0access rootkit

[joshdnelson]

I discovered a root-kit on my system a few days.  I just built this new system and had yet to set up anti-virus software.  I ran several anti-rootkit programs.  These included Malwarebytes Anti-Rootkit, Windows Malicious Software Removal Tool July 2013, Sophos Anti-Rootkit, Norton Power Eraser and GMER.  All programs identified somewhat different entries and all were able to remove what they found except for Sophos.  At this point Sophos is the only sweep that comes up with positive hits.  To be more specific my current problem is that while Sophos recognizes the infected files, it is not able to remove them.  Once the scan is finished it prompts a restart in order to complete the removal.  When I reboot Sophos after the restart I receive another prompt saying that the same items were not removed and that Sophos requires another restart.  I tried this several times, but with the same result - another request for a reboot.  Thanks for your time.

 

attach.txt

dds.txt

[D-FRED-BROWN]

Hello joshdnelson and welcome to Malwarebytes!

I am D-FRED-BROWN and I will be helping you.

Please print or save this topic. It will make it easier for you to follow the instructions and complete all of the necessary steps.

----------Step 1----------------

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

• Double-click on TDSSKiller.exe to run the tool for known TDSS variants.

  Vista/Windows 7 users right-click and select Run As Administrator.

• If TDSSKiller does not run, try renaming it.
• To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
• Click the Start Scan button.
• Do not use the computer during the scan
• If the scan completes with nothing found, click Close to exit.
• If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
• Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

  Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.

• A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
• Copy and paste the contents of that file in your next reply.

----------Step 2----------------

Please download Malwarebytes Anti-Rootkit from HERE

• Unzip the contents to a folder in a convenient location.
• Open the folder where the contents were unzipped and run mbar.exe
• Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
• Click on the Cleanup button to remove any threats and reboot if prompted to do so.
• Wait while the system shuts down and the cleanup process is performed.
• Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
• When done, please post the two logs produced they will be in the MBAR folder... mbar-log.txt and system-log.txt

----------Step 3----------------

Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

***IMPORTANT: save ComboFix to your Desktop***

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please go here to see a list of programs that should be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall**

Please include the C:\ComboFix.txt in your next reply for further review.

NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.

----------Step 4----------------

Please download Security Check by screen317 from here or here.

• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

----------Step 5----------------

In your next reply, please include the following:

• TDSSKiller's logfile
• MBAR mbar-log.txt and system-log.txt
• ComboFix's report (C:\ComboFix.txt)
• Security Check checkup.txt

After that, please let me know: How is your computer running now? Do you have any questions or concerns you'd like me to address? Don't hesitate to ask.

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Note:

Please make sure you are subscribed to this topic: Click on the "Follow This Topic" Button (at the top right of this page), make sure that the "Receive notification" box is checked and that it is set to "Instantly"

 

-------> Your topic will be closed if you haven't replied within 3 days! <--------

(If I don't respond within 24 hours, please send me a PM)

-DFB

[joshdnelson]

At the moment my computer (appears) to be running fine.  The only issue that I have noticed is that I cannot log on to a particular hotmail account using this computer.  I have access to the account on other computers and can even access different hotmail accounts from this computer.  Once I log in I see that page being redirected to the inbox.  Once the tab displays the name of my address it freezes, showing only a blank page.  This started happening the day that I found the root-kit.  Perhaps it is coincidence.  One final thing.  While I was running ComboFix I received the following error:

Cannot export RegRun200: Error writing the file.  There may be a disk or file system error.

 

Thanks again.

TDSSKiller.2.8.18.0_29.07.2013_16.08.51_log.txt

system-log.txt

mbar-log-2013-07-29 (16-12-03).txt

ComboFix.txt

checkup.txt

[D-FRED-BROWN]

We're making progress.

----------Step 1----------------
Please download AdwCleaner by Xplode onto your desktop.

• Double click on AdwCleaner.exe to run the tool.
• Click on Search.
• A logfile will automatically open after the scan has finished.
• Please post the contents of that logfile with your next reply.
• You can find the logfile at C:\AdwCleaner[R1].txt as well.

----------Step 2----------------
Please download Junkware Removal Tool to your desktop.

• Shut down your protection software now to avoid potential conflicts.
• Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
• The tool will open start scanning your system.
• Please be patient as this can take a while to complete depending on your system's specifications.
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• Post the contents of JRT.txt into your next message.

