Author Topic: Possible rootkit infection?  (Read 11884 times)


REDACTED

Possible rootkit infection?
« on: March 18, 2015, 07:32:55 AM »
Hi

My system has been detecting some strange virus etc. at random intervals .. like for instance the last detection was about half an hour ago and the one before that was 5/6 days ago, and when it happens ... avast keeps detecting this/that (mentioned below) for a brief period of time ... I'm using the avast free version (latest update). All previous detections (some were detected multiple times):

C:\Users\Public\Favouries\Favourites.bat [Infection= Win32:RmnDrp]
C:\Users\Public\Libraries\Libraries.pif [Infection= Win32:RmnDrp]
C:\Users\Public\Pictures\Pictures.exe [Infection= Win32:RmnDrp]
C:\Users\Public\Pictures\NVIDIA Corporation\Corporation.bat [Infection= Win32:RmnDrp]
C:\Users\Public\Pictures\NVIDIA Corporation\3D Vision Experience\Vision Experience.exe [Infection= Win32:RmnDrp]
C:\Users\Public\Pictures\NVIDIA Corporation\3D Vision Experience\3D Vision Preview Pack 1\3D Vision Preview Pack 1.bat [Infection= Win32:RmnDrp]
C:\Users\Public\Pictures\Recorded TV\Recorded TV.exe [Infection= Win32:RmnDrp]
C:\Users\Public\Pictures\Recorded TV\Temp Rec\Temp Rec.exe [Infection= Win32:RmnDrp]
C:\Users\Public\Pictures\Recorded TV\Temp Rec\TemSBE.bat [Infection= Win32:RmnDrp]
C:\Users\Public\Pictures\Recorded TV\Temp Rec\Sample Media\Media.bat [Infection= Win32:RmnDrp]
C:\user\public\documents\DELL.exe [Infection= Win32:KillAV-AJZ[TRJ]
C:\user\public\documents\documents.exe [Infection= Win32:RmnDrp]
C:\user\public\documents\downloads\downloads.exe [Infection= Win32:KillAV-AJZ[TRJ]
C:\users\public\public.exe [Infection= Win32:KillAV-AJZ[TRJ]
C:\users\public\documents\dell\musicstage\MusicStage.scr [Infection= Win32:RmnDrp]
C:\users\public\Music\Music.scr [Infection= Win32:GenMalicious-BJV[Trj]

Then I scanned with avast + Malwarebytes + supertin + rkill + Process Explorer + AdwCleaner + BootkitRemoval (Bitdefender) + MBAR (Malwarebytes Anti-Rootkit) + TDSSKiller + UVK (Ultra Virus Killer) ... and all results the same ... nothing found.

Well, so like 5 days ago when the detections stopped, I thought (hoped) that it was gone somehow (stupid, I know), but anyway .. today avast detected it again ... and I'm not getting this at all .. I mean the AV/security tools mentioned above are quite good but they all fail at this .. and even Avast can't seem to detect the cause of this ..

I'm no expert on this but from my understanding .. something keeps recreating (at random intervals) the files that avast detects .. and it's possibly still in my system (hiding somewhere) .... or, as someone suggested .. it could be something like a drive-by virus/something similar.

Whatever it may be .. it's getting into my system past all security measures .. usually I have avast + Malwarebytes + Windows Defender active .. and as mentioned previously .. avast can detect everything (I think) that this specific virus creates .. however neither it nor any of the mentioned security tools can detect the "root" of this issue.

Any help is much appreciated.

Offline Asyn

Re: Possible rootkit infection?
« Reply #1 on: March 18, 2015, 07:33:54 AM »
Attach your basic logs. (MBAM, FRST and aswMBR..!!)
Instructions: https://forum.avast.com/index.php?topic=53253.0
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline Pondus

Re: Possible rootkit infection?
« Reply #2 on: March 18, 2015, 07:58:48 AM »
If avast is correct, it seems you have a file infector ....
This is often bad news; depending on how far it has spread or whether avast is able to hold it back, this often ends with a format C: / reinstall

See the blog here by Miekiemoes - Director of Research @ Malwarebytes: http://miekiemoes.blogspot.no/2009/02/virut-and-other-file-infectors-throwing.html

Good or bad news, you'll find out when essexboy checks your logs

« Last Edit: March 18, 2015, 04:37:08 PM by Pondus »

REDACTED

Re: Possible rootkit infection?
« Reply #3 on: March 18, 2015, 08:26:37 AM »
Oh man .. I was actually hoping to avoid something like this ...

Let's hope for the best .. because I really don't want to use the system recovery disk, as it was created when I purchased this laptop .. about 3 years ago ...

