Author Topic: Problem rootkit  (Read 9735 times)


barri100

  • Guest
Problem rootkit
« on: August 19, 2012, 07:10:35 PM »
Problem with a rootkit. I have Windows 7, and I formatted the PC with the partitions in the PC. On two occasions Avast told me that I have a rootkit, and I chose the option to remove it, but I think the rootkit is installed on the other partition, different from C:.
I used aswMBR.exe. I attach the logs.

Thanks in advance

I'm sorry because my English is poor
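The poster suspects that something survived formatting the partitions. Formatting rewrites a partition's file system, not sector 0 of the disk, and an MBR bootkit (the class of infection aswMBR and TDSSKiller look for) lives in the boot code and unpartitioned space rather than in any file. The following is an added example, not code from the thread or from any of the tools discussed in it: it parses a 512-byte MBR sector, lists the partition table and hashes the boot code so two runs can be compared. The sample sector at the end is constructed for offline use; `Read-MbrSector`, the device path `\\.\PhysicalDrive0` and the need for an elevated prompt are assumptions for reading the live disk.

```powershell
# Added example (not from the original thread): inspect an MBR sector.
# Read-MbrSector needs an elevated prompt; ConvertFrom-MbrSector works on any
# 512-byte [byte[]] and is what the constructed sample below exercises.

function Read-MbrSector {
    param([string]$Device = '\\.\PhysicalDrive0')   # assumed device path
    $fs = New-Object System.IO.FileStream($Device, [System.IO.FileMode]::Open,
            [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    try {
        $buf = New-Object byte[] 512
        $read = $fs.Read($buf, 0, 512)
        if ($read -ne 512) { throw "short read: $read bytes" }
        return $buf
    } finally { $fs.Dispose() }
}

function ConvertFrom-MbrSector {
    param([Parameter(Mandatory=$true)][byte[]]$Sector)
    if ($Sector.Length -lt 512) { throw 'sector must be at least 512 bytes' }
    # Boot signature 0x55AA sits at offset 510; without it there is no MBR to parse.
    if ($Sector[510] -ne 0x55 -or $Sector[511] -ne 0xAA) { throw 'missing 0x55AA boot signature' }

    # Hash the 446 bytes of boot code so a later run shows whether it changed.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $codeHash = ($sha.ComputeHash($Sector, 0, 446) | ForEach-Object { $_.ToString('x2') }) -join ''

    # Four 16-byte partition entries start at offset 446 (0x1BE).
    $entries = for ($i = 0; $i -lt 4; $i++) {
        $o = 446 + 16 * $i
        $type = $Sector[$o + 4]
        if ($type -eq 0) { continue }          # empty slot
        [pscustomobject]@{
            Index    = $i
            Bootable = ($Sector[$o] -eq 0x80)  # 0x80 = active flag
            Type     = ('0x{0:X2}' -f $type)   # 0x07 NTFS, 0xEE = GPT protective MBR
            StartLba = [BitConverter]::ToUInt32($Sector, $o + 8)   # little-endian
            Sectors  = [BitConverter]::ToUInt32($Sector, $o + 12)
        }
    }
    [pscustomobject]@{ BootCodeSha256 = $codeHash; Partitions = @($entries) }
}

# Constructed sample sector (not a capture from the poster's machine): one active
# NTFS partition starting at LBA 2048 and spanning 204800 sectors.
$sample = New-Object byte[] 512
$sample[446] = 0x80
$sample[450] = 0x07
[BitConverter]::GetBytes([uint32]2048).CopyTo($sample, 454)
[BitConverter]::GetBytes([uint32]204800).CopyTo($sample, 458)
$sample[510] = 0x55
$sample[511] = 0xAA

$parsed = ConvertFrom-MbrSector -Sector $sample
$parsed.Partitions | Format-Table -AutoSize
"boot code sha256: $($parsed.BootCodeSha256)"
```

Against the live disk, run `ConvertFrom-MbrSector (Read-MbrSector)` from an elevated prompt and keep the boot-code hash; a hash that changes between two reads without a known boot-loader update is exactly the sort of thing to raise with the helper. Two caveats: on a GPT disk the table shows a single 0xEE protective entry and the real layout is elsewhere, and on a 4K-native disk the raw read must be the physical sector size rather than 512 bytes.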

Offline mikaelrask

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1556
Re: Problem rootkit
« Reply #1 on: August 19, 2012, 08:22:04 PM »
Hey, your English is fine. Please follow this guide and attach your logs, except aswMBR since you have already attached it.

http://forum.avast.com/index.php?topic=53253.0
Windows 8.1 amd a10-5700 64 bit
12 GB ram 1 tb hard drive. Avast 18, MBAM

iroc9555

  • Guest
Re: Problem rootkit
« Reply #2 on: August 19, 2012, 09:21:20 PM »
@barri100

You said that the OTL log is too big, so upload it to RapidShare: https://rapidshare.com/

What about MBAM? Is it clean? If not, attach the log please.

barri100

  • Guest
Re: Problem rootkit
« Reply #3 on: August 19, 2012, 09:23:13 PM »
MBAM doesn't find anything.

The OTL log is here: http://ge.tt/3scL9GM/v/0?c

iroc9555

  • Guest
Re: Problem rootkit
« Reply #4 on: August 19, 2012, 09:28:39 PM »
OK, I will PM one of the specialists to help you. It could take some time to get help, so be patient.

barri100

  • Guest
Re: Problem rootkit
« Reply #5 on: August 19, 2012, 09:43:33 PM »
OK. Thank you very much :)

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Problem rootkit
« Reply #6 on: August 19, 2012, 10:09:57 PM »
Hi,
I will be working on your malware issues ;)



> Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works, please read this guide carefully.
Note: ComboFix must be downloaded to your Desktop.

> Temporarily disable your antivirus program.
If you are unsure how to do this, please read this instruction.

How to disable avast:

  • Right-click on the avast! icon in the lower right corner of the screen and choose Open avast! User Interface.
  • In the window that opens, click Settings in the top right corner.
  • In the new window that opens, choose the option Troubleshooting, uncheck Enable avast! self-defense, and click OK.

  • Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls.
  • In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.
Note: Do not forget to turn this option back on after the cleaning.



> Run ComboFix. Click on I Agree!
ComboFix will check whether a newer version of ComboFix is available.
Click Yes if prompted to download.

ComboFix will display the DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.

If the Recovery Console is not installed, ComboFix will offer to download and install it.
Click Yes to allow ComboFix to install the Recovery Console.
Note: Do not mouse-click ComboFix's window while it is running.


> When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
  Attach the log report (ComboFix.txt) to the topic.

barri100

  • Guest
Re: Problem rootkit
« Reply #7 on: August 19, 2012, 10:26:14 PM »
I ran it, and I attach the log.

Thanks for your help

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Problem rootkit
« Reply #8 on: August 19, 2012, 10:50:51 PM »
Hi,

Step 1
Download TDSSKiller and save it to your desktop.

    Execute TDSSKiller.exe by double-clicking on it.

  •     Press Start Scan

     
  •   If a suspicious object is detected, the default action will be Skip; click on Continue.
     
  •   If malicious objects are found, select Cure.
Once complete, a log will be produced at the root of the drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt


Please post the contents of that log in your next reply.


******************
Step 2

Open notepad and copy/paste the text present inside the code box below:


Code: [Select]

DirLook::
c:\programdata\Brother

ClearJavaCache::

RegLock::
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10c.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)



Save this as CFScript.txt



Close all browser windows. Referring to the screenshot above, drag CFScript.txt onto ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the log in your next reply. (typical location: C:\ComboFix.txt)
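The RegLock:: section of the script above lists keys that the ComboFix log reported as locked: each carries an `@Denied: ... (Everyone)` line, meaning the key's DACL denies access to Everyone, which blocks administrators too since they are members of that group. The following is an added example, not code from the thread or from ComboFix, that finds such keys on its own. It enumerates the children of one registry path, tries to open each with only READ_CONTROL, and reports both keys that refuse even that and keys whose DACL holds an explicit Deny entry for Everyone (SID S-1-1-0). The default path is the Wow6432Node CLSID branch from the script above; the function name and the path parameter are this example's own.

```powershell
# Added example (not from the original thread or from ComboFix): find registry keys
# locked against Everyone. Run from an elevated prompt so only the lock itself,
# not ordinary user rights, causes an access-denied result.

function Find-LockedRegistryKey {
    param([string]$SubKey = 'SOFTWARE\Classes\Wow6432Node\CLSID')  # assumed default

    $parent = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey)
    if (-not $parent) { throw "cannot open HKLM\$SubKey" }

    foreach ($name in $parent.GetSubKeyNames()) {
        $full = "HKLM\$SubKey\$name"
        $key = $null
        try {
            # Ask for READ_CONTROL only. A key that denies Everyone full access
            # refuses even this, which is itself the finding.
            $key = $parent.OpenSubKey($name,
                [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadSubTree,
                [System.Security.AccessControl.RegistryRights]::ReadPermissions)
        } catch {
            [pscustomobject]@{ Key = $full; Finding = "DACL not readable: $($_.Exception.Message)" }
            continue
        }
        if (-not $key) { continue }   # subkey vanished between enumerate and open

        try {
            # Explicit and inherited rules, identities as SIDs so the match is exact.
            $rules = $key.GetAccessControl('Access').GetAccessRules($true, $true,
                         [System.Security.Principal.SecurityIdentifier])
            $deny = @($rules | Where-Object {
                $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq 'S-1-1-0' })
            if ($deny.Count -gt 0) {
                $rights = ($deny | ForEach-Object { $_.RegistryRights }) -join ', '
                [pscustomobject]@{ Key = $full; Finding = "Deny for Everyone: $rights" }
            }
        } finally { $key.Close() }
    }
    $parent.Close()
}

Find-LockedRegistryKey | Format-Table -AutoSize
```

A hit is a lead for triage, not a verdict: legitimate installers lock their own COM registration this way (the Flash Player keys named in the script above are a common case), and the question to ask about each locked key is what its InprocServer32 or LocalServer32 value points at and whether that file is expected. Comparing the output of this function before and after the ComboFix run also confirms that the RegLock:: entries were actually unlocked.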

iroc9555

  • Guest
Re: Problem rootkit
« Reply #9 on: August 19, 2012, 10:59:47 PM »
@Barri100

With TDSSKiller, if it finds something suspicious, don't do anything. If it is malicious, cure it.

Notepad is "Bloc de notas"; copy/paste the code and save the Notepad file as... "CFScript.txt"


barri100

  • Guest
Re: Problem rootkit
« Reply #10 on: August 19, 2012, 11:11:00 PM »
I ran TDSSKiller, and it didn't find any problems.

I attach both logs.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Problem rootkit
« Reply #11 on: August 19, 2012, 11:35:49 PM »

  • Re-run TDSSKiller.exe and click on Change parameters.
  • Under Additional options, check the boxes next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • Click on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • Click the Report button and copy/paste the contents of it into your next reply.
Note: It will also create a log in the C:\ directory.


********************

Can you tell me what avast detects as a rootkit? Can you attach a screenshot here, anything?

Also, attach this here if you have it:
C:\ProgramData\AVAST Software\Avast\report\aswBoot.txt
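The Verify Driver Digital Signature option asked for above makes TDSSKiller flag loaded drivers whose image is not validly signed, which is why the next log shows a list of "suspicious" objects that then have to be checked one by one. The following is an added example, not code from the thread or from TDSSKiller, that performs the same check with built-in cmdlets: it enumerates the running kernel drivers, normalises each service's image path, and reports every driver whose file is missing or whose Authenticode signature is not Valid. The function name is this example's own; it assumes an elevated prompt so every file under system32\drivers is readable, and Windows PowerShell (Get-WmiObject is not in PowerShell 7).

```powershell
# Added example (not from the original thread or from TDSSKiller): list running
# kernel drivers whose image lacks a valid Authenticode signature.

function Get-UnsignedLoadedDriver {
    $drivers = Get-WmiObject -Class Win32_SystemDriver -Filter "State='Running'"
    foreach ($d in $drivers) {
        if (-not $d.PathName) { continue }

        # Service image paths come in several spellings; turn them into a file path.
        $path = $d.PathName -replace '^\\\?\?\\', ''              # \??\C:\... -> C:\...
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot   # \SystemRoot\... -> C:\Windows\...
        $path = $path -replace '^system32\\', "$env:SystemRoot\system32\"

        if (-not (Test-Path -LiteralPath $path)) {
            # A running driver whose file cannot be found on disk is worth a look
            # on its own: rootkits hide or unlink their image.
            [pscustomobject]@{ Name = $d.Name; Path = $path; Status = 'FileMissing'; Signer = $null }
            continue
        }

        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            $signer = $null
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            [pscustomobject]@{ Name = $d.Name; Path = $path; Status = $sig.Status; Signer = $signer }
        }
    }
}

Get-UnsignedLoadedDriver | Format-Table -AutoSize
```

Read the output the way the helper reads the TDSSKiller report: inbox drivers that are signed through a catalog rather than an embedded signature can show NotSigned here, especially on Windows 7, so a NotSigned entry under system32\drivers with a Microsoft file description is noise, while an unsigned or missing image outside that directory, or one whose service name matches nothing you installed, is the entry to report.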

barri100

  • Guest
Re: Problem rootkit
« Reply #12 on: August 20, 2012, 12:50:13 AM »
I ran it with the parameters that you said, and it found many suspicious objects, and I skipped them.

I attach the log

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Problem rootkit
« Reply #13 on: August 20, 2012, 12:58:27 AM »
Hi, all detected objects are legitimate. So that's fine. ;)


> Can you look for aswBoot.txt?

Location:
C:\ProgramData\AVAST Software\Avast\report

I need to see what avast detects as a rootkit. ;)
If you do not understand something, feel free to ask me; I'll try to explain ;)

barri100

  • Guest
Re: Problem rootkit
« Reply #14 on: August 20, 2012, 01:03:49 AM »
Quote from: magna86 on August 20, 2012, 12:58:27 AM
Hi, all detected objects are legitimate. So that's fine. ;)


> Can you look for aswBoot.txt?

Location:
C:\ProgramData\AVAST Software\Avast\report

I need to see what avast detects as a rootkit. ;)
If you do not understand something, feel free to ask me; I'll try to explain ;)

I don't have this file, and I can't find the directory "report" in "C:\ProgramData\AVAST Software\Avast\".
Do I have to look for it in another directory?