Topic: Zero access rootkit - afterwards


essexboy (Malware removal instructor)
Re: Zero access rootkit - afterwards
« Reply #15 on: November 16, 2011, 10:01:36 PM »
RogueKiller found a few - are you experiencing any other problems? There may be remnants which I can check for if you wish.


RogueKiller V6.1.8 [11/14/2011] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Burak Yolacan [Admin rights]
Mode: Shortcuts HJfix -- Date : 11/16/2011 19:28:03

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 0 / Fail 0
Quick launch: Success 0 / Fail 0
Programs: Success 13 / Fail 0
Start menu: Success 1 / Fail 0
User folder: Success 60 / Fail 0

My documents: Success 0 / Fail 0
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 0 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 740 / Fail 0
Backup: [NOT FOUND]

Drives:
[A:] \Device\Floppy0 -- 0x2 --> Skipped
[C:] \Device\HarddiskVolume1 -- 0x3 --> Restored
[D:] \Device\HarddiskVolume2 -- 0x3 --> Restored
[E:] \Device\HarddiskVolume4 -- 0x3 --> Restored
[F:] \Device\HarddiskVolume3 -- 0x3 --> Restored
[G:] \Device\HarddiskVolume5 -- 0x3 --> Restored
[I:] \Device\CdRom0 -- 0x5 --> Skipped
[K:] \Device\HarddiskVolume6 -- 0x3 --> Restored


¤¤¤ Infection :  ¤¤¤

Finished : << RKreport[1].txt >>
RKreport[1].txt


Scan check


Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
consrv.dll
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
C:\Windows\assembly\tmp\U\*.* /s
CREATERESTOREPOINT

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Post both logs

Kleidophoros (Guest)
Re: Zero access rootkit - afterwards
« Reply #16 on: November 16, 2011, 10:40:34 PM »
Both logs attached.

Something I noticed today; I don't really know how to explain this, but it was like the PC was hiccuping every 30 seconds or so for about half a second: mouse pointer coming to a halt, screen freezing if I am playing a game/watching a movie. I checked the task manager; nothing funny in processes, but I noticed one core of the CPU had no load while the other core had some 15% load all the time. It went away after I rebooted the PC. Come to think of it, I believe I experienced the same thing some months ago too.

Also, I didn't disable the antivirus, and ESET decided to delete part of my Steam library..

Code:
16.11.2011 23:32:00 Real-time file system protection file C:\Program Files\Steam\steamapps\common\amnesia the dark descent\Launcher.exe probably unknown CRYPT.WIN32 virus deleted - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to run the file by the application: C:\Documents and Settings\Burak Yolacan\Desktop\OTL.exe.
16.11.2011 23:32:00 Real-time file system protection file C:\Program Files\Steam\steamapps\common\penumbra overture\redist\Penumbra.exe probably unknown CRYPT.WIN32 virus deleted - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to run the file by the application: C:\Documents and Settings\Burak Yolacan\Desktop\OTL.exe.
16.11.2011 23:32:00 Real-time file system protection file C:\Program Files\Steam\steamapps\common\penumbra black plague\redist\Requiem.exe probably unknown CRYPT.WIN32 virus deleted - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to run the file by the application: C:\Documents and Settings\Burak Yolacan\Desktop\OTL.exe.
16.11.2011 23:31:59 Real-time file system protection file C:\Program Files\Steam\steamapps\common\penumbra black plague\redist\Penumbra.exe probably unknown CRYPT.WIN32 virus deleted - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to run the file by the application: C:\Documents and Settings\Burak Yolacan\Desktop\OTL.exe.
16.11.2011 23:31:59 Real-time file system protection file C:\Program Files\Steam\steamapps\common\oddworld abes exoddus\Exoddus.exe probably unknown CRYPT.WIN32 virus deleted - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to run the file by the application: C:\Documents and Settings\Burak Yolacan\Desktop\OTL.exe.
« Last Edit: November 16, 2011, 10:46:52 PM by Kleidophoros »

essexboy (Malware removal instructor)
Re: Zero access rootkit - afterwards
« Reply #17 on: November 16, 2011, 10:48:21 PM »
You are still infected

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :OTL
    O4 - HKLM..\Run: [SW20] C:\WINDOWS\system32\sw20.exe ()
    O4 - HKLM..\Run: [SW24] C:\WINDOWS\system32\sw24.exe ()
    O4 - HKLM..\Run: [WinSys2] C:\WINDOWS\system32\WinSys2.exe (TODO: <Company name>

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

Please allow combofix to install the recovery console

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the ComboFix log in your next reply, as well as describe how your computer is running now.
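Reading an OTL O4 section the way the fix above does, as an added example that is not part of this thread or of OTL: the script parses the O4 autorun lines, flags entries whose publisher string is empty or an unfilled build-template placeholder (the `()` and `TODO: <Company name>` seen in the fix) or that sit as non-Microsoft binaries directly in system32, and emits the flagged lines in the `:OTL` fix format. The sample lines are constructed (the first three reproduce the thread's entries, the last two are made-up benign ones), and the heuristics are triage hints for a human reviewer, not verdicts.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample of OTL "O4" autorun lines: the first three are the entries quoted in
# this thread (WinSys2 kept as posted, missing its ')'); the last two are made-up benign ones.
SAMPLE_O4 = r"""
O4 - HKLM..\Run: [SW20] C:\WINDOWS\system32\sw20.exe ()
O4 - HKLM..\Run: [SW24] C:\WINDOWS\system32\sw24.exe ()
O4 - HKLM..\Run: [WinSys2] C:\WINDOWS\system32\WinSys2.exe (TODO: <Company name>
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
"""

# OTL O4 layout:  O4 - <hive>..\<key>: [<value name>] <path> (<company>)
# The closing ')' is optional so a truncated line like the WinSys2 one still parses.
O4_RE = re.compile(r"^O4 - HK\w+\.\.\\[^:]+: \[(?P<name>[^\]]*)\] (?P<path>.+?) \((?P<company>[^)]*)\)?\s*$")

@dataclass
class AutorunEntry:
    raw: str
    name: str
    path: str
    company: str
    reasons: List[str] = field(default_factory=list)  # empty = nothing odd found

def parse_o4(line: str) -> Optional[AutorunEntry]:
    # Returns None for lines that are not O4 entries (other OTL sections, blanks).
    m = O4_RE.match(line.strip())
    if m is None:
        return None
    return AutorunEntry(line.strip(), m["name"], m["path"], m["company"].strip())

def assess(entry: AutorunEntry) -> AutorunEntry:
    # Heuristic triage hints for a human reviewer, not verdicts.
    company = entry.company.lower()
    if company == "":
        entry.reasons.append("no publisher in the file's version info")
    elif "todo" in company or "<company name>" in company:
        entry.reasons.append("publisher is an unfilled build-template placeholder")
    if "\\system32\\" in entry.path.lower() and "microsoft" not in company:
        entry.reasons.append("non-Microsoft autorun binary placed directly in system32")
    return entry

def triage(report: str) -> List[AutorunEntry]:
    return [assess(e) for e in map(parse_o4, report.strip().splitlines()) if e is not None]

def otl_fix_block(report: str) -> str:
    # Emit the flagged lines in the ':OTL' fix-script form used in the thread.
    return "\n".join([":OTL", *(e.raw for e in triage(report) if e.reasons)])
```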

Kleidophoros (Guest)
Re: Zero access rootkit - afterwards
« Reply #18 on: November 16, 2011, 11:14:32 PM »
Both logs attached.

I don't notice anything funny with the operation of the pc.

essexboy (Malware removal instructor)
Re: Zero access rootkit - afterwards
« Reply #19 on: November 16, 2011, 11:24:08 PM »
http://www.threatexpert.com/files/winsys2.exe.html - It is a trojan downloader just getting ready to start again

If you are still happy with the system tomorrow let me know and I will remove my tools  ;D

Kleidophoros (Guest)
Re: Zero access rootkit - afterwards
« Reply #20 on: November 16, 2011, 11:26:42 PM »
If we can clean it now I would love to; don't wanna risk it once more.

Also, do you know what this is?
Code:
[Path][Folder name][File name][Extension][Size]
C:\Documents and Settings\Burak Yolacan\Local Settings\Application Data\BaCkDoOr_SyStEm\s_selector.exe_Url_nbjkdc30iatxpcrp4knjbgtyr1sy2exs0 Byte
C:\Documents and Settings\Burak Yolacan\Local Settings\Application Data\BaCkDoOr_SyStEm\s_selector.exe_Url_nbjkdc30iatxpcrp4knjbgtyr1sy2exs\2.1.0.00 Byte
C:\Documents and Settings\Burak Yolacan\Local Settings\Application Data\BaCkDoOr_SyStEm\s_selector.exe_Url_nbjkdc30iatxpcrp4knjbgtyr1sy2exs\2.1.0.0\user.configconfig372 Byte

Total number of folders = 2
Total number of files  = 1
Sum of file sizes = 372 Byte

essexboy (Malware removal instructor)
Re: Zero access rootkit - afterwards
« Reply #21 on: November 16, 2011, 11:32:48 PM »
Don't recognise the format - should be OK to delete them.

I feel you are clean now but I would like to wait a bit just to be sure

Kleidophoros (Guest)
Re: Zero access rootkit - afterwards
« Reply #22 on: November 16, 2011, 11:37:55 PM »
I see 2 winsys2.exes on the PC: system32\reinstallbackups\0003\driverfiles and OTL\movedfiles.

I will probably not be able to notice it for a while if this thing acts up again; it's not the main PC and I don't use it much. Any programs to scan the PC, say tomorrow or the day after, to see if everything's okay?

essexboy (Malware removal instructor)
Re: Zero access rootkit - afterwards
« Reply #23 on: November 16, 2011, 11:38:57 PM »
Aye and I will also remove the quarantined files

Kleidophoros (Guest)
Re: Zero access rootkit - afterwards
« Reply #24 on: November 16, 2011, 11:41:36 PM »
Uhm sorry but what..?
Nevermind, thank you for the help.
« Last Edit: November 16, 2011, 11:45:37 PM by Kleidophoros »

Kleidophoros (Guest)
Re: Zero access rootkit - afterwards
« Reply #25 on: November 17, 2011, 07:54:31 PM »
Sorry for the double post but I need to post an update.

First, got rid of NOD32 and installed Avast Free.
PC keeps freezing; 5 times now, forcing me to hard reset.
WinRAR is acting funny; double-clicking an archive runs winrar.exe but I can't see the UI. If I double-click again I get another winrar.exe; I saw as many as 10 in the first attempt to open an archive. Right-click > Extract Here extracts the archive but I still can't see the UI.
Avast is set to scan documents when opening and writing. AutoSandbox is on but set to ask and hasn't asked anything yet.

Also I get a window (C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled) with a shortcut to adobegammaloader.exe inside at startup; it's just annoying.
Any help?

DavidR
Re: Zero access rootkit - afterwards
« Reply #26 on: November 17, 2011, 08:34:09 PM »
How did you get rid of NOD32?

There is also a removal tool you might want to try:
ESET/NOD32 Uninstall Tool - http://kb.eset.com/esetkb/index?page=content&id=SOLN2116 Make sure you choose the correct uninstaller for your ESET product and your OS (32-bit or 64-bit version); right-click on the link and select Save As or Save File As (depending on your browser), and save it to your desktop.

Also see http://thewebatom.net/uninstallers/security-software/; this has a collection of manufacturers' removal tools, so that should remove any remnants, registry, etc.

Kleidophoros (Guest)
Re: Zero access rootkit - afterwards
« Reply #27 on: November 17, 2011, 08:41:48 PM »
You didn't check that page for a while, did you? There is no uninstaller, just Uninstall - delete a few leftover folders.
Ooh, it's buried down there under manual uninstall..
Link to ESET uninstaller: http://kb.eset.com/esetkb/index?page=content&id=SOLN2289

The second link has the program, so I am gonna run it now.

Edit1: Okay, uninstalled it completely. WinRAR still acting funny, gonna reinstall I guess. Gonna see if the PC still freezes too.

Edit2: WinRAR back to normal after reinstall. Gotta wait for freezes.
« Last Edit: November 17, 2011, 09:05:53 PM by Kleidophoros »

essexboy (Malware removal instructor)
Re: Zero access rootkit - afterwards
« Reply #28 on: November 17, 2011, 09:31:38 PM »
As I say, once you are happy let me know and I will remove the tools cleanly.