
Rootkit.ADS issue



Hi 

 

I have been regularly scanning my PC with the Malwarebytes Anti-Malware programme for years.

However, recently I appear to always find the same issue each time I do. It's a Rootkit.ADS in the c:\WINDOWS\system32:Win32App_1 file. Doesn't seem to matter how many times I remove it, it's there each time I scan. Should I be worried? Can you help?

Files attached per instructions on the Forum.  

Thanks 

Addition.txt

FRST.txt

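The detection above names a stream on the System32 directory itself (c:\WINDOWS\system32:Win32App_1). As an added check that is not part of the thread, the Windows PowerShell function below lists the NTFS alternate data streams attached to a path via the Win32 FindFirstStreamW/FindNextStreamW API, so it works for directories as well as files; the function name Get-NtfsStream and the object layout are this example's own choices, and it assumes an NTFS volume and an elevated prompt.

```powershell
# Added example (not from the thread): enumerate NTFS alternate data streams
# on a directory such as C:\Windows\System32 using the Win32 stream API.
Add-Type -Namespace Win32 -Name Streams -MemberDefinition @'
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct WIN32_FIND_STREAM_DATA
    {
        public long StreamSize;                       // LARGE_INTEGER
        [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 296)]
        public string cStreamName;                    // WCHAR[MAX_PATH + 36]
    }

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr FindFirstStreamW(
        string lpFileName, int InfoLevel, out WIN32_FIND_STREAM_DATA lpFindStreamData, uint dwFlags);

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool FindNextStreamW(IntPtr hFindStream, out WIN32_FIND_STREAM_DATA lpFindStreamData);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool FindClose(IntPtr hFindFile);
'@

function Get-NtfsStream {
    # Returns one object per stream on $Path. The unnamed data stream of a file
    # shows up as '::$DATA'; anything else is a named ADS worth a closer look.
    param([Parameter(Mandatory)][string]$Path)

    $data = New-Object 'Win32.Streams+WIN32_FIND_STREAM_DATA'
    $handle = [Win32.Streams]::FindFirstStreamW($Path, 0, [ref]$data, 0)
    if ($handle -eq [IntPtr](-1)) {
        # INVALID_HANDLE_VALUE: ERROR_HANDLE_EOF (38) simply means "no streams";
        # anything else is a real failure (missing path, access denied, non-NTFS volume).
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        if ($err -ne 38) { Write-Error "FindFirstStreamW failed on '$Path': Win32 error $err" }
        return
    }
    try {
        do {
            [pscustomobject]@{
                Path   = $Path
                Stream = $data.cStreamName        # e.g. ':Win32App_1:$DATA'
                Bytes  = $data.StreamSize
                Named  = ($data.cStreamName -ne '::$DATA')
            }
        } while ([Win32.Streams]::FindNextStreamW($handle, [ref]$data))
    } finally {
        [void][Win32.Streams]::FindClose($handle)
    }
}

# Check the directory named in the detection; report only named streams.
$target = Join-Path $env:SystemRoot 'System32'
$named = Get-NtfsStream -Path $target | Where-Object { $_.Named }
if ($named) { $named | Format-Table -AutoSize } else { "No named alternate data streams on $target" }
```

A stream that reappears after removal points at whatever recreates it (a scheduled task, service or startup entry) rather than at the stream itself, which is why the helper's FRST and autorun-oriented scans below matter more than deleting the stream by hand.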

Hello GPlews and welcome to the Forums.

 

My screen name is Android8888 but if you wish you can call me Rui which is my real name. I will be helping you with your malware issues. Please ask questions if anything is unclear.

I suggest printing out each set of instructions or copying them to a Notepad file, and reading the entire post before proceeding. It will make following them easier.

Read all of my instructions very carefully and bear in mind that any mistakes during the cleaning process may have serious consequences such as leaving the computer unbootable.

Please DO NOT run any tools on your own or make any other changes to your computer and follow the directions in the order listed during the malware removal process, otherwise you can worsen the situation rather than solve it.

Make sure to run all tools from the computer's Desktop and with Administrator privileges (i.e. right-click the tool icon and select Run as administrator).

Please run one scan at a time.

Once started the malware removal process has to be completed. Even if your computer appears to be running better, it may still be infected as some infections are difficult to remove and can leave remnants on the System.

That being said let's start.

 

I noticed that you have dubious and malicious programs installed on your system. I'll ask you to uninstall them since uninstalling such programs before running malware removal tools will ensure a better clean-up.
If you have an issue when uninstalling a program, please let me know.

Driver Booster 4.3
Freemake Video Converter
SpecialSavings
The Desktop Weather 2.0.1.11332


Next,

Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.

  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST64.exe executable is located); DO NOT open or modify that file!
  • Right-click on the FRST executable and select Run as Administrator;
  • Click on the Fix button;
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Please attach the fixlog.txt in your next reply;

 

Next,

Please read the instructions below and make a clean install of Malwarebytes from version 2 to version 3.

Download MBAM-clean and save it to your computer Desktop.
 
Right-click on mbam-clean.exe icon and select Run as administrator to start the tool.
It will ask you to reboot the machine - please do so.
Run the MBAM-clean tool again and reboot when complete. NOTE: DO NOT miss this step.

If you have lost the activation licence key information it can be located here

Download Malwarebytes version 3 from here and save it to your Desktop, or anywhere else on your system as long as you know where it is located.

Double click on the installer and follow the prompts to install the program. If necessary select the blue Help tab for video instructions.

When the install completes and is updated do the following:

  • Open Malwarebytes;
  • On the left pane select Settings;
  • Then select the Protection tab;
  • Scroll down to Scan Options and ensure Scan for Rootkits and Scan within Archives are both on.
  • Go back to DashBoard and select the blue Scan Now tab.
  • When the scan completes deal with any found entries.
  • Select Export Summary and then Text File (*.txt). Give a name to the log and save it;
  • Please attach that log to your next reply.

 

Next,

  • Download Junkware Removal Tool (JRT) and move it to your Desktop;
  • Right-click on JRT.exe and select Run as Administrator;
  • Press on any key to launch the scan and let it complete;
  • Once the scan is complete, a log will open. Please attach that log in your next reply;


Next,

  • Download AdwCleaner and move it to your Desktop;
  • Right-click on AdwCleaner.exe and select Run as Administrator;
  • Accept the EULA (I accept), let the database update, then click on Scan;
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Cleaning button. This will kill all the active processes;
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it;
  • After the restart, a log will open when logging in. Please attach that log in your next reply;

 

In your next reply please attach:
The fixlog.txt;
The Malwarebytes log;
The JRT.txt log;
The AdwCleaner clean log.

Let me know how the computer is running at this point.

Thank you.


Hi Rui 

 

Thanks for this, seems straightforward. Just a minor problem.

 

"Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST64.exe executable is located); DO NOT open or modify that file!"

 

There doesn't appear to be a file to download - have I misunderstood? Where do I find the file?


Hello GPlews.

I apologize for that. I forgot to attach the fixlist.txt file. It is attached now.

NOTE: In addition to the list of malicious programs to remove that I provided in my first post, please also uninstall the following:

Bundled software uninstaller

Don't forget to perform the scans that I asked you for in my first post and attach the logs.

Thank you.

Rui

fixlist.txt


Hi again.

Thanks again for the response.

I have now completed the first 2 scans and the logs are attached. 

However, each time I run the JRT tool I get a Stop Error, which I have attached a photo of.

Any Idea what to do about this?

It occurs after I run JRT as Administrator and click any key. It creates the restore point successfully but then throws the error whilst it is validating the restore point.

 

Thanks in advance.

Fixlog.txt

Malwarebytes Summary Results.txt

Runtime Error.JPG


Hello GPlews.

3 hours ago, GPlews said:

However each time I run the JRT Tool I get a Stop Error.  Which I have attached a Photo of.  

Any Idea what to do about this?

I'm not sure yet, but it could be a corrupted file (or files) caused by the infection that may be interfering with the tools. We will try to investigate further.

 

Okay, please DO NOT run JRT and AdwCleaner yet.

 

Please download Malwarebytes Anti-Rootkit BETA and save it to your Desktop.

  • Right-click on the icon and select Run as administrator to start the extraction of the program;
  • Click Yes to accept the security warning that may appear;
  • Click OK to extract it to your Desktop (MBAR will be launched shortly after the extraction);
  • Click on Next, and then on the Update button to let it update its database. Once the database has been successfully updated, click on Next;
  • Make sure all the checkboxes are checked, then click on the Scan button, and let it complete its scan (this can take a while);
  • Once the scan is done, if threats are found, make sure that every item is checked, and click on the Cleanup button (a reboot might be required);
  • After that (and the reboot, if one was required), go back to the mbar folder and look for a text file called mbar-log-TODAY'S-DATE.txt;
  • Please attach that log in your next reply;

 

Please download RogueKiller 32/64 Bits Installer (setup.exe) by Tigzy and save it to your Desktop.

  • Right click on the file setup.exe and select Run as administrator to install the tool.
  • Click Yes to accept any security warnings that may appear.
  • Choose the installation language and click OK.
  • Checkmark "Install 32 and 64 bits versions" and click Next. Follow the steps to install the tool.
  • Now close all programs and browsers.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • Right-click on the RogueKiller icon and select Run as administrator.
  • Click Yes to accept any security warnings that may appear.
  • Click the Scan tab and then click the Start Scan button.
  • Wait until the scan has finished. This may take some time.
  • Once finished click on Open Report. It will open a new window.
  • Click Export TXT to export the report as a text file, give a name to the file such as RKlog.txt and save it to your Desktop.
  • Close RogueKiller.


Please attach the RKlog.txt to your next reply.

 

Thank you.


Hi Again

 

Thanks for the continued support. I have run both the Anti-Rootkit Beta tool and the RogueKiller tool.

 

Anti-Rootkit didn't find anything. The log it exported wasn't called what you said, but I assume it's the system-log.txt file I have attached, which I found in the same folder as instructed.

 

RogueKiller found 30 issues, which I removed, and I have attached the RKlog.txt also.

 

Please let me know what's next and if I should go and try the JRT and ADW Scans again.  

 

Regards.

RKLog.txt

system-log.txt


Hello GPlews.

The main log from Malwarebytes Anti-Rootkit is called mbar-log-TODAY'S-DATE.txt, where TODAY'S-DATE is the date when the scan ran. For instance, if you ran the scan on May 2nd then the log name is mbar-log-2017-05-02 (Run Time).txt. It is located in the mbar folder.
Please attach that log in your next reply.

 

GPlews said:

Please let me know what's next and if I should go and try the JRT and ADW Scans again.

You are okay now to perform those scans (JRT and AdwCleaner). If Junkware Removal Tool won't run, go ahead and run AdwCleaner.


Next,
Please download Sophos Virus Removal Tool and save it to your computer's Desktop.

  • Right-click the icon and select Run as administrator.
  • Click Yes to accept any security warnings that may appear.
  • Click the Next button.
  • Select 'I accept the terms in the license agreement', then click Next twice.
  • Click the Install button and wait until the installation is complete.
  • Click the Finish button. The tool creates a shortcut icon on the Desktop of your computer.
  • Now, double-click the Sophos Virus Removal Tool shortcut icon to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • After it updates and a "Start Scanning" button appears in the lower right:
    • Disconnect from the Internet or physically unplug your Internet cable connection.
    • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
    • Temporarily disable your anti-virus and real-time anti-spyware protection.

  • Click the "Start Scanning" button in the lower right to start the scan.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, if it detected anything there will be a "Start Clean-up" button, click it and allow it to finish.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
  • If any threats are found click Details, then View Log file (bottom left-hand corner).
  • Copy and paste its contents in your next reply and note any errors encountered.
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup.
  • Click Exit to close the program.
  • If no threats were found, please confirm that result.


Note: Whenever necessary, the log will be in the following location:

C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs\SophosVirusRemovalTool.log
 
Please post the contents of that log in your next reply and note any errors encountered.


To summarize:
Attach the mbar-log-2017-xx-xx (Run Time).txt file;
Attach the JRT.txt file;
Attach the AdwCleaner clean log;
Copy and paste the content of SVRT log.

 

How is the computer running?

Thank you.


Hi Rui

Definitely no file called mbar-log-2017-xx-xx (Run Time).txt in the Mbar folder - just to be sure I ran it again and still no file - this might be because both times I ran it I found no threats? I've attached a picture of the folder also as proof!

JRT - ran fine this time, I'm pleased to say, and log attached.

ADW ran fine and log attached.

SVRT ran fine and NO threats found - so no log for that either.

 

Thanks.

 

 

 

AdwCleaner[C0].txt

JRT.txt

Mabar folder.JPG


Hello GPlews.

GPlews said:

Definitely no file called mbar-log-2017-xx-xx (Run Time).txt in the Mbar folder - just to be sure I ran it again and still no file - this might be because both times I ran it I found no threats? I've attached a picture of the folder also as proof!

No. Even if no threats were found, it should have produced a log. But that's okay, no problem with that. Let's continue.

 

So far, good news. Sophos Virus Removal Tool did not find any threats.

Now let's re-check for leftovers that could have been left behind.

Please scan your computer with ESET Online Scanner.

  • Click on this link to open ESET Online Scanner in a new window.
    1. Click on the Scan Now button to download the esetonlinescanner_enu.exe file. Save it to your Desktop.
    2. Close all your programs and browsers.
    3. Please disable your antivirus program to avoid potential conflicts, improve the performance and speed up the scan.
    4. Double click on esetonlinescanner_enu.exe to start ESET Online Scanner. It will open a window with the Terms of Use.
  • Check mark Download latest version of ESET Online Scanner and click the Accept button.
  • Click Yes to accept any security warnings that may appear.
  • Under Computer scan settings, check mark Enable detection of potentially unwanted applications.
  • Then click Advanced settings and check mark the following options:
    • Enable detection of potentially unsafe applications
    • Clean threats automatically
  • Click the Scan button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats.
  • Click Export, and save the file to your Desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.


Note: If nothing is found, it will not produce a log.

Please re-enable your antivirus program.


Please post the contents of the ESET log (if it produced one) and let me know how the system is running now.

Thank you.

Rui


Hi again.  

 

Looks like the latest Scan found a few things.  Log attached.  

 

The computer seems to be operating much better.  The High Disk usage I was experiencing is much improved.  

To look at the point of concern of the original post, I ran Malwarebytes again and, whilst it found quite a few PUPs, there were no rootkits found, so I'm hoping that proves the original issue is resolved.

 

Thanks a million for all your help. If there's anything else I should do, please let me know.

 

 

 

ESETScan.txt


Hello GPlews.

 

GPlews said:

The computer seems to be operating much better.  The High Disk usage I was experiencing is much improved.

I'm glad to hear that! :)

 

Thank you for the ESET log. ESET found 3 infections and deleted them all.

 

Okay, please re-run Malwarebytes and perform a new threat scan.

If it finds something, make sure to check-mark all the items it found and quarantine them all.

Please attach the Malwarebytes log in your next reply.

 

Now, let's perform a scan with another tool to see if there are still some remnants left.

Please download Zemana AntiMalware and save it to your Desktop.

  • Right-click on the icon and select Run as administrator to install the program.
  • Click Yes to accept the security warning.
  • Once the installation is complete it will start automatically.
  • Without changing any options, press Scan to begin.
  • After the short scan is finished, if threats are detected press Next to remove them.
    Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please re-boot your computer manually.
  • Click on the Back button.
  • On the top right corner click on Reports icon (the one with three bars) and double click on the latest report.
  • Now click File > Save As, then choose your Desktop and click the Save button.
  • Please attach the saved report in your next reply.

 

Next, let's check for outdated applications and security programs.

Please download Security Analysis by Rocket Grannie from here

  • Save it to your Desktop.
  • Close your security software to avoid potential conflicts.
  • Double click RGSA.exe
  • Click OK on the copyright-disclaimer
  • When finished, a Notepad window will open with the results of the scan.
  • The log named SALog.txt can also be found on the Desktop or in the same folder from where the tool is run if installed elsewhere.
  • Please attach that log in your next reply.


Note: If you get a Warning from Windows about running the program, click on More info and then click Run Anyway to run it even though Windows says it might put your PC at risk.

 

Please attach the following logs in your next reply:

The Malwarebytes log;

The Zemana log;

The SALog.txt log file.

 

Thank you.

Rui


Hello GPlews.


Yes, this is good news. Your computer appears to be clean and free of malware.

Outdated programs contain security vulnerabilities that malware exploits in order to infect the computer without the user's knowledge. This is usually one of the main contributors to the infection of a computer.

Run a program like Personal Software Inspector (PSI) or FileHippo Update Checker to see what programs need to be updated.


Now you can delete the tools we used in the malware removal process.

Follow the instructions below to download and execute DelFix.

  • Download DelFix and move the executable to your Desktop;
  • Right-click on DelFix.exe and select Run as Administrator;
  • Check the following options:
    • Activate UAC (This option will activate the User Account Control feature).
    • Remove disinfection tools (this option will remove the tools used in the cleaning process).
    • Create registry backup (this option will create a backup from the Windows Registry).
    • Purge system restore (this option will remove all previous and possibly infected restore points, and will create a new and clean restore point of your system).
    • Reset system settings (this option will reset any system settings back to default that were changed either by us during cleansing or by malware infection).
  • Once the options mentioned above are checked, click on Run;
  • After DelFix is done running, a log will open. Please copy and paste the entire content of the output log in your next reply;


Are there any issues or concerns with your computer?

