Nasty Malware, MBAR won't work


Stanczyk


I see that there seem to have been a few system crashes; can you zip up and attach the following folder:

C:\WINDOWS\Minidump

I do not see any other possible malicious driver than the one you pointed out yourself. You have used a boot CD to remove two problem folders that were not giving up. Can you use that CD again and navigate to and remove the following:

C:\Windows\System32\drivers\terruxbe.sys

If you do manage to kill off that rootkit, boot back to normal Windows and run Malwarebytes, see what happens.....

Thank you,

Kevin....


minidump.zip

That first .dmp was created on Sept. 5th, which was the day I was infected. I noticed it because a number of the installation dates in my 'Installed Programs' list were changed to the 5th.

This file just disappeared:

C:\Windows\System32\drivers\terruxbe.sys

A different file named terknrux.sys was created. I can't copy it out of the folder or access it, so I'm assuming it's a rootkit driver to remove.


Did you see my reply regarding the dump files..?

I want you to run RogueKiller;

Download RogueