Author Topic: Avast! doesnt remove a rootkit file


Offline CUPIC

  • Newbie
  • Posts: 15
Re: Avast! doesnt remove a rootkit file
« Reply #15 on: January 31, 2011, 11:42:50 PM »
Thank you very much!

I will install that MBAM, whatever it is!

THANKS!


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40631
Re: Avast! doesnt remove a rootkit file
« Reply #16 on: January 31, 2011, 11:47:23 PM »
Here you go, do this run and attach the log to see if I missed any waifs and strays.

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Offline CUPIC

  • Newbie
  • Posts: 15
Re: Avast! doesnt remove a rootkit file
« Reply #17 on: February 01, 2011, 12:08:04 AM »
OK. I'll do it right now; it is already downloading the program.

But I still have one process or service in MSCONFIG's startup tab, called FUTUR. It has an "unknown" manufacturer, and the exe file of that service is at:


C:\Users\User\AppData\Roaming\Microsoft\zihooqu.exe

And it looks very malignant to me.

This service did not exist a few days ago.

I will post the Malwarebytes report when it finishes.


Thanks
« Last Edit: February 01, 2011, 03:19:19 AM by CUPIC »

Offline CraigB

  • Avast Überevangelist
  • Serious Graphoman
  • Posts: 10980
Re: Avast! doesnt remove a rootkit file
« Reply #18 on: February 01, 2011, 06:11:01 AM »
CUPIC, I noticed in one of your logs that you still have MSE on your system; even though it is disabled, it is not recommended to have two or more AVs on a system at one time.
Actually, you also have some Symantec/Norton stuff still on there too. You can find removal tools here:
http://uninstallers.blogspot.com/ (scroll down the list to 23b and 26a). Remember to delete the programs through Add/Remove Programs first, then run the tool for each, with reboots in between. If you have deleted Norton previously, then just run the tool anyway to get rid of leftovers. When done, finally clean your system with CCleaner.
And don't forget to follow the rest of essexboy's advice  :)
« Last Edit: February 01, 2011, 06:18:58 AM by craigb »

Offline SafeSurf

  • Avast Evangelist
  • Ultra Poster
  • Posts: 5203
Re: Avast! doesnt remove a rootkit file
« Reply #19 on: February 01, 2011, 08:44:27 AM »
@ craigb,
> CUPIC, I noticed in one of your logs that you still have MSE on your system; even though it is disabled, it is not recommended to have two or more AVs on a system at one time.
I believe this is an empty entry in the last ComboFix, but it would be best for Essexboy to take a look at this.

Offline CraigB

  • Avast Überevangelist
  • Serious Graphoman
  • Posts: 10980
Re: Avast! doesnt remove a rootkit file
« Reply #20 on: February 01, 2011, 08:55:51 AM »
> @ craigb,
> > CUPIC, I noticed in one of your logs that you still have MSE on your system; even though it is disabled, it is not recommended to have two or more AVs on a system at one time.
> I believe this is an empty entry in the last ComboFix, but it would be best for Essexboy to take a look at this.
I agree

Offline CUPIC

  • Newbie
  • Posts: 15
Re: Avast! doesnt remove a rootkit file
« Reply #21 on: February 01, 2011, 10:18:22 AM »
> CUPIC, I noticed in one of your logs that you still have MSE on your system; even though it is disabled, it is not recommended to have two or more AVs on a system at one time.


I don't have two (or more) AV programs; MSE has been on my computer for a long time, I downloaded it once when I updated Windows. When I was running ComboFix and OTL, I disabled MSE and Spybot.

Symantec Norton? I have never installed that AV on my machine.

I have one undefined process on the computer that cannot be excluded.


> I believe this is an empty entry in the last ComboFix, but it would be best for Essexboy to take a look at this.

I agree too.
« Last Edit: February 01, 2011, 10:27:53 AM by CUPIC »

Offline Swarnava/Heaven GOD

  • Sr. Member
  • Posts: 242
Re: Avast! doesnt remove a rootkit file
« Reply #22 on: February 01, 2011, 10:30:42 AM »
Please tell me how many antivirus programs you currently have installed besides Avast?

Offline CraigB

  • Avast Überevangelist
  • Serious Graphoman
  • Posts: 10980
Re: Avast! doesnt remove a rootkit file
« Reply #23 on: February 01, 2011, 10:47:51 AM »
Doesn't matter if MSE is disabled; there will still be low-level drivers running, so it should be uninstalled if you haven't already.

Offline CUPIC

  • Newbie
  • Posts: 15
Re: Avast! doesnt remove a rootkit file
« Reply #24 on: February 01, 2011, 10:57:31 AM »
> Here you go, do this run and attach the log to see if I missed any waifs and strays.

I did it!


The LOG file is attached.

Thank you!


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40631
Re: Avast! doesnt remove a rootkit file
« Reply #25 on: February 01, 2011, 08:32:57 PM »
OK, we will look in that area with a slightly different tool, as it is more versatile. What problems do you have at the moment?

Download OTS to your Desktop and double-click on it to run it
  • Make sure you close all other programs and don't use the PC while the scan runs.
  • Select All Users
  • Under additional scans select the following:
      Reg - NetSvcs
      Reg - Disabled MS Config Items
      Reg - Shell Spawning
      File - Lop Check
      File - Purity Scan

  • Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Please attach the log in your next post.

Offline CUPIC

  • Newbie
  • Posts: 15
Re: Avast! doesnt remove a rootkit file
« Reply #26 on: February 01, 2011, 09:21:35 PM »
I scanned the computer as you said.

Here is OTS.txt.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40631
Re: Avast! doesnt remove a rootkit file
« Reply #27 on: February 01, 2011, 10:51:35 PM »
Well, looky what I found. I like this programme for its flexibility. One of your users would have had problems logging in.

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code:
[Unregister Dlls]
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {02478D38-C3F9-4efb-9B51-7695ECA05670} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> {9CFACCB6-2F3F-4177-94EA-0D2B72D384C1} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-4190731207-121853071-4191398483-1000\] > -> HKEY_USERS\S-1-5-21-4190731207-121853071-4191398483-1000\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{472734EA-242A-422B-ADF8-83D1E48CC825}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_USERS\S-1-5-21-4190731207-121853071-4191398483-1000\] > -> HKEY_USERS\S-1-5-21-4190731207-121853071-4191398483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "futur" -> [C:\Users\User\AppData\Roaming\Microsoft\zihooqu.exe]
< Winlogon settings [HKEY_USERS\S-1-5-21-4190731207-121853071-4191398483-1000] > -> HKEY_USERS\S-1-5-21-4190731207-121853071-4191398483-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
*Shell* -> HKEY_USERS\S-1-5-21-4190731207-121853071-4191398483-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
YN -> C:\Users\User\AppData\Roaming\juzjf.exe ->
< Winlogon settings [HKEY_USERS\S-1-5-21-4190731207-121853071-4191398483-1000] > -> HKEY_USERS\S-1-5-21-4190731207-121853071-4191398483-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
[Registry - Additional Scans - Safe List]
< Disabled MSConfig Registry Items [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\
YN -> futur hkey=HKCU key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
[Files/Folders - Unicode - All]
NY -> C:\Windows\System32\????? -> C:\Windows\System32\獷楬汢捯污
NY -> C:\Windows\System32\????? -> C:\Windows\System32\獷楬汢捯污
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
[ZipFiles]
 

The fix should only take a very short time. When the fix is completed, a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of the actions taken during the fix. Post that information back here.

I will review the information when it comes back in.
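The fix above lists the persistence points that matter in this thread: an HKCU Run value ("futur") and a Winlogon Shell value both pointing into C:\Users\User\AppData\Roaming (the Run value is the same FUTUR entry CUPIC spotted in msconfig in reply #17), two BHO CLSIDs whose keys cannot be read, an msconfig startupreg record for the same item, and non-ASCII file names under System32. As an added example, not part of the thread or of the OTS tool, the Python below parses listing lines in this format and flags exactly those patterns. The listing embedded in it is copied from the fix above; the HKLM Run line for avastUI.exe is a constructed benign control line (its path is an assumption). OTS's two-letter YN/NY prefix is not interpreted, and a flag is a triage hint for the helper, not a verdict.

```python
"""Triage an OTS-style listing for suspicious autostart entries.

Added example for this thread; not OTS code and not any poster's code.
The listing below is copied from the OTS fix in the thread, except the
HKLM Run line for avastUI.exe, which is a constructed benign control line.
"""
import re
from dataclasses import dataclass

OTS_FIX = r"""
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {02478D38-C3F9-4efb-9B51-7695ECA05670} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> {9CFACCB6-2F3F-4177-94EA-0D2B72D384C1} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "avast" -> [C:\Program Files\AVAST Software\Avast\avastUI.exe]
< Run [HKEY_USERS\S-1-5-21-4190731207-121853071-4191398483-1000\] > -> HKEY_USERS\S-1-5-21-4190731207-121853071-4191398483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "futur" -> [C:\Users\User\AppData\Roaming\Microsoft\zihooqu.exe]
< Winlogon settings [HKEY_USERS\S-1-5-21-4190731207-121853071-4191398483-1000] > -> HKEY_USERS\S-1-5-21-4190731207-121853071-4191398483-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
*Shell* -> HKEY_USERS\S-1-5-21-4190731207-121853071-4191398483-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
YN -> C:\Users\User\AppData\Roaming\juzjf.exe ->
[Registry - Additional Scans - Safe List]
< Disabled MSConfig Registry Items [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\
YN -> futur hkey=HKCU key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
[Files/Folders - Unicode - All]
NY -> C:\Windows\System32\????? -> C:\Windows\System32\獷楬汢捯污
"""


@dataclass
class Finding:
    section: str
    target: str
    reason: str


# Directories a standard user can write to; a legitimate autostart rarely lives here.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")
AUTOSTART_KEYWORDS = ("run", "shell", "winlogon", "userinit")

TOP_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")            # [Registry - Safe List]
SECTION_RE = re.compile(r"^<\s*(?P<name>[^\[]+?)\s*\[")   # < Run [HKEY_USERS\...] > -> ...
VALUE_RE = re.compile(r"^\*(?P<name>[^*]+)\*\s*->")        # *Shell* -> ...
ENTRY_RE = re.compile(r"^[YN]{2}\s*->\s*(?P<rest>.*)$")    # YN -> ... (OTS flag pair, not interpreted)
BRACKET_PATH_RE = re.compile(r"\[([A-Za-z]:\\[^\]]+)\]")   # "name" -> [C:\path\file.exe]
BARE_PATH_RE = re.compile(r"^([A-Za-z]:\\.*?)\s*->\s*$")   # C:\path\file.exe ->


def extract_path(rest: str):
    """Return the file path named in an entry, or None if there is none."""
    m = BRACKET_PATH_RE.search(rest)
    if m:
        return m.group(1).strip()
    m = BARE_PATH_RE.match(rest)
    return m.group(1).strip() if m else None


def judge(section: str, rest: str) -> list:
    """Apply the location-based rules to one entry under the given section."""
    low = section.lower()
    if "bho" in low:
        if "reg error" in rest.lower():
            return [Finding(section, rest.split()[0],
                            "BHO CLSID listed but its registry key is unreadable or missing")]
        return []
    if "msconfig" in low:
        return [Finding(section, rest.split()[0],
                        "item unchecked in msconfig, which hides a startup entry rather than removing it")]
    if "unicode" in low:
        tail = rest.rsplit("->", 1)[-1].strip()
        if any(ord(c) > 127 for c in tail):
            return [Finding(section, tail, "non-ASCII file name under a system directory")]
        return []
    path = extract_path(rest)
    if path is None:
        return []
    out = []
    if low == "shell" and path.lower().rsplit("\\", 1)[-1] != "explorer.exe":
        out.append(Finding(section, path, "Winlogon Shell points somewhere other than explorer.exe"))
    if any(k in low for k in AUTOSTART_KEYWORDS) and any(d in path.lower() for d in USER_WRITABLE):
        out.append(Finding(section, path, "autostart target lives in a user-writable profile directory"))
    return out


def triage(listing: str) -> list:
    """Walk the listing, tracking the current section, and collect findings."""
    findings, section = [], ""
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        for rx in (TOP_RE, SECTION_RE, VALUE_RE):
            m = rx.match(line)
            if m:
                section = m.group("name").strip()
                break
        else:
            m = ENTRY_RE.match(line)
            if m:
                findings.extend(judge(section, m.group("rest")))
    return findings


if __name__ == "__main__":
    for f in triage(OTS_FIX):
        print(f"[{f.section}] {f.target}\n    {f.reason}")
```

Run it as a script to print the findings. The rules are deliberately about location rather than file names (where an autostart points, whether Shell is still explorer.exe, whether a BHO key can be read), because names like zihooqu.exe and juzjf.exe change from infection to infection while these persistence locations do not.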

Offline CUPIC

  • Newbie
  • Posts: 15
Re: Avast! doesnt remove a rootkit file
« Reply #28 on: February 02, 2011, 02:58:46 AM »
I did everything as you said.

First, I turned off all running programs. And I pasted the fixes into "Paste fix here".

During the first scan, the program stopped working. Windows terminated OSL.exe.

After that, I ran OSL.exe again and it required the computer to reboot.

BUT OSL didn't make any LOG file!

After that, Spybot S&D asked me to allow something and I allowed it.

> Well, looky what I found. I like this programme for its flexibility. One of your users would have had problems logging in.

One of my users?

My brother used the computer a few months ago, but now he has his own laptop and I'm the only user of this computer.

Thank you very much!

And sorry, my English is a disaster, I'm a beginner.
« Last Edit: February 02, 2011, 03:20:22 AM by CUPIC »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 83011
Re: Avast! doesnt remove a rootkit file
« Reply #29 on: February 02, 2011, 03:15:24 AM »
Well, it is 2:05am in the UK, so essexboy will be in bed and not back on the forums until after he finishes work tomorrow.

Do you mean you ran OTS again? There is no mention of running OSL. The last thing he asked for was to run OTS again, copy and paste the contents of the code box into "Paste fix here", and click the Run Fix button.

So I would suggest you try that again, and ensure that you follow this first instruction:
> Make sure you close all other programs and don't use the PC while the scan runs.
This includes avast for the duration of the scan.

I don't know if the run fix produces a log; if not, then run OTS again so that it produces a log after the fix, to see if anything else needs to be done.
« Last Edit: February 02, 2011, 03:17:27 AM by DavidR »