Author Topic: Rootkit found  (Read 2801 times)


Offline tsubasa.suzuki22

Rootkit found
« on: April 09, 2016, 02:56:41 AM »
Avast found a rootkit in my system and I am in need of help to remove it.


Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 4/8/2016
Scan Time: 7:26 PM
Logfile: Malware.txt
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2016.04.08.06
Rootkit Database: v2016.04.03.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 10
CPU: x64
File System: NTFS
User: Tsubasa

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 403346
Time Elapsed: 23 min, 33 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 2
PUP.Optional.InstallCore, C:\Users\Tsubasa\AppData\Local\Temp\ICReinstall_YoutubeDownloader_Setup.exe, Quarantined, [d1955557861356e07fc7acbd2bd6d828],
PUP.Optional.InstallCore, C:\Users\Tsubasa\Downloads\YoutubeDownloader_Setup.exe, Quarantined, [79ed8d1ff1a8290d2d19d09937caf10f],

Physical Sectors: 0
(No malicious items detected)


(end)

Offline dbrisendine

Re: Rootkit found
« Reply #1 on: April 09, 2016, 07:34:41 AM »
Did you try the "Fix MBR" after the aswMBR scan?

FIRST >>>>

Please go to START (Windows Orb) >> Control Panel >> Uninstall a Program or Programs and Features and remove the following (if listed):

Coupon Printer for Windows

Open Broadcaster Software


To do so, left-click on the name once and then click Uninstall/Change at the bar above the list window.

Follow the prompts of the uninstaller BUT please read carefully any questions it asks before answering; some uninstallers will try and deceive you into keeping the software.


SECOND >>>>

Fix with Farbar Recovery Scan Tool
This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.
Download the attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished, FRST will generate a log on the Desktop, called Fixlog.txt.
Please attach it to your reply.
Win7 x32 Ult. SP1, Brain 2.0 / Win10 x64, Brain2.5
My help is always free but if you would like to help encourage me or show your thanks -----> DONATE

Offline tsubasa.suzuki22

Re: Rootkit found
« Reply #2 on: April 09, 2016, 08:26:53 AM »
Thank you for the reply.


Offline dbrisendine

Re: Rootkit found
« Reply #3 on: April 09, 2016, 09:21:34 AM »
If you want a good second opinion / scanner for rootkit, please do the following:


Download the latest version of TDSSKiller from here and save it to your Desktop.



  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.


  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.


  • Click the Start Scan button.


  • If a suspicious object is detected, the default action will be Skip; click on Continue.


  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.


  • Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.


    A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

Offline tsubasa.suzuki22

Re: Rootkit found
« Reply #4 on: April 09, 2016, 09:59:38 AM »
02:56:00.0669 0x0fb0  TDSS rootkit removing tool 3.1.0.9 Dec 11 2015 22:49:12
02:56:02.0669 0x0fb0  ============================================================
02:56:02.0669 0x0fb0  Current date / time: 2016/04/09 02:56:02.0669
02:56:02.0669 0x0fb0  SystemInfo:
02:56:02.0669 0x0fb0 
02:56:02.0778 0x0fb0  OS Version: 10.0.10586 ServicePack: 0.0
02:56:02.0778 0x0fb0  Product type: Workstation
02:56:02.0778 0x0fb0  ComputerName: TSUBASA-PC
02:56:02.0778 0x0fb0  UserName: Tsubasa
02:56:02.0778 0x0fb0  Windows directory: C:\WINDOWS
02:56:02.0778 0x0fb0  System windows directory: C:\WINDOWS
02:56:02.0778 0x0fb0  Running under WOW64
02:56:02.0778 0x0fb0  Processor architecture: Intel x64
02:56:02.0778 0x0fb0  Number of processors: 8
02:56:02.0778 0x0fb0  Page size: 0x1000
02:56:02.0778 0x0fb0  Boot type: Normal boot
02:56:02.0778 0x0fb0  ============================================================
02:56:02.0778 0x0fb0  BG loaded
02:56:06.0778 0x0fb0  System UUID: {494131B6-222D-832A-722D-B493D2A4D986}
02:56:11.0247 0x0fb0  Drive \Device\Harddisk0\DR0 - Size: 0xE8E1300000 ( 931.52 Gb ), SectorSize: 0x200, Cylinders: 0x1DB01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
02:56:11.0300 0x0fb0  ============================================================
02:56:11.0300 0x0fb0  \Device\Harddisk0\DR0:
02:56:11.0347 0x0fb0  MBR partitions:
02:56:11.0347 0x0fb0  \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x14000, BlocksNum 0x10D5000
02:56:11.0347 0x0fb0  \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x10E9000, BlocksNum 0x73620000
02:56:11.0347 0x0fb0  ============================================================
02:56:11.0972 0x0fb0  C: <-> \Device\Harddisk0\DR0\Partition2
02:56:11.0972 0x0fb0  ============================================================
02:56:11.0972 0x0fb0  Initialize success
02:56:11.0972 0x0fb0  ============================================================
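Added example (not code from the thread, from TDSSKiller or from any other tool it mentions): a Python script that reads the "Drive" and "Partition" lines from a TDSSKiller log like the one above and checks that the MBR partitions are contiguous, stay inside the disk, and leave no unexplained unpartitioned space, the kind of region a disk-resident rootkit's hidden file system (what the "Detect TDLFS file system" option looks for) would occupy. The sample excerpt is constructed from the values in the posted log, and the 2048-sector slack limit is an assumption.

```python
import re
# Constructed excerpt: three lines in the format of the TDSSKiller log posted above
# (drive size and partition values copied from that log).
SAMPLE_LOG = r"""02:56:11.0247 0x0fb0  Drive \Device\Harddisk0\DR0 - Size: 0xE8E1300000 ( 931.52 Gb ), SectorSize: 0x200, Cylinders: 0x1DB01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
02:56:11.0347 0x0fb0  \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x14000, BlocksNum 0x10D5000
02:56:11.0347 0x0fb0  \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x10E9000, BlocksNum 0x73620000
"""

DRIVE_RE = re.compile(r"Drive (\S+) - Size: (0x[0-9A-Fa-f]+) .*SectorSize: (0x[0-9A-Fa-f]+)")
PART_RE = re.compile(r"(\S+\\Partition\d+): MBR, Type (0x[0-9A-Fa-f]+), "
                     r"StartLBA (0x[0-9A-Fa-f]+), BlocksNum (0x[0-9A-Fa-f]+)")

def parse_layout(log_text):
    """Return (total_sectors, sector_size, [(name, type, start_lba, sector_count), ...])."""
    total_sectors, sector_size, parts = None, None, []
    for line in log_text.splitlines():
        m = DRIVE_RE.search(line)
        if m:
            sector_size = int(m.group(3), 16)
            total_sectors = int(m.group(2), 16) // sector_size
            continue
        m = PART_RE.search(line)
        if m:
            parts.append((m.group(1), int(m.group(2), 16),
                          int(m.group(3), 16), int(m.group(4), 16)))
    return total_sectors, sector_size, sorted(parts, key=lambda p: p[2])

def check_layout(total_sectors, parts, slack_limit=2048):
    """Flag overlap, partitions past the disk end, and unpartitioned gaps larger than
    slack_limit sectors; the area before the first partition (MBR, boot code) is expected."""
    findings = []
    cursor = parts[0][2] if parts else 0
    for name, _ptype, start, count in parts:
        if start < cursor:
            findings.append(f"{name} overlaps the previous partition")
        elif start - cursor > slack_limit:
            findings.append(f"{start - cursor} unpartitioned sectors before {name}")
        cursor = start + count
        if cursor > total_sectors:
            findings.append(f"{name} extends past the end of the disk")
    tail = total_sectors - cursor
    if tail > slack_limit:
        findings.append(f"{tail} unpartitioned sectors after the last partition")
    return findings

if __name__ == "__main__":
    total, size, parts = parse_layout(SAMPLE_LOG)
    for name, ptype, start, count in parts:
        print(f"{name}: type 0x{ptype:x}, {count * size / 2**30:.2f} GiB at LBA {start}")
    print(check_layout(total, parts) or "no unexplained gaps or overlaps")
```

For the posted log the two partitions are back to back and only 2048 sectors (1 MiB) remain after Partition2, so nothing is flagged; a shrunken Partition2 or an overlap would be.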

Offline tsubasa.suzuki22

Re: Rootkit found
« Reply #5 on: April 09, 2016, 06:42:43 PM »
I'm guessing that did the trick. Ran a scan and no detection of the rootkit. Thank you.

Offline dbrisendine

Re: Rootkit found
« Reply #6 on: April 11, 2016, 01:42:00 AM »
Glad to hear that!


Clean up of Malware Removal Tools
Now that we are through using these tools, let's clean them off your system so that, should you ever need to have malware removed again (we hope not), fresh, updated copies will be downloaded.

  • Download Delfix from here to your desktop and double click it to start the program
  • Ensure Remove disinfection tools is ticked
    Also tick:
  • Activate UAC
  • Create registry backup
  • Purge system restore
  • Reset system settings

  • Click Run
  • The program will run for a few moments and then Notepad will open with a log. Note: Please save this log first before rebooting your system (if asked to); DelFix does not save the log as it is trying to remove all traces of our work on your system. Please attach the log in your next reply.
You can delete any log files left on your desktop as these are no longer needed.
« Last Edit: April 11, 2016, 05:15:39 AM by dbrisendine »