Rootkit: hidden file not deleting

[phesketh]

Ok, newbie with migraine so please forgive any stupid questions.

Installed AVAST! yesterday after norton didnt find the problem.   AVAST pass 1 found (among other things) 
C:\WINDOWS\system32\...\svchost.exe  as a Rootkit system modification
and
C:\WINDOWS\assembly\..\RegCode.dll  ans  Rootkit: hidden file

I marked them for delete applied the request and then rebooted and did a bootscan.
then I reran full scan and svchost.exe was gone but RegCode.dll is still coming up as a Rootkit: hidden file.

How do I rid myself of this problem ?

Paula

[Pondus]

Follow this guide here and attach the logs


http://forum.avast.com/index.php?topic=53253.0

Lower left corner > additional options > attach
If the logs are to big, then upload to http://www.mediafire.com/ and post the download link here

Installed AVAST! yesterday after norton didnt find the problem.

do you have avast and Norton installed ?

[phesketh]

Norton came installed
Ran norton didnt find problem
installed avast
ran avast fixed first problems
noted remaining rootkit hidden file
uninstalled norton (got message about unable to unregister file types)
reran avast scan.

Malware trace follows
Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7680

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

08/09/2011 6:26:49 PM
mbam-log-2011-09-08 (18-26-49).txt

Scan type: Quick scan
Objects scanned: 170877
Time elapsed: 9 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



OTR to follow later this evening

[Pondus]

Norton came installed
Ran norton didnt find problem
installed avast
ran avast fixed first problems
noted remaining rootkit hidden file
uninstalled norton (got message about unable to unregister file types)
reran avast scan.

Never install two antivirus (see reply from quietman7)
http://www.bleepingcomputer.com/forums/index.php?s=7c8217673a726b92cfc91ecfd4294a29&showtopic=260844&view=findpost&p=1441638

[phesketh]

Reran scan after norton uninstalled same problem ... yes I know it was a stupid thing to do.
Prior to OTL run still had the full avast scan return that the C:\WINDOWS\assembly\..\RegCode.dll was a Rootkit: hidden file.

Attaching the OTL files

[essexboy]

I am wondering whether they are false positives.  Let me know of any problems after this run 

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  

  :OTL
  SRV - [2005/01/21 22:32:12 | 000,206,552 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
  DRV - [2003/08/15 23:22:12 | 000,082,136 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)
  O3 - HKU\S-1-5-21-4086094332-3286426674-3171654885-1005\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
  O4 - HKLM..\Run: [lphcc71j0e5an] File not found
  O4 - HKLM..\Run: [Sony Ericsson PC Suite] File not found
  O4 - HKLM..\Run: [SunJavaUpdateSched] File not found
  O4 - HKLM..\Run: [Symantec NetDriver Monitor] File not found
  [2011/09/07 22:36:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MFAData
  
  :Files
  ipconfig /flushdns /c
  C:\WINDOWS\system32\drivers\svchost.exe
  
  :Commands
  [purity]
  [resethosts]
  [emptytemp]
  [EMPTYFLASH]
  [CREATERESTOREPOINT]
  [Reboot]
• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

[phesketh]

Ok,  following instructions.   Unless I hear differently will be doing the quick scan with nothing in the custome scans/fixes box and scan all users not set.

Paula

[phesketh]

LOG from OTL run attached

[essexboy]

Are the alerts still occuring ?

Download the GMER Rootkit Scanner. Unzip it to your Desktop.
 
Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
 
Double-click gmer.exe. The program will begin to run.
 
**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised!
 
If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

• Click NO
  
• In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  
• Now click the Scan button.

Once the scan is complete, you may receive another notice about rootkit activity.

• Click OK.
• GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt" 
  
• Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

[phesketh]

Yes avast is still telling me about the rootkit hidden file.

Here is the GMER file.  It didnt mention any rootkits.

THanks again
Paula

[essexboy]

GMER shows clear - I wonder if this is a false positive, but lets  do a driver check

Download and Install Combofix

Download ComboFix from one of the following locations:

Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop *

 IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

• Double click on ComboFix.exe & follow the prompts.
  
• Accept the disclaimer and allow to update if it asks

• When finished, it shall produce a log for you.
• Please include the C:\ComboFix.txt in your next reply.[/b]
  

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

[phesketh]

OK, was running scan,   it gave me the 10 minute estimate ... then about 15 minutes later my laptop drops into suspend (30 min or more of non use should do that).   opening and closing the lid is not recovering it from suspend so I will have to use the power switch.  what should I do now about the scan ?

Paula

[phesketh]

FYI when the machine came back combofix was gone from the desktop.

updating and rerunning avast right now.

Paula

[essexboy]

Let me know if the rootkit alerts returns please

[phesketh]

c:\WINDOWS\assembly\GAC\Regcode\1.0.5000.0__b03f5f7f11d50a\RegCode.dll is still marked as high severity and status Threat: Rootkit: hidden file

Running boot scan for the next hour.

Paula