Anyway, scan logs attached
« Last Edit: March 18, 2015, 08:28:59 AM by gabe22 »

Offline Asyn

Re: Possible rootkit infection?
« Reply #4 on: March 18, 2015, 08:28:28 AM »
OK, now you've to wait a bit...

Offline essexboy

Re: Possible rootkit infection?
« Reply #5 on: March 18, 2015, 04:17:45 PM »
An interesting case, this

CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
CreateRestorePoint:
BHO-x32: No Name -> {0055C089-8582-441B-A0BF-17B458C2A3A8} ->  No File
BHO-x32: No Name -> {074C1DC5-9320-4A9A-947D-C042949C6216} ->  No File
BHO-x32: No Name -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} ->  No File
BHO-x32: No Name -> {DA5BCE70-D057-4D63-943D-5F3927EC59F1} ->  No File
BHO-x32: No Name -> {DBC80044-A445-435b-BC74-9C25C1C588A9} ->  No File
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKLM-x32 - No Name - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} -  No File
2012-05-05 16:49 - 2012-05-05 16:49 - 0005089 _____ () C:\ProgramData\zjyopzph.wxh
AlternateDataStreams: C:\ProgramData\Microsoft:2UoeFqyreECzLAR8QsFQXn2
AlternateDataStreams: C:\ProgramData\Microsoft:pCeSIRJZiJU7JqQJdh0YNmeg
AlternateDataStreams: C:\Users\MARUF\Cookies:ffxfgs0RQYxOgo4lvR0Yks8Wrc
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix
On completion a log will be generated please post that

THEN

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

3.  If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.


Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

REDACTED

Re: Possible rootkit infection?
« Reply #6 on: March 19, 2015, 05:02:31 AM »
I ran both programs as you requested and ComboFix displayed the following error on different occasions, like 4/5 times, before shutting down the OS (automatically) .. screenshot attached.
« Last Edit: March 19, 2015, 05:05:32 AM by gabe22 »

Offline essexboy

Re: Possible rootkit infection?
« Reply #7 on: March 19, 2015, 04:14:28 PM »
Could you let me know how the computer is behaving now and is Avast reporting anything

REDACTED

Re: Possible rootkit infection?
« Reply #8 on: March 19, 2015, 05:15:34 PM »
I don't see many changes really .. performance-wise.
About the avast detection ... it used to happen randomly, as I mentioned in my first post ... the last detection was yesterday and the one before that 5/6 days ago ... I suppose we'll have to wait and see (will keep you guys posted).
BTW, do you have any suggestions on how we could recreate the event (avast detection), as in make the virus active? .. I really would like to have this thing removed for good.

I have one question though ... I probably don't have the best security setup, but a decent setup, or at least I would like to think so .. my question is: how did this virus, or whatever it is .. get through?

Offline essexboy

Re: Possible rootkit infection?
« Reply #9 on: March 19, 2015, 06:55:39 PM »
As they are in the public folders, I would assume it is to do with a website you have
You can scan the folder with Avast and see if they are still there


REDACTED

Re: Possible rootkit infection?
« Reply #10 on: March 20, 2015, 05:56:18 AM »
Usually when they are auto-generated ... avast detects them. Right now, no detections.

About the website part ... just wondering .. how is it that avast can detect whatever the website creates within the public directory and yet not the "root" of the problem itself (the script that keeps recreating those files at random intervals)?

Also, as I don't know which site is causing this issue (if in fact it is), how do I prevent this from happening again? Any suggestions?
« Last Edit: March 20, 2015, 06:43:09 AM by gabe22 »

Offline essexboy

Re: Possible rootkit infection?
« Reply #11 on: March 20, 2015, 02:14:20 PM »
Might be worth checking the individual website with Zulu (Zscaler) http://zulu.zscaler.com/ to see if it can detect anything. By web site I mean ones that you control and update

REDACTED

Re: Possible rootkit infection?
« Reply #12 on: March 20, 2015, 03:22:48 PM »
Sorry, I don't follow .. can you elaborate? I mean the "by web site I mean ones that you control and update" part
« Last Edit: March 20, 2015, 03:29:42 PM by gabe22 »

Offline essexboy

Re: Possible rootkit infection?
« Reply #13 on: March 20, 2015, 03:47:01 PM »
The public folders are where you put stuff that is shared between computers and websites. If you manage/own/control a web site, that is where you would put stuff


REDACTED

Re: Possible rootkit infection?
« Reply #14 on: March 20, 2015, 05:17:00 PM »
By sharing contents ... do you mean like cookies?