
Booktkit/Rootkit. I can't get rid of it.


chooki


AdwCleaner:

 

# AdwCleaner v3.010 - Report created 29/10/2013 at 22:50:52
# Updated 20/10/2013 by Xplode
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Username : Z220 - HPX
# Running from : C:\Users\Z220\Desktop\adwcleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16720

*************************

 

checkup.txt:

 

 Results of screen317's Security Check version 0.99.75 
 Windows 7 Service Pack 1 x64 (UAC is enabled) 
 Internet Explorer 10 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Disabled! 
Total Defense Anti-Virus  
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300 
````````Process Check: objlist.exe by Laurent```````` 
 Malwarebytes Anti-Malware mbamservice.exe 
 Malwarebytes Anti-Malware mbamgui.exe 
 Total Defense Internet Security Suite Anti-Virus caamsvc.exe
 Total Defense Internet Security Suite Anti-Virus isafe.exe
 Malwarebytes' Anti-Malware mbamscheduler.exe  
 Malwarebytes Anti-Exploit mbae.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 3%
````````````````````End of Log``````````````````````

 

FSS.txt:

 

Farbar Service Scanner Version: 24-10-2013
Ran by Z220 (administrator) on 29-10-2013 at 22:57:54
Running from "C:\Users\Z220\Desktop"
Microsoft Windows 7 Professional  Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0

System Restore:
============

System Restore Disabled Policy:
========================

Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============

Other Services:
==============

File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys
[2013-10-12 02:52] - [2013-09-14 12:10] - 0497152 ____A (Microsoft Corporation) 314C17917AC8523EC77A710215012A65

C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2013-10-12 02:52] - [2013-09-08 13:30] - 1903552 ____A (Microsoft Corporation) 40AF23633D197905F03AB5628C558C51

C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit

**** End of log ****

 

Hopefully, all I have to do now is to reinstall my antivirus program to get its toolbar website checker working.
 


Even though the problems I experienced ARE indeed fixed, :) ... problems remained after system reinstallation that caused the antivirus toolbar helper to still not check any web pages. It marked everything as 'unknown' instead of 'safe', 'medium risk' and 'high risk'.

 

Now, after simply installing over the top, it works; it was a big concern for me that it didn't.

 

I didn't try Combofix because I didn't know how to use it.

 

I'm going to buy the Malwarebytes Pro. I like its realtime functionality. I had the trial and it's blocked a few pages already.

 

Thanks for everything, Marius; have a look in your Paypal in a few minutes. Let me know when you receive it.

 

chooki


Got your donation - thank you very much! :)

 

 

Uninstall our tools using delfix

Please follow these steps in order:

  1. In case we used Defogger to turn off your CD emulation software, you can start it again and use the Enable button.
  2. In case we used Combofix, deactivate your antivirus software once more, then rename combofix.exe to uninstall.exe and run it one last time. You will be notified that Combofix has been removed.
  3. In any case, please download delfix to your desktop.
    • Close all other programs and start delfix.
    • Please check all the boxes and run the tool.
    • delfix will now delete all found traces of our removal process.
    • If there is still something left, please delete it manually.

 

 

 

How to protect yourself

  • System Updates
    Being up to date is very important. Please be sure to activate automatic updates in your control panel.
    Windows XP | Windows Vista |
    Windows 7 | Windows 8
  • Protection
    What you need is one (not more) good virus scanner with background protection. Additionally I recommend a special malware scanner that you run from time to time.
    Personally I am using the avast! Antivirus Free Edition and Malwarebytes Anti-Malware. They offer you good protection for free use. But please remember: you only get the full protection if you use the paid versions of your security software.
  • Up to date Software
    Stay up to date with all the programs you use. Some of those you really have to keep an eye on are: your browser(s) including add-ons and plug-ins, Java, Flash Player, your virus scanner, and basically every software you use often. These links may help you to check:

  • Backups
    There are chances for an emergency every day. So be prepared. Back up your data on a regular basis. Whether you burn it to DVDs from time to time, use a cloud drive or a professional network backup system is your choice.
  • Brains
    It's no joke! You really need one of those things. :) It is very important not just to click anywhere it is colored or flashing while you are surfing the web. Do not click an OK button on any popping window without reading what it says. While installing software always choose the custom mode, read what those windows say and uncheck adware that would be installed along with the software you want.


Delfix cleaned up the desktop and a few other areas. I had to go into program files and delete one or two antimalware folders via the uninstall.exe files in them. Also deleted some other left over files and folders that remained after uninstalling via add/remove.

 

The MBR still has traces of the malware, I think...one program already mentioned in this thread, boot cleaner or similar still notifies of rootkit modifications in the MBR. The antivirus email protection component broke again but I have reinstalled afresh and it works properly now, as does the antivirus BHO.

 

Apart from the traces, everything is good, webpages load like lightning once again, no more crashing of I.E. 10. Windows Defender was able to run for the first time since system reinstall and WD update signatures which were about 3 years old.

 

Provided everything remains as it is now, I am happy enough however if things start acting strangely again maybe I can fully wipe the SSD so that it needs to be reinitialized. THAT should, hopefully, wipe EVERYTHING, including the MBR, but.... there are 3 other partitions on Drive0 without letters assigned and in these partitions are system and recovery items. The workstation didn't come with a Windows 7 installation disc, only the HP discs... I suppose I could find the drivers on the HP website.... I don't know what I may do, I will think it over.

 

I bought Malwarebytes Antimalware Pro yesterday. I think it's good to run it alongside Total Defense even though Total Defense doesn't like that being done. ... I like the realtime functionality in MAW Pro.

 

Before I read one of your posts yesterday, Marius, I split the file using WinRAR and uploaded it to bleepingcomputer. The more A-V and A-W companies that wipe it out the better.

 

Kind regards


An MBR has no "hidden areas"; what there is can be seen. We've checked this several times and the code written into your MBR is the one belonging to your operating system.

Note: tools may produce false positives. Even if an MBR code is merely unknown (for example, if your computer vendor set up a recovery partition), bootkit remover reports "hooked by bootkit", which is complete nonsense.

 

We may do a special checkup of your MBR data, if you want.


Scan with aswMBR

Please download aswMBR ( 4.5MB ) to your desktop.

  • Double click the aswMBR.exe icon, and click Run.
  • There will be a short delay before the next dialog box comes up. Please just wait a minute or two.
  • When asked if you'd like to "download the latest Avast! virus definitions", click Yes.
  • Typically this is about a 100MB download so depending on your connection speed it can take a short while to download and become ready.
  • Click the Scan button to start the scan once the update has finished downloading
  • On completion of the scan, click the save log button, save it to your desktop, then copy and paste it in your next reply.

 
 
Then do a scan of the file MBR.dat (located on your desktop) via Virustotal:
 
 
Scan file(s) via VirusTotal

Please check the file in the code box via VirusTotal:
  • Click Browse
  • navigate to the MBR.dat on your desktop, highlight it
  • and click Open.
  • Click Send File.

Please be patient until the file is uploaded completely. If you get the message

File already submitted: The file sent has already been analysed by VirusTotal in the past. This is some basic info regarding the sample itself and its last analysis:
click on Reanalyse. Wait until Current status: Finished appears. Now, copy the link from within your browser's address bar and post it here.

aswMBR result:

 

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-10-30 21:17:25
-----------------------------
21:17:25.475    OS Version: Windows x64 6.1.7601 Service Pack 1
21:17:25.475    Number of processors: 8 586 0x3A09
21:17:25.475    ComputerName: HPX  UserName:
21:17:25.855    Initialize success
21:19:38.048    AVAST engine defs: 13102901
21:19:52.408    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-2
21:19:52.408    Disk 0 Vendor: INTEL_SS 335t Size: 228936MB BusType: 8
21:19:52.408    Disk 1  \Device\Harddisk1\DR1 -> \Device\Ide\IAAStorageDevice-3
21:19:52.408    Disk 1 Vendor: WDC_WD20 05.0 Size: 1907729MB BusType: 8
21:19:52.418    Disk 2  \Device\Harddisk2\DR2 -> \Device\Ide\IAAStorageDevice-4
21:19:52.418    Disk 2 Vendor: WDC_WD20 05.0 Size: 1907729MB BusType: 8
21:19:52.428    Disk 0 MBR read successfully
21:19:52.428    Disk 0 MBR scan
21:19:52.438    Disk 0 Windows 7 default MBR code
21:19:52.438    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          800 MB offset 2048
21:19:52.438    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       221789 MB offset 1640448
21:19:52.448    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS         6245 MB offset 455864320
21:19:52.458    Disk 0 Partition 4 00     27 Hidden NTFS WinRE MSDOS5.0      100 MB offset 468654080
21:19:52.478    Disk 0 scanning C:\Windows\system32\drivers
21:19:57.498    Service scanning
21:20:05.023    Modules scanning
21:20:05.023    Disk 0 trace - called modules:
21:20:05.033    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys iaStor.sys hal.dll
21:20:05.033    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80170cd790]
21:20:05.033    3 CLASSPNP.SYS[fffff88001cf343f] -> nt!IofCallDriver -> [0xfffffa800d5c4430]
21:20:05.043    5 ACPI.sys[fffff88000efa7a1] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-2[0xfffffa800d5c7050]
21:20:05.393    AVAST engine scan C:\Windows
21:20:06.033    AVAST engine scan C:\Windows\system32
21:21:19.898    AVAST engine scan C:\Windows\system32\drivers
21:21:24.928    AVAST engine scan C:\Users\Z220
21:21:37.261    AVAST engine scan C:\ProgramData
21:21:43.536    Scan finished successfully
21:22:26.196    Disk 0 MBR has been saved successfully to "C:\Users\Z220\Desktop\MBR.dat"
21:22:26.196    The log file has been saved successfully to "C:\Users\Z220\Desktop\aswMBR.txt"

 

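To make concrete what Marius means by "what there is can be seen" in an MBR, and what aswMBR is reporting in the partition lines above, here is an added example (my own code, not aswMBR's and not from anyone in this thread) that parses a raw 512-byte MBR dump such as MBR.dat into its partition table and hashes the boot-code area so it can be compared against a known-good copy rather than trusting a tool's "hooked by bootkit" verdict. The sample MBR is constructed from the partition layout in the log above with placeholder boot code, and the reference hash is an assumption (in practice it comes from a trusted dump of the same disk).

```python
import hashlib
import struct

# Partition type names for the types that appear in the aswMBR log above (subset).
PART_TYPES = {0x07: "HPFS/NTFS", 0x27: "Hidden NTFS WinRE"}

def build_mbr(boot_code, entries):
    """Assemble a 512-byte MBR from boot code and (status, type, start_lba, sectors) entries."""
    table = b"".join(struct.pack("<B3xB3xII", s, t, lba, n) for s, t, lba, n in entries)
    table = table.ljust(64, b"\x00")                      # unused slots stay zeroed
    return boot_code.ljust(440, b"\x00") + b"\x00" * 6 + table + b"\x55\xAA"

def parse_mbr(data):
    """Return the boot-code hash and the non-empty primary partition entries of a raw MBR."""
    if len(data) != 512 or data[510:] != b"\x55\xAA":
        raise ValueError("not a 512-byte MBR with a 0x55AA boot signature")
    parts = []
    for i in range(4):                                    # four 16-byte entries at offset 446
        status, ptype, lba, n = struct.unpack_from("<B3xB3xII", data, 446 + 16 * i)
        if ptype == 0:
            continue                                      # empty slot
        parts.append({"index": i + 1, "bootable": status == 0x80, "type": ptype,
                      "name": PART_TYPES.get(ptype, "unknown"),
                      "start_lba": lba, "size_mb": n * 512 // (1024 * 1024)})
    return {"boot_code_sha256": hashlib.sha256(data[:440]).hexdigest(), "partitions": parts}

def boot_code_matches(data, reference_sha256):
    """True when the boot-code area (bytes 0..439) hashes to a known-good reference."""
    return parse_mbr(data)["boot_code_sha256"] == reference_sha256

# Constructed sample: placeholder boot code (not real Windows code) plus the partition
# layout from the aswMBR log above (LBA offsets and MB sizes as reported there).
SAMPLE_BOOT_CODE = b"\xEB\xFE" + b"\x90" * 438
SAMPLE_MBR = build_mbr(SAMPLE_BOOT_CODE, [(0x80, 0x07, 2048, 800 * 2048),
                                          (0x00, 0x07, 1640448, 221789 * 2048),
                                          (0x00, 0x07, 455864320, 6245 * 2048),
                                          (0x00, 0x27, 468654080, 100 * 2048)])
# Assumed reference: in practice the hash of a trusted MBR.dat saved earlier from the
# same disk; here it is simply the hash of the constructed sample's boot code.
REFERENCE = hashlib.sha256(SAMPLE_BOOT_CODE).hexdigest()
TAMPERED_MBR = b"\x00" + SAMPLE_MBR[1:]                   # one boot-code byte altered

if __name__ == "__main__":
    for p in parse_mbr(SAMPLE_MBR)["partitions"]:
        print(p)
    print("sample matches reference:", boot_code_matches(SAMPLE_MBR, REFERENCE))
    print("tampered matches reference:", boot_code_matches(TAMPERED_MBR, REFERENCE))
```

The four parsed entries reproduce the log's Partition 1..4 lines (bootable flag, type 07/27, offsets 2048, 1640448, 455864320, 468654080 and sizes 800, 221789, 6245, 100 MB); a changed boot-code byte fails the hash comparison while an unknown-but-unchanged MBR does not.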

As you can see (when you visit the virustotal link) 47 different vendors of antivirus solutions checked your MBR data and all of them say: It is clean! :)

We use VT as a reference for any files we do not know as 100% clean so feel safe with your MBR (and delete the tools delivering false positives).


Ok I am totally satisfied, thank you.

=========================================================================

  • Brains
    It's no joke! You really need one of those things.
    :)

Yes very true lol, and to keep it turned on at all times! 15 years or so of using computers and I (should) know well enough the risk of running executables. I downloaded a film and it offered the video.codec.exe, so I didn't tick to download it, but the film wouldn't play without it, so I went back and got the video.codec.exe and ran it with elevated UAC!! I didn't listen to the little man on my shoulder and paid the price for being greedy.

 

 

thanks again

 

chooki


  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

