Topic: Viruses and Worms: Several Rootkits found, DOS mode reboot wouldn't work!


Magic Man 1

  • Guest
Avast found several high severity rootkits in regular scan mode. I couldn't move them to the virus chest, delete or repair the infected files. I restarted the computer and DOS scan mode for avast kicked in, giving me several options: delete, delete all, move to chest, move all to chest, repair, repair all, ignore, or ignore all. I tried delete, move to chest and repair; none worked. What do I do? I am now running my computer in safe mode and doing another scan. When the program detects the viruses again, I just need to know what to do next. Thanks to all of you who have replied to the other topic that was originally started earlier.
 

   
« Last Edit: August 11, 2013, 04:59:29 PM by Magic Man 1 »

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89062
  • No support PMs thanks
Prior information and responses here:
http://forum.avast.com/index.php?topic=132092.0
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Magic Man 1

  • Guest
Sorry for not responding sooner, but I have been in and out all day. This is the progress thus far. Please note I could not find another way to attach the report from Malwarebytes other than to copy and paste it. These are all the steps that I have done at this point. There is still something that is attacking this computer. As I am typing, Avast has alerted me that something was blocked. Should I do the other steps past this point?

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.08.11.06

Windows Vista Service Pack 1 x86 NTFS
Internet Explorer 8.0.6001.19088
Angelo N Dawn :: OUR-OFFICE-DELL [administrator]

Protection: Enabled

8/11/2013 6:15:50 PM
mbam-log-2013-08-11 (18-15-50).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 227554
Time elapsed: 11 minute(s), 34 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\Angelo N Dawn\Downloads\MapsSetup.exe (PUP.Optional.Inbox) -> Quarantined and deleted successfully.

(end)

2013/08/11 18:13:51 -0400   OUR-OFFICE-DELL   Angelo N Dawn   MESSAGE   Starting protection
2013/08/11 18:13:51 -0400   OUR-OFFICE-DELL   Angelo N Dawn   MESSAGE   Protection started successfully
2013/08/11 18:13:51 -0400   OUR-OFFICE-DELL   Angelo N Dawn   MESSAGE   Starting IP protection
2013/08/11 18:14:46 -0400   OUR-OFFICE-DELL   Angelo N Dawn   MESSAGE   IP Protection started successfully
2013/08/11 18:14:50 -0400   OUR-OFFICE-DELL   Angelo N Dawn   MESSAGE   Starting database refresh
2013/08/11 18:14:50 -0400   OUR-OFFICE-DELL   Angelo N Dawn   MESSAGE   Stopping IP protection
2013/08/11 18:14:53 -0400   OUR-OFFICE-DELL   Angelo N Dawn   MESSAGE   IP Protection stopped successfully
2013/08/11 18:15:06 -0400   OUR-OFFICE-DELL   Angelo N Dawn   MESSAGE   Database refreshed successfully
2013/08/11 18:15:06 -0400   OUR-OFFICE-DELL   Angelo N Dawn   MESSAGE   Starting IP protection
2013/08/11 18:15:19 -0400   OUR-OFFICE-DELL   Angelo N Dawn   MESSAGE   IP Protection started successfully
2013/08/11 18:22:48 -0400   OUR-OFFICE-DELL   Angelo N Dawn   MESSAGE   Executing scheduled update:  Daily
2013/08/11 18:22:59 -0400   OUR-OFFICE-DELL   Angelo N Dawn   MESSAGE   Database already up-to-date
2013/08/11 20:07:40 -0400   OUR-OFFICE-DELL   Angelo N Dawn   MESSAGE   Starting protection
2013/08/11 20:07:40 -0400   OUR-OFFICE-DELL   Angelo N Dawn   MESSAGE   Protection started successfully
2013/08/11 20:07:40 -0400   OUR-OFFICE-DELL   Angelo N Dawn   MESSAGE   Starting IP protection
2013/08/11 20:07:46 -0400   OUR-OFFICE-DELL   Angelo N Dawn   MESSAGE   IP Protection started successfully

This is the extras text from OTL, sorry for putting it here but it will not allow me to attach anymore files.

12.0.6661.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 269
 seconds with 180 seconds of active time.  This session ended with a crash.
 
Error - 8/11/2013 8:02:08 PM | Computer Name = Our-Office-Dell | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
 12.0.6668.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 114
 seconds with 60 seconds of active time.  This session ended with a crash.
 
[ System Events ]
Error - 8/11/2013 6:02:20 PM | Computer Name = Our-Office-Dell | Source = volmgr | ID = 262190
Description = Crash dump initialization failed!
 
Error - 8/11/2013 6:03:14 PM | Computer Name = Our-Office-Dell | Source = volmgr | ID = 262190
Description = Crash dump initialization failed!
 
Error - 8/11/2013 6:03:46 PM | Computer Name = Our-Office-Dell | Source = HTTP | ID = 15016
Description =
 
Error - 8/11/2013 6:04:42 PM | Computer Name = Our-Office-Dell | Source = Service Control Manager | ID = 7000
Description =
 
Error - 8/11/2013 6:06:28 PM | Computer Name = Our-Office-Dell | Source = Service Control Manager | ID = 7022
Description =
 
Error - 8/11/2013 8:05:28 PM | Computer Name = Our-Office-Dell | Source = volmgr | ID = 262190
Description = Crash dump initialization failed!
 
Error - 8/11/2013 8:06:21 PM | Computer Name = Our-Office-Dell | Source = volmgr | ID = 262190
Description = Crash dump initialization failed!
 
Error - 8/11/2013 8:06:30 PM | Computer Name = Our-Office-Dell | Source = HTTP | ID = 15016
Description =
 
Error - 8/11/2013 8:07:56 PM | Computer Name = Our-Office-Dell | Source = Service Control Manager | ID = 7000
Description =
 
Error - 8/11/2013 8:09:26 PM | Computer Name = Our-Office-Dell | Source = Service Control Manager | ID = 7022
Description =
 
 
< End of report >

Magic Man 1

  • Guest
Okay, this is the latest action that I have taken in the step by step process that I have been given. Please see attached. Thanks again for all your help regarding this matter.

MM1

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Hi, what file was detected by Avast as a rootkit?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


Code:
:Commands
[CREATERESTOREPOINT]

:OTL
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (no name) - {ab56dfde-0c14-45b3-9df6-7b0eba617870} - No CLSID value found.
O2 - BHO: (no name) - {EFA17361-CDC0-4927-9AFC-BAAD1F96B2AE} - No CLSID value found.
O3 - HKLM\..\Toolbar: (TotalRecipeSearch) - {a0154e07-2b48-475c-a82a-80efd84ea33e} - C:\Program Files\TotalRecipeSearch_14\bar\1.bin\14bar.dll (MindSpark)
O3 - HKLM\..\Toolbar: (PopularScreensavers) - {f339a07f-9578-412d-85e0-b8a80277151a} - C:\Program Files\PopularScreensavers_7i\bar\1.bin\7ibar.dll (MindSpark)
O3 - HKU\S-1-5-21-3015119447-338064841-221048989-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKU\S-1-5-21-3015119447-338064841-221048989-1000\..\Toolbar\WebBrowser: (TotalRecipeSearch) - {A0154E07-2B48-475C-A82A-80EFD84EA33E} - C:\Program Files\TotalRecipeSearch_14\bar\1.bin\14bar.dll (MindSpark)
O3 - HKU\S-1-5-21-3015119447-338064841-221048989-1000\..\Toolbar\WebBrowser: (PopularScreensavers) - {F339A07F-9578-412D-85E0-B8A80277151A} - C:\Program Files\PopularScreensavers_7i\bar\1.bin\7ibar.dll (MindSpark)
O4 - HKLM..\Run: [] File not found
O4 - HKU\S-1-5-21-3015119447-338064841-221048989-1000..\Run: [ConduitFloatingPlugin_nemfjadlboooiffmcelkafilagddogim] "C:\Windows\system32\Rundll32.exe" "C:\Program Files\Conduit\CT3289663\plugins\TBVerifier.dll",RunConduitFloatingPlugin nemfjadlboooiffmcelkafilagddogim File not found
O4 - HKU\S-1-5-21-3015119447-338064841-221048989-1000..\Run: [p5PopularScreensaversWallpaper] C:\Program Files\PopularScreensavers\p5ScrCtr.dll (FunWebProducts.com)

:Files
C:\Users\Angelo N Dawn\AppData\Local\Apps\2.0\2D487A43.561
C:\Program Files\PopularScreensavers
C:\Program Files\Conduit

:Commands
[resethosts]
[emptytemp]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
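What essexboy does by hand above (pick out the O2/O3/O4 lines whose target no longer exists, or whose publisher is the adware vendor, and paste them under :OTL) can be mechanised. The script below is an added example written for this page; it is not OTL's own code or essexboy's fix. It assumes the line layout seen in the quoted OTL output (tag, dash, body, with "No CLSID value found" / "File not found" for dangling entries and a trailing "(Publisher)" for present files) and a hypothetical publisher deny list (MindSpark, FunWebProducts.com, Conduit) chosen for this one machine. The sample input is constructed: four lines copied from the thread, one made-up benign Run entry, one made-up non-O line.

```python
"""Triage OTL-style O2/O3/O4 lines and emit the :OTL section of a fix script.

Added example; it is not OTL's own code. The line format is assumed from the
OTL output quoted in this thread; the publisher list is a hypothetical deny
list for this one machine.
"""
import re
from dataclasses import dataclass

# Constructed sample: the first four lines are copied from the OTL output
# quoted in the thread, the fifth is a made-up benign Run entry, and the
# sixth is a made-up non-O line to show that it is skipped.
SAMPLE_OTL = r"""
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O3 - HKLM\..\Toolbar: (TotalRecipeSearch) - {a0154e07-2b48-475c-a82a-80efd84ea33e} - C:\Program Files\TotalRecipeSearch_14\bar\1.bin\14bar.dll (MindSpark)
O4 - HKLM..\Run: [] File not found
O4 - HKU\S-1-5-21-3015119447-338064841-221048989-1000..\Run: [p5PopularScreensaversWallpaper] C:\Program Files\PopularScreensavers\p5ScrCtr.dll (FunWebProducts.com)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
(constructed header line, not an O-line)
"""

# Hypothetical deny list (assumption for this example): publisher names that
# appear in the "(Publisher)" suffix of the adware lines quoted in the thread.
ADWARE_PUBLISHERS = {"mindspark", "funwebproducts.com", "conduit"}

# Phrases OTL prints when a registry entry points at something that is gone.
ORPHAN_MARKERS = ("No CLSID value found", "File not found")

LINE_RE = re.compile(r"^(?P<tag>O\d+) - (?P<body>.*)$")
PUBLISHER_RE = re.compile(r"\((?P<pub>[^()]+)\)\s*$")


@dataclass
class Entry:
    tag: str       # O2, O3, O4 ...
    text: str      # the original line, pasted verbatim into the fix
    verdict: str   # "orphan", "adware" or "keep"
    reason: str


def classify_line(line):
    """Return an Entry for an O-line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    tag, body = m.group("tag"), m.group("body")
    # Dangling entries first: a BHO/Run value whose file or CLSID is missing
    # is dead weight whatever its name says, so it goes regardless of publisher.
    if any(marker in body for marker in ORPHAN_MARKERS):
        return Entry(tag, line.strip(), "orphan", "target missing")
    pm = PUBLISHER_RE.search(body)
    pub = pm.group("pub").strip() if pm else ""
    if pub.lower() in ADWARE_PUBLISHERS:
        return Entry(tag, line.strip(), "adware", f"publisher {pub}")
    return Entry(tag, line.strip(), "keep", "no match")


def triage(log_text):
    """Classify every O-line in an OTL log; non-O lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        entry = classify_line(line)
        if entry is not None:
            entries.append(entry)
    return entries


def build_fix(entries):
    """Emit the :OTL section in the paste-in form used in the thread."""
    remove = [e for e in entries if e.verdict != "keep"]
    lines = [":OTL"] + [e.text for e in remove]
    lines += ["", ":Commands", "[emptytemp]", "[Reboot]"]
    return "\n".join(lines)


if __name__ == "__main__":
    found = triage(SAMPLE_OTL)
    for e in found:
        print(f"{e.verdict:7} {e.tag}  ({e.reason})")
    print()
    print(build_fix(found))
```

The script only mirrors the :OTL section; the :Files entries and [resethosts] in essexboy's fix still call for a human looking at the directory listing and the hosts file, and the deny list is the judgement call that makes or breaks the result (a publisher name is trivially forgeable, so treat "keep" as "not flagged by this rule", not "clean").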

Magic Man 1

  • Guest
Hello, sorry for not responding sooner, but I have been at work all day, so combating this problem has not been an easy task for me between yesterday and today, for that matter. Let me recap here for a moment: after the rootkits were first discovered, it first brought me to the DOS reboot screen. I had called the free tech support shortly thereafter and, to be perfectly honest, I didn't think to have that information readily available. Which brings me to the next point: my computer has been off all day while I was at work, so I don't know the condition of it at this time, as I am using my laptop to communicate here. I have included all logs thus far except maybe the extended log for OTL (at least I believe it was OTL). Well, anyway, is there a way to find out by going into Avast archives on that computer to determine what they were? If not, what next?

I am a bit frustrated at this point. If my memory serves me correctly, I believe one of them was a win32. For the most part, after running the Malwarebytes program it indicated that only ONE was left from that point, and that was a PUP32 or something like that. I have included the previous log from that scan as well as others. All I can ask is that you please review the attachments previously included and also the text from the screens that I included; if you tell me what to do next, I will follow it to a "T" from here on out, I promise! I apologize, as this is the first time I have ever had to seek help outside of what I already know. I am not a techie or savvy at all this stuff. With that being said, that doesn't mean that I am not willing to learn! In advance, thank you again for all your help and assistance, you guys ROCK!!!!!!

MM1

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
The aswboot log will be found here: C:\ProgramData\AVAST Software\Avast\log. This will show what was detected.

If you run the OTL fix, that will remove the remnants of the Win32 adware.

No problem with questions we thrive on them here :)