Malwarebytes (2.2.1.1043) finds 7 rootkit drivers:

    C:\WINDOWS\SYSTEM32\drivers\afd.sys
    C:\WINDOWS\SYSTEM32\drivers\appid.sys
    C:\WINDOWS\SYSTEM32\drivers\exfat.sys
    C:\WINDOWS\SYSTEM32\drivers\fastfat.sys
    C:\WINDOWS\SYSTEM32\drivers\srv.sys
    C:\WINDOWS\SYSTEM32\drivers\srv2.sys
    C:\WINDOWS\SYSTEM32\drivers\srvnet.sys

FIXing the problem deletes the rootkits UNTIL a reboot and then they return?

As per FAQs the A/V, Windows update and other programs are functioning normally. I have also run Malwarebytes Anti-Rootkit 1.09.3.1001 with the same result.

Thanks for the help.

Rick

FRST.txt

Addition.txt


  • Root Admin

Hello @Ricks_Radio and welcome!

Please restart the computer first and then run the following steps and post back the logs when ready.

STEP 01
Please download Junkware Removal Tool to your desktop.

  • Shut down your antivirus to avoid any conflicts.
  • Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message
  • When completed make sure to re-enable your antivirus

STEP 02
Fix with AdwCleaner

Please download AdwCleaner by Xplode and save the file to your Desktop.

  • Right-click on the AdwCleaner icon and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan.
  • When finished, please click Clean.
  • Your PC should reboot now.
  • After the reboot, a logfile will open. Copy its content into your next reply.

Note: Reports will be saved in your system partition, usually at C:\Adwcleaner

STEP 03
Download Sophos Free Virus Removal Tool and save it to your desktop.

  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View Log file (bottom left-hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found, please confirm that result.

STEP 04
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure whether your computer is 32-bit or 64-bit.

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here.
  • Please attach the Addition.txt log to your reply as well.

 

Thanks

Thanks AdvancedSetup. Here's the info you requested:

1) JRT.txt

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.3 (04.10.2017)
Operating System: Windows 7 Professional x64
Ran by Rick Williams (Administrator) on 01/06/2017 at 10:25:44.08
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

File System: 34

Successfully deleted: C:\ProgramData\productdata (Folder)
Successfully deleted: C:\Users\Rick Williams\AppData\Local\Google\Chrome\User Data\Default\Extensions\dpjamkmjmigaoobjbekmfgabipmfilij (Folder)
Successfully deleted: C:\Users\Rick Williams\AppData\Roaming\getrighttogo (Folder)
Successfully deleted: C:\Users\Rick Williams\AppData\Roaming\productdata (Folder)
Successfully deleted: C:\Windows\system32\Tasks\Uninstaller_SkipUac_Administrator (Task)
Successfully deleted: C:\Windows\system32\Tasks\Uninstaller_SkipUac_Rick_Williams (Task)
Successfully deleted: C:\Windows\wininit.ini (File)
Successfully deleted: C:\Program Files (x86)\myfree codec (Folder)
Successfully deleted: C:\Users\Rick Williams\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Rick Williams\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4TQFQEKY (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Rick Williams\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Rick Williams\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6V3EYKIO (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Rick Williams\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9B4L1OEW (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Rick Williams\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Rick Williams\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Rick Williams\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LWRRY7TY (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Rick Williams\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M1R7CC2S (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Rick Williams\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NJNDIK3J (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Rick Williams\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RE1GXF4V (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Rick Williams\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TZF88P63 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Rick Williams\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XGEJT8TH (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4TQFQEKY (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6V3EYKIO (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9B4L1OEW (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LWRRY7TY (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M1R7CC2S (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NJNDIK3J (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RE1GXF4V (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TZF88P63 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XGEJT8TH (Temporary Internet Files Folder)

Registry: 0

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 01/06/2017 at 10:41:53.35
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

2) AdwCleaner

# AdwCleaner v6.047 - Logfile created 01/06/2017 at 10:47:29
# Updated on 19/05/2017 by Malwarebytes
# Database : 2017-05-31.2 [Server]
# Operating System : Windows 7 Professional Service Pack 1 (X64)
# Username : Rick Williams - RICK
# Running from : C:\Users\Rick Williams\Desktop\Rootkit Tools\AdwCleaner.exe
# Mode: Clean
# Support : https://www.malwarebytes.com/support

***** [ Services ] *****

***** [ Folders ] *****

[-] Folder deleted: C:\Users\Rick Williams\AppData\LocalLow\IObit\Advanced SystemCare
[-] Folder deleted: C:\Users\Rick Williams\AppData\Roaming\IObit\Advanced SystemCare
[-] Folder deleted: C:\ProgramData\IObit\ASCDownloader
[-] Folder deleted: C:\ProgramData\IObit\Advanced SystemCare
[-] Folder deleted: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\myfree codec
[-] Folder deleted: C:\Program Files (x86)\GreenTree Applications
[-] Folder deleted: C:\Program Files (x86)\Common Files\IObit\Advanced SystemCare

***** [ Files ] *****

***** [ DLL ] *****

***** [ WMI ] *****

***** [ Shortcuts ] *****

***** [ Scheduled Tasks ] *****

***** [ Registry ] *****

[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{5C3B5DAA-0AFF-4808-90FB-0F2F2D760E36}
[-] Key deleted: HKU\.DEFAULT\Software\InstalledBrowserExtensions
[-] Key deleted: HKU\S-1-5-21-2730619955-3315783054-1672880111-1000\Software\Myfree Codec
[-] Key deleted: HKU\S-1-5-21-2730619955-3315783054-1672880111-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall\MyFreeCodec
[#] Key deleted on reboot: HKU\S-1-5-18\Software\InstalledBrowserExtensions
[#] Key deleted on reboot: HKCU\Software\Myfree Codec
[-] Key deleted: HKLM\SOFTWARE\Myfree Codec
[-] Key deleted: HKLM\SOFTWARE\IOBIT\ASC
[#] Key deleted on reboot: HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\MyFreeCodec
[#] Key deleted on reboot: [x64] HKCU\Software\Myfree Codec
[#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\MyFreeCodec

***** [ Web browsers ] *****

*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [2167 Bytes] - [01/06/2017 10:47:29]
C:\AdwCleaner\AdwCleaner[S1].txt - [2790 Bytes] - [22/05/2016 09:46:22]
C:\AdwCleaner\AdwCleaner[S2].txt - [2863 Bytes] - [22/05/2016 10:03:56]
C:\AdwCleaner\AdwCleaner[S3].txt - [2506 Bytes] - [01/06/2017 10:46:10]

########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [2459 Bytes] ##########

3) Sophos Free Virus Removal Tool

Output of this software was -- "Your computer is clean"

4) Farbar: requested files attached.

Thanks again.

Rick

FRST.txt

Addition.txt

As requested.

Thanks for the help,

Rick

----------------------------------------------------------------------

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 01/06/2017
Scan Time: 16:26
Logfile: ThreatScan.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2017.06.01.06
Rootkit Database: v2017.05.27.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Rick Williams

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 391350
Time Elapsed: 38 min, 50 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)
Unknown.Rootkit.Driver, C:\WINDOWS\SYSTEM32\drivers\afd.sys, , [9a4a1eee802bf2f878ee8eab407b21b7],
Unknown.Rootkit.Driver, C:\WINDOWS\SYSTEM32\drivers\appid.sys, , [f165140efe85e7767a80baa234d05a4c],
Unknown.Rootkit.Driver, C:\WINDOWS\SYSTEM32\drivers\exfat.sys, , [a510c654ec00c1e9bdd91eeb3a59823b],
Unknown.Rootkit.Driver, C:\WINDOWS\SYSTEM32\drivers\fastfat.sys, , [0adc83218b66a6db380c330836f3e36d],
Unknown.Rootkit.Driver, C:\WINDOWS\SYSTEM32\drivers\srv.sys, , [eb15c46477eb84b6b520871ed5936ccf],
Unknown.Rootkit.Driver, C:\WINDOWS\SYSTEM32\drivers\srv2.sys, , [7f4fdc9528bce6fb919615b6a77d5724],
Unknown.Rootkit.Driver, C:\WINDOWS\SYSTEM32\drivers\srvnet.sys, , [3f20cd2a11872284bd667dad6d4801cc],

Physical Sectors: 0
(No malicious items detected)

(end)

  • Root Admin

Thanks, let me have you run the following, please.

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST or FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

Thanks

  • Root Admin

The "replace on reboot" result typically means the files are locked and it will take a reboot to remove them.

Let's run a couple of other scans and see what they find. Maybe we're just being blocked by something and it's creating a false positive.

Please download the following scanner from Kaspersky and save it to your computer: TDSSkiller

Then watch the following video on how to use the tool and make sure to temporarily disable your security applications before running TDSSkiller.

PC Winvids - How to run Kaspersky TDSSKiller

If any infection is found please make sure to choose SKIP and post back the log in case of a False Positive detection.

Once the tool has completed scanning make sure to re-enable your other security applications.

After that, run this other Kaspersky tool. I'll check back on you again late tomorrow night if I get time.

Please download and run the following tool to remove any found threats:

Kaspersky Virus Removal Tool

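Triage a practitioner would run before trusting either verdict, as an added example that is not code from the thread or from Malwarebytes: for the seven driver paths quoted in the first post, it reads each file's version resource and Authenticode signature and has the built-in sfc.exe verify the file against the Windows component store. It assumes an elevated PowerShell prompt on the affected Windows 7 system and an English Windows install (the regex matches sfc's English message).

```powershell
# Added triage example (not from the thread or from Malwarebytes): are the seven
# drivers flagged as Unknown.Rootkit.Driver still the protected Windows files?
# Run from an elevated PowerShell prompt on the affected Windows 7 machine.

# File names exactly as listed in the first post; the folder is the standard driver store.
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'
$flagged   = 'afd.sys','appid.sys','exfat.sys','fastfat.sys','srv.sys','srv2.sys','srvnet.sys'

$report = foreach ($name in $flagged) {
    $path = Join-Path $driverDir $name
    if (-not (Test-Path -LiteralPath $path)) {
        New-Object PSObject -Property @{ File = $name; Present = $false }
        continue
    }

    # Embedded Authenticode signature. Windows components are usually catalog-signed,
    # so 'NotSigned' here is not by itself evidence of tampering on Windows 7.
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $item = Get-Item -LiteralPath $path
    $ver  = $item.VersionInfo

    # sfc /verifyfile compares the file with the protected copy in the component store.
    # sfc writes UTF-16 to the console, so the captured text is cleaned of NUL characters
    # before matching its English "no integrity violations" message.
    $sfcOut = (& "$env:SystemRoot\System32\sfc.exe" "/verifyfile=$path" 2>&1 | Out-String) -replace "`0", ''
    $sfcOk  = $sfcOut -match 'did not find any integrity violations'

    New-Object PSObject -Property @{
        File        = $name
        Present     = $true
        Signature   = $sig.Status
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        Company     = $ver.CompanyName
        Version     = $ver.FileVersion
        SfcVerified = $sfcOk
        LastWrite   = $item.LastWriteTime
    }
}

# A non-Microsoft company or signer, a failed sfc check, or a LastWrite newer than the
# last Windows Update deserves a closer look; clean rows for all seven support the
# false-positive theory raised above.
$report | Format-Table File, Present, Signature, Company, Version, SfcVerified, LastWrite -AutoSize
```

Because Get-AuthenticodeSignature on Windows 7 does not consult catalog files, a Microsoft driver that shows NotSigned but passes sfc is consistent with a false positive, whereas a failed sfc check or an unexpected signer is what would back the scanner's verdict.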

  • 2 months later...
  • Root Admin

We're sorry. It looks like your topic was somehow overlooked. Due to the length of time we'll go ahead and close this topic now, but if you still actually need help please send a private message to one of the Moderators and we'll assist you. Thank you and sorry we missed your topic.

This topic is now closed to further replies.