Author Topic: Possible Root Kit Infection  (Read 10690 times)


okym

  • Guest
Possible Root Kit Infection
« on: June 23, 2013, 02:57:16 AM »
I was hoping not to have to come back for more help from the experts, but it appears that I now have a rootkit infection in my laptop.
To cut a long story short, I attached what I thought was a safe USB stick to the laptop. MCShield2 detected malicious code and opened a hidden folder and deleted malware; Norton 360 picked up JS Proslifiken and quarantined it. However, instead of right-clicking the folders on the USB and deleting, through inattention I left-clicked and opened the folder by mistake. Something flashed on the screen and, hey presto, things started going haywire. Malwarebytes Pro (paid version) would not open and some functions within the Control Panel were disabled.
I have attached the logs below and hope someone can help. Malwarebytes works intermittently, sometimes only able to be accessed via Chameleon, and initially OTL would only run in Safe Mode.
Any help would be greatly appreciated,again.

jeffce

  • Guest
Re: Possible Root Kit Infection
« Reply #1 on: June 23, 2013, 03:20:41 AM »
Hi and Welcome!!   

My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:

  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • If you happen to have a flash drive/thumb drive please have that ready in the event that we need to use it.
  • Please be sure to subscribe to the topic if you have not already done so.
IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your operating system and losing all your programs and data.


Having said that.... Let's get going!!
----------

Please run Malwarebytes again, remove that entry that is being detected, and then post the new log.
---------

Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.
  • Disable any antivirus programs during the scan (If you have difficulty properly disabling your protective programs, refer to this link here )
  • Double click dds to run the tool.
  • When done, two DDS .txt files will open.
  • Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt

Attach.txt
----------

Please download TDSSKiller
  • Double click TDSSKiller.exe
  • Press Start Scan but do nothing else as we are just looking for what is there.
  • If Malicious objects are found, select Skip by changing the Cure dropdown in the upper right.
  • Attach the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

okym

  • Guest
Re: Possible Root Kit Infection
« Reply #2 on: June 23, 2013, 06:00:00 AM »
Hi Jeff,
Thanks for the prompt reply. I have noted and understand your notes; been here, done that with Essex boy not that long ago with my PC.
Logs attached as requested.

jeffce

  • Guest
Re: Possible Root Kit Infection
« Reply #3 on: June 23, 2013, 06:41:37 PM »
Tweaking.com Registry Backup
  • Download the tool found here to your Desktop so it is easy to find.
  • Double click on the file you just downloaded to install it to your system.
  • Once the tool is installed, double-click on the Tweaking.com Registry Backup icon
    **Note** The tool should automatically open to the Backup Registry tab.
  • Press Backup Now
  • When the back up is complete, the tool will tell you that Successful */* Files Backed Up
  • You have now successfully backed up your Registry.

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

Code:
:Services

:OTL
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4:64bit: - HKLM..\Run: []  File not found
O4 - HKU\S-1-5-21-2601538084-2854319939-2143446311-1001..\Run: [73ca7] C:\Users\bandk\AppData\Roaming\65dc\73ca7.js ()
O4 - Startup: C:\Users\bandk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\218.js ()
O33 - MountPoints2\{10b46dd6-8fa3-11e2-be77-4c72b9adc60d}\Shell - "" = AutoRun
O33 - MountPoints2\{10b46dd6-8fa3-11e2-be77-4c72b9adc60d}\Shell\AutoRun\command - "" = "E:\AutoRun.exe"
O33 - MountPoints2\{2faed953-8b5e-11e2-be71-4c72b9adc60d}\Shell - "" = AutoRun
O33 - MountPoints2\{2faed953-8b5e-11e2-be71-4c72b9adc60d}\Shell\AutoRun\command - "" = "E:\AutoRun.exe"
O33 - MountPoints2\{2faedb25-8b5e-11e2-be71-4c72b9adc60d}\Shell - "" = AutoRun
O33 - MountPoints2\{2faedb25-8b5e-11e2-be71-4c72b9adc60d}\Shell\AutoRun\command - "" = "G:\AutoRun.exe"
O33 - MountPoints2\{2faedb6f-8b5e-11e2-be71-4c72b9adc60d}\Shell - "" = AutoRun
O33 - MountPoints2\{2faedb6f-8b5e-11e2-be71-4c72b9adc60d}\Shell\AutoRun\command - "" = "E:\AutoRun.exe"
O33 - MountPoints2\{9a0c2c0d-8b5d-11e2-be75-4c72b9adc60d}\Shell - "" = AutoRun
O33 - MountPoints2\{9a0c2c0d-8b5d-11e2-be75-4c72b9adc60d}\Shell\AutoRun\command - "" = "E:\AutoRun.exe"
O33 - MountPoints2\{9b542469-fd69-11e1-be6f-806e6f6e6963}\Shell\AutoRun\command - "" = "D:\Start.exe"
O33 - MountPoints2\{9b542469-fd69-11e1-be6f-806e6f6e6963}\Shell\Install\Command - "" = D:\Start.exe
[2013/06/18 10:46:14 | 000,000,000 | -HSD | C] -- C:\Users\bandk\AppData\Roaming\65dc
[2013/06/18 10:46:14 | 000,000,000 | -HSD | C] -- C:\6470d

:Files
ipconfig /flushdns /c

:Commands
[emptytemp]
[resethosts]
[start explorer]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
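The OTL fix above removes four classes of persistence left by the USB autorun dropper: per-user Run values pointing at .js files, a .js file in the Startup folder, cached MountPoints2 AutoRun commands for removable drives, and two hidden+system directories (the -HSD entries). The following PowerShell is an added, read-only triage script, not part of the thread or of OTL, that enumerates the same locations so a responder can see what is present before a fix and confirm it is gone afterwards. It assumes Windows 7 or later with PowerShell 3.0+, run from an elevated prompt; the function name, the "Suspicious" heuristics and the list of Windows-owned root directories that are skipped are this example's own assumptions. The registry paths are the standard Windows locations.

```powershell
# Added triage example (not from the thread): read-only enumeration of the
# persistence classes the OTL fix removed. Assumes Windows 7+ / PowerShell 3.0+.
# Function name and "Suspicious" heuristics are this example's own, not OTL's.
function Get-UsbPersistenceTriage {
    # Script-host extensions: the thread's droppers were 73ca7.js and 218.js.
    $scriptExt = '\.(js|jse|vbs|vbe|wsf|wsh|hta)$'

    # 1. Run/RunOnce keys. Flag values that launch a script file or run from AppData.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not registry values
            $cmd = [string]$p.Value
            # Executable path only: quoted path if present, else the first token.
            if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($cmd -split '\s+')[0] }
            [pscustomobject]@{
                Source     = $key
                Name       = $p.Name
                Command    = $cmd
                Suspicious = ($exe -match $scriptExt) -or ($cmd -match '\\AppData\\')
            }
        }
    }

    # 2. Per-user Startup folder (the fix removed 218.js from here).
    $startup = [Environment]::GetFolderPath('Startup')
    Get-ChildItem -LiteralPath $startup -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $scriptExt } |
        ForEach-Object {
            [pscustomobject]@{ Source = 'Startup folder'; Name = $_.Name; Command = $_.FullName; Suspicious = $true }
        }

    # 3. MountPoints2: Explorer caches each removable volume's autorun.inf handler here.
    #    Every Shell\AutoRun\command is worth review; note that optical discs with an
    #    installer legitimately create them too (the D:\Start.exe entry in the log).
    $mp2 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
    Get-ChildItem -Path $mp2 -ErrorAction SilentlyContinue | ForEach-Object {
        $cmdKey = "$mp2\$($_.PSChildName)\Shell\AutoRun\command"
        if (Test-Path -LiteralPath $cmdKey) {
            $cmd = (Get-ItemProperty -LiteralPath $cmdKey).'(default)'
            [pscustomobject]@{ Source = 'MountPoints2'; Name = $_.PSChildName; Command = $cmd; Suspicious = $true }
        }
    }

    # 4. Hidden+System directories under the roaming profile and the drive root
    #    (the fix removed C:\Users\bandk\AppData\Roaming\65dc and C:\6470d, both -HSD).
    #    Windows keeps a few of its own at the drive root; those are skipped by name.
    $knownRoot = @('$Recycle.Bin', 'System Volume Information', 'Recovery',
                   'Documents and Settings', 'ProgramData', 'Config.Msi', 'Boot')
    $hs = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
    foreach ($root in @($env:APPDATA, "$env:SystemDrive\")) {
        Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue |
            Where-Object { (($_.Attributes -band $hs) -eq $hs) -and ($knownRoot -notcontains $_.Name) } |
            ForEach-Object {
                [pscustomobject]@{ Source = 'Hidden+System dir'; Name = $_.Name; Command = $_.FullName; Suspicious = $true }
            }
    }
}

Get-UsbPersistenceTriage | Format-Table -AutoSize -Wrap
```

Run it once before the fix and once after the reboot; the Run value, the Startup .js and the two -HSD directories should disappear from the second listing, while any MountPoints2 entries that remain tell you which devices still carry an autorun.inf and should be cleaned or discarded before they are plugged in again.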

okym

  • Guest
Re: Possible Root Kit Infection
« Reply #4 on: June 30, 2013, 10:42:23 AM »
Sorry to take so long to get back to you.
Between renovations at home and mid-year stocktake at work, time has been a bit tight.
OTL log after fix is attached as requested.

jeffce

  • Guest
Re: Possible Root Kit Infection
« Reply #5 on: June 30, 2013, 04:14:08 PM »
Hi,

No problem for any delay.  :)

How is your system running? 

okym

  • Guest
Re: Possible Root Kit Infection
« Reply #6 on: July 01, 2013, 07:56:18 AM »
The system seems to be running OK at this stage. No problems opening any of the programs, including Malwarebytes, and no noticeable issues with the overall operation.
Kym

jeffce

  • Guest
Re: Possible Root Kit Infection
« Reply #7 on: July 01, 2013, 02:39:27 PM »
Good...let's check for anything else hiding in there.

Malwarebytes

Please open Malwarebytes, update it and then run a Quick Scan.  Save the log that is created for your next reply.
----------

ESET Online Scanner

Go here to run an online scanner from ESET. Windows Vista/Windows 7 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator
  • Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.
  • Close the ESET online scan, and let me know how things are now.
----------

okym

  • Guest
Re: Possible Root Kit Infection
« Reply #8 on: July 07, 2013, 04:28:32 AM »
Hi Jeff,
Everything seems to be running fine at the moment. The only issue I am having is the Norton 360 critical updates will not load, but I am not sure if that is related to the issue at hand or a Norton problem.
The logs are attached as requested.
Regards,
Kym

jeffce

  • Guest
Re: Possible Root Kit Infection
« Reply #9 on: July 07, 2013, 04:49:59 AM »
Everything is looking good. 

You might try a reinstall of Norton 360 if you have the license key?  If so, give that a try and let me know how your system is running.  :)

wyrmrider

  • Guest
Re: Possible Root Kit Infection
« Reply #10 on: July 07, 2013, 05:08:51 AM »
What about
C:\Users\bandk\AppData\Roaming\uTorrent\uTorrent.exe   a variant of Win32/Bunndle application
C:\Users\bandk\Downloads\uTorrent-3.3.exe   a variant of Win32/Bunndle application
and anything bundled or loaded by this program?

And is Norton 360 being used as an AV?
Are you also running Avast?

okym

  • Guest
Re: Possible Root Kit Infection
« Reply #11 on: July 07, 2013, 08:21:08 AM »
I have a licence key for the Norton; it is a genuine version that came with the laptop.
Looks like the grandkids have been using uTorrent when they have been visiting, as it is not a program I would normally use.
Will reinstall Norton when I can find the disk; we are in the middle of renovations and everything is packed away in boxes.
I am not running Avast on the laptop, only the PC. I have come here for help because the infection I thought I had on the laptop came from the same source as the infection on the PC, which essexboy sorted out for me several months ago.
If Jeff thinks I should uninstall uTorrent then I will. I will await further advice.

jeffce

  • Guest
Re: Possible Root Kit Infection
« Reply #12 on: July 07, 2013, 04:24:42 PM »
Hi,

Quote
what about
C:\Users\bandk\AppData\Roaming\uTorrent\uTorrent.exe   a variant of Win32/Bunndle application
C:\Users\bandk\Downloads\uTorrent-3.3.exe   a variant of Win32/Bunndle application
anything bundled or loaded by this program
As you can see in the following link, these entries are not necessarily bad.  >>>  http://www.systemlookup.com/search.php?type=filename&search=uTorrent.exe&s=

Now I would never recommend the use of torrents because even though the site and the download software might be fine, the software you are downloading from the site via Peer-to-Peer (P2P) could, and normally does, contain malicious content.  I would go ahead and remove uTorrent from the system completely.

As for Norton....do you happen to know if possibly the license has expired?  If it expired then the updates for the software would cease.  If you happen to find that it did expire, I would recommend Avast as a new antivirus program.  :)

okym

  • Guest
Re: Possible Root Kit Infection
« Reply #13 on: July 08, 2013, 04:42:20 AM »
uTorrent has been uninstalled.
I do not have a user account with uTorrent; as for the grandkids, I have no idea, that is up to their parents to worry about.
The Norton still has 9 months to run; it came with the laptop as part of the deal, so
when I find the disc I will run a repair and see if that fixes the problem.
Regards,
Kym
« Last Edit: July 08, 2013, 04:45:20 AM by okym »

wyrmrider

  • Guest
Re: Possible Root Kit Infection
« Reply #14 on: July 08, 2013, 06:12:46 AM »
Not a torrent user account:
a Windows user account separate from the administrator account, which you use most all the time except when doing system maintenance.
Harder for the bad guys to get to your system that way.
Do some research on locking down your system;
if the grandkids have their own user account you can prevent them from downloading rogue software.
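Two concrete lock-down steps that follow from this thread, written here as an added PowerShell example rather than anything posted by wyrmrider or the other participants: give day-to-day users (the grandkids) a standard account that is not in the local Administrators group, and turn off AutoRun for every drive type so that an autorun.inf on the next USB stick is never honoured (the MountPoints2 entries the OTL fix removed are exactly what that mechanism leaves behind). The script assumes Windows 10 or later, where the New-LocalUser family of cmdlets ships with PowerShell 5.1, and an elevated prompt; the function names and the 'Grandkids' account name are illustrative. NoDriveTypeAutoRun under Policies\Explorer is the standard machine-wide policy value; 0xFF disables AutoRun for all drive types.

```powershell
# Added hardening example (not from the thread). Assumes Windows 10+ / PowerShell 5.1
# (LocalAccounts cmdlets) and an elevated prompt. Function and account names are illustrative.

function New-StandardUserAccount {
    param([Parameter(Mandatory)][string]$Name)

    if (-not (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue)) {
        $pw = Read-Host -AsSecureString -Prompt "Password for $Name"
        New-LocalUser -Name $Name -Password $pw | Out-Null
    }

    # Members of Users can run programs but cannot install software machine-wide or
    # change protected settings. Make sure the account is in Users and NOT in Administrators.
    if (-not (Get-LocalGroupMember -Group 'Users' -Member $Name -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group 'Users' -Member $Name
    }
    if (Get-LocalGroupMember -Group 'Administrators' -Member $Name -ErrorAction SilentlyContinue) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $Name
    }

    # Return who still holds admin rights so the list can be reviewed.
    Get-LocalGroupMember -Group 'Administrators'
}

function Disable-AutoRun {
    # NoDriveTypeAutoRun is a bitmask of drive types for which AutoRun is disabled;
    # 0xFF covers them all (removable, fixed, network, CD-ROM, RAM disk, unknown).
    $pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $pol)) { New-Item -Path $pol -Force | Out-Null }
    Set-ItemProperty -Path $pol -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord

    # Return the effective value so the change can be verified (expect 255).
    (Get-ItemProperty -Path $pol).NoDriveTypeAutoRun
}

New-StandardUserAccount -Name 'Grandkids'
Disable-AutoRun
```

The policy takes effect for Explorer at next logon; the returned Administrators membership is the list to prune, since the laptop's everyday account being an administrator is what let a double-clicked folder on a USB stick write to the Run key and the Startup folder in the first place.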