step I would like you to run ESET Online Scan. The scan may easily take 4 hours, so you may want to run it when you don’t need to use the computer.

Please go here to run the online scanner from ESET.
http://www.eset.com/int/home/products/online-scanner/

Turn off the real time scanner of any existing antivirus program while performing the online scan
Tick the box next to [b]YES, I accept the Terms of Use.[/b]
Click [b]Start[/b]
When asked, allow the activex control to install
Click [b]Start[/b]
Make sure that the option [b]Remove found threats[/b] is [b]unticked[/b]

Click on [b]Advanced Settings[/b] and ensure these options are ticked:

Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology

Click Scan
Wait for the scan to finish
If any threats were found, click the ‘List of found threats’ , then click Export to text file…
Save it to your desktop, then please copy and paste that log as a reply to this topic. I’ll let you know if anything needs to be removed.


Re-run FRST, just hit the Scan button and post me a fresh FRST.txt log report.

Alright, I’ll let it run while I sleep then. I’ll be back in the morning with the log. Many thanks for all your help so far :3

Okay, most of these are stuff I had some knowledge of, but here we go.

C:\Program Files (x86)\Cheat Engine 6\cheatengine-i386.exe	a variant of Win32/HackTool.CheatEngine.AB application
C:\Program Files (x86)\Cheat Engine 6\dbk32.sys	probably a variant of Win32/HackTool.CheatEngine.AA application
D:\$RECYCLE.BIN\S-1-5-21-1713612370-2308834227-4239393143-1001\$R9CT4CK.exe	a variant of Win32/Bundled.Toolbar.Ask.D application
D:\$RECYCLE.BIN\S-1-5-21-1713612370-2308834227-4239393143-1001\$ROTS7VP.exe	Win32/OpenCandy application
D:\$RECYCLE.BIN\S-1-5-21-1713612370-2308834227-4239393143-1001\$RS4YXTX.exe	Win32/Toolbar.Zugo application
D:\$RECYCLE.BIN\S-1-5-21-1713612370-2308834227-4239393143-1001\$RSPQ461.exe	a variant of Win32/Bundled.Toolbar.Ask application
D:\$RECYCLE.BIN\S-1-5-21-1713612370-2308834227-4239393143-1001\$RC0LISR.3-ShortFuse\Exploits\psneuter	Android/Exploit.Lotoor.AK trojan
D:\$RECYCLE.BIN\S-1-5-21-1713612370-2308834227-4239393143-1001\$RC0LISR.3-ShortFuse\Exploits\zergRush	Android/Exploit.Lotoor.AN trojan
D:\$RECYCLE.BIN\S-1-5-21-632080001-1409607558-1512484945-1000\$R44W4GN\MtkDroidTools\files\zR	Android/Exploit.Lotoor.DH trojan
D:\Adobe CS6 Master Collection\Adobe CS6 Master Collection\Crack\crack\cs6.patch.exe	a variant of Win32/HackTool.Patcher.BD application
D:\Downloads\exe\CheatEngine60.exe	multiple threats
D:\Downloads\exe\MtkDroidTools_v248.exe	Android/Exploit.Lotoor.DH trojan
D:\Downloads\exe\musicnotesSuite.exe	Win32/OpenCandy application
D:\Downloads\exe\SetupRevengeOfTheTitansHIB-1810.exe	a variant of Win32/Packed.MoleboxVS.B application
D:\Downloads\torrent\Completed\Software\SibeliusAuralia4\SibeliusAuralia4\Sibelius - auralia 4.0.1.10 new version\auralia.4.0.1.10-patch.exe	Win32/HackTool.Patcher.A application

EDIT: Also discovered that somehow or other the device drivers for my computer’s speakers appeared to have become corrupted (thus the weird soft popping from them, I guess). I’ve uninstalled and reinstalled the drivers after discovering that they simply refused to work at all, which appears to have fixed that issue for now. Not certain if this was due to your fix or the system restore, but weird all the same.
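As an added example (not part of this thread or any of the tools it mentions), a small Python triage script for an ESET “List of found threats” export like the one above: it parses the tab-separated path/detection lines, separates PUA/HackTool verdicts (“… application”) from trojan signatures, and flags entries that already sit in $RECYCLE.BIN or that are kernel drivers (.sys), which is what decides the follow-up (empty the recycle bin, review the rest). The sample lines are constructed from the detections quoted above; the classification rules are this example’s own heuristics, not ESET’s.

```python
"""Triage an ESET Online Scanner 'List of found threats' export.

Added example; the export format is one detection per line:
<path> TAB <detection name>. Category rules are our own heuristics.
"""
from dataclasses import dataclass
from typing import List

# Constructed sample lines in the export format (path TAB detection).
SAMPLE_EXPORT = "\n".join([
    "C:\\Program Files (x86)\\Cheat Engine 6\\dbk32.sys\tprobably a variant of Win32/HackTool.CheatEngine.AA application",
    "D:\\$RECYCLE.BIN\\S-1-5-21-1\\$R9CT4CK.exe\ta variant of Win32/Bundled.Toolbar.Ask.D application",
    "D:\\$RECYCLE.BIN\\S-1-5-21-1\\$RC0LISR.3\\Exploits\\psneuter\tAndroid/Exploit.Lotoor.AK trojan",
    "D:\\Downloads\\exe\\CheatEngine60.exe\tmultiple threats",
])

@dataclass
class Finding:
    path: str
    detection: str
    category: str        # 'pua' (PUA/HackTool), 'trojan', or 'review'
    in_recycle_bin: bool # already deleted by the user; emptying the bin suffices
    kernel_driver: bool  # a .sys file: worth checking whether it is loaded

def classify(detection: str) -> str:
    """Map ESET's verdict suffix to a coarse triage category."""
    d = detection.strip().lower()
    if d.endswith(" application"):   # ESET's PUA / HackTool naming
        return "pua"
    if d.endswith(" trojan"):
        return "trojan"
    return "review"                  # e.g. 'multiple threats': look at it by hand

def parse_export(text: str) -> List[Finding]:
    findings = []
    for line in text.splitlines():
        if "\t" not in line:         # skip headers and blank lines
            continue
        path, detection = line.split("\t", 1)
        detection = detection.strip()
        findings.append(Finding(path, detection, classify(detection),
                                "$RECYCLE.BIN" in path.upper(),
                                path.lower().endswith(".sys")))
    return findings

def summarize(findings: List[Finding]) -> dict:
    """Counts that drive the follow-up advice."""
    return {
        "total": len(findings),
        "pua": sum(f.category == "pua" for f in findings),
        "trojan": sum(f.category == "trojan" for f in findings),
        "review": sum(f.category == "review" for f in findings),
        "in_recycle_bin": sum(f.in_recycle_bin for f in findings),
        "kernel_drivers": [f.path for f in findings if f.kernel_driver],
    }
```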

ESET didn’t find any malware. All detected stuff was caught via heuristics.

Empty recycle bin.

Post me fresh created FRST.txt log so I may confirm that you are malware free.

Sure… here we go :slight_smile:

I would say that you are malware free. Please note that Windows 8.1 is a fresh OS.
Nor is it easy for malware writers to hide malware beyond the usual routines, as Windows 8.1 uses fresh initialization …

By reading the FRST logs and comparing the loaded files, I would say that your machine is clean and that your problems aren’t malware related.

That’s good to hear. Thank you very much indeed :slight_smile:

Guess I’ll do a proper inventory check and make sure there aren’t any programs messing things up, device drivers okay, etc. then.

Thanks for going over all that for me :smiley:

Let’s remove used tools:

Please download DelFix by “Xplode” to your Desktop.

Run the tool and check the following boxes below;

[*] Remove disinfection tools
[*] Create registry backup
[*] Purge System Restore

Now click on the “Run” button. Wait until the programme completes its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt)
Note: The report will also be stored as C:\DelFix.txt

I don’t need DelFix log report.

I recommend using MCShield if you will.
You may download MCShield from one of the following links:

MyCity - Official download link
Softpedija - Mirror download link

It will prevent infection of your computer via USB flash drive, mobile phone or any other memory card.
And not only will it prevent infection, it will also immediately clean the flash drive, memory card or external HDD.