----------Step 3----------------
We need to create a New FULL OTL Report

• Please download OTL from here if you have not done so already:
  • Main Mirror
• Save it to your desktop.
• Double click on the OTL icon on your desktop.
• Click the "Scan All Users" checkbox.
• Change the "Extra Registry" option to "SafeList"
• Push the Run Scan button.
• Two reports will open, copy and paste them in a reply here:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized

----------Step 4 (note: this scan may take a little time)----------------I'd like us to scan your machine with ESET OnlineScan

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
  ESET OnlineScan
• Click the button.
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.
• Check
• Click the button.
• Accept any security warnings from your browser.
• Check
• Push the Start button.
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, push
• Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• Push the button.
• Push

A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt


----------Step 5----------------
Please post the AdwCleaner logfile, the JRT.txt, the OTL.txt and Extras.txt, and the ESET online scan log in your next reply.

Let me know how things go.

[joshdnelson]

Everything went well.  I noticed that at least one program deleted/repaired some files so that's encouraging.

 

AdwCleanerR1.txt

Extras.Txt

JRT.txt

log.txt

OTL.Txt

[D-FRED-BROWN]

Looks better. I'm waiting on some clarification regarding a couple entries found in your OTL log. For now, please do the following:

 

Please Launch Malwarebytes' Anti-Malware.

• Please click Check for Updates to see if any updates are found.  If so, please allow MBAM to download and install them.
• Once the program has loaded, select Perform full scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• When completed, a log will open in Notepad. Please save it to a location you will remember.
• Copy and Paste that log into your next reply.
  

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK for either of the prompts and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.
 

[joshdnelson]

all clear.

 

mbam-log-2013-07-30 (19-15-21).txt

[D-FRED-BROWN]

Still have a little more to do, but we're nearly there.

----------Step 1----------------
We need to run an OTL Fix

• Please reopen on your desktop.
• Copy and Paste the following code into the textbox.
  
  

  :OTL
  [2013/07/26 11:26:54 | 000,002,048 | -HS- | M] () -- C:\Users\Josh Nelson\AppData\Local\Google\Desktop\Install\{f82298d2-b009-617b-ea7a-07f8216b6e1c}\❤≸⋙\Ⱒ☠⍨\‮ﯹ๛\{f82298d2-b009-617b-ea7a-07f8216b6e1c}\@
  [2013/07/24 23:04:50 | 000,000,000 | -HSD | M] -- C:\Users\Josh Nelson\AppData\Local\Google\Desktop\Install\{f82298d2-b009-617b-ea7a-07f8216b6e1c}\❤≸⋙\Ⱒ☠⍨\‮ﯹ๛\{f82298d2-b009-617b-ea7a-07f8216b6e1c}\L
  [2013/07/24 23:04:50 | 000,000,000 | -HSD | M] -- C:\Users\Josh Nelson\AppData\Local\Google\Desktop\Install\{f82298d2-b009-617b-ea7a-07f8216b6e1c}\❤≸⋙\Ⱒ☠⍨\‮ﯹ๛\{f82298d2-b009-617b-ea7a-07f8216b6e1c}\U
  [2009/07/13 22:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
   
  [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
   
  [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
   
  [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64
   
  [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
   
  [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
  "" = C:\Windows\SysNative\shell32.dll -- [2013/02/26 23:52:56 | 014,172,672 | ---- | M] (Microsoft Corporation)
  "ThreadingModel" = Apartment
   
  [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
  "" = %SystemRoot%\system32\shell32.dll -- [2013/02/26 22:55:05 | 012,872,704 | ---- | M] (Microsoft Corporation)
  "ThreadingModel" = Apartment
   
  [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
  "" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/13 19:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
  "ThreadingModel" = Free
   
  [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
  "" = %systemroot%\SysWow64\wbem\fastprox.dll -- [2010/11/20 21:24:25 | 000,606,208 | ---- | M] (Microsoft Corporation)
  "ThreadingModel" = Free
   
  [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
  "" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/13 19:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
  "ThreadingModel" = Both
   
  [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
  
  [18 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]
  [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
  
  :Commands
  [purity]
  [emptytemp]
  [emptyjava]
  [emptyflash]
  [Reboot]

• Push
• OTL may ask to reboot the machine. Please do so if asked.
• Click the OK button.
• A report will open. Copy and Paste that report in your next reply.

----------Step 2----------------
Instructions for DELETE:

• Close all open programs and internet browsers.
• Double click on adwcleaner.exe to run the tool.
• Click on Delete.
• Confirm each time with Ok.
• You will be prompted to restart your computer. A text file will open after the restart.
• Please post the contents of that logfile with your next reply.
• You can find the logfile at C:\AdwCleaner[s1].txt as well.

Afterwards, please reboot the computer.

----------Step 3----------------
Please post the OTL and AdwCleaner reports in your next reply. How are things running now?

[joshdnelson]

AdwCleanerS1.txt

07302013_203014.log

[joshdnelson]

Things are running well on this end.  I still can't access one particular email account on this computer, while I can on my wife's computer.  Could a rootkit do this?  I have since abandoned the email, but it still makes me a little nervous.

[D-FRED-BROWN]

Possibly. This is a relatively new infection so we still need to do some more digging to verify everything is all clear.

 

We need a new OTL scan:

• Double click on the OTL icon on your desktop.
• Click the "Scan All Users" checkbox.
• Change the "Extra Registry" option to "SafeList"
• Push the Run Scan button.
• Two reports will open, copy and paste them in a reply here:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized

[joshdnelson]

OTL.Txt

Extras.Txt

[D-FRED-BROWN]

Go ahead and run ComboFix again- if asked to update to a newer version, please allow it to do so.

Please post the new ComboFix.txt in your next reply.

[joshdnelson]

log.txt

[joshdnelson]

I just realized something new.  When I try to boot Dark Souls on steam I get this error:

Illegal operation attempted on a registry key that has been mark for deletion.

I get the same error while attempting to run other games on steam and MSI Afterburner. 

[D-FRED-BROWN]

Just reboot. Does it still happen?

[joshdnelson]

That worked.  Thanks!

[D-FRED-BROWN]

Sorry for the delay. It appears we still have some more to go.

 

First,
BackupYour Registry with ERUNT

• Please go here, scroll down to ERUNT, and download.
• For version with the Installer:
  Use the setup program to install ERUNT on your computer
• For the zipped version:
  Unzip all the files into a folder of your choice.

Click Erunt.exe to backup your Registry to the folder of your choice.

Note: To restore your Registry, go to the folder and start ERDNT.exe

-------

Please do the following:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

 

KILLALL::

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"301548880"=-
"3212083974"=-

Driver::
?etadpug
dzbhmesg
kobotfhf
sbumshcr

File::
c:\windows\system32\drivers\dzbhmesg.sys
c:\windows\SYSNATIVE\drivers\dzbhmesg.sys
c:\windows\system32\drivers\kobotfhf.sys
c:\windows\SYSNATIVE\drivers\kobotfhf.sys
c:\windows\system32\drivers\sbumshcr.sys
c:\windows\SYSNATIVE\drivers\sbumshcr.sys
c:\program files (x86)\Google\Desktop\Install\{f82298d2-b009-617b-ea7a-07f8216b6e1c}\   \...\???\{f82298d2-b009-617b-ea7a-07f8216b6e1c}\GoogleUpdate.exe
c:\program files (x86)\Google\Desktop\Install\{f82298d2-b009-617b-ea7a-07f8216b6e1c}\   \...\???\{f82298d2-b009-617b-ea7a-07f8216b6e1c}\GoogleUpdate.exe

Reboot::

Save this as CFScript.txt, in the same location as ComboFix.exe



Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I shall require in your next reply.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Please include the newly-created C:\ComboFix.txt in your next reply, and let me know how things are running now

[joshdnelson]

ComboFix.txt

[D-FRED-BROWN]

That didn't do the trick it seems. This malware is fairly recent so not all of our tools are updated to eliminate it yet.

 

Let's try something else:

 

Please download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/
 

• Double-click on the Rkill desktop icon to run the tool.
• If using Vista or Windows 7 right-click on it and choose Run As Administrator.
• A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
• If not, delete the file, then download and use the one provided in Link 2.
• Do not reboot until instructed.
• If the tool does not run from any of the links provided, please let me know.

If normal mode still doesn't work, run the tool from safe mode.

When the scan is done Notepad will open with rKill log.
Post it in your next reply.

NOTE. rKill.txt log will also be present on your desktop.

 

[joshdnelson]

Rkill.txt

Is this a particularly nasty infection?

[D-FRED-BROWN]

Yeah it's pretty aggressive. Try running Rkill, it should give us some info as to what to look for next

[joshdnelson]

Would you like me to run rkill again?

[D-FRED-BROWN]

My mistake, I didn't see that you uploaded the log in your last post. I'll post the next set of instructions shortly

[D-FRED-BROWN]

Please do the following:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KILLALL::

 

Folder::
C:\Users\Josh Nelson\AppData\Local\Google\Desktop\Install\{f82298d2-b009-617b-ea7a-07f8216b6e1c}

 

Reboot::

Save this as CFScript.txt, in the same location as ComboFix.exe



Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I shall require in your next reply.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Please include the newly-created C:\ComboFix.txt in your next reply, and let me know how things are running now

 

 

 

**Please run RKill again as well and post its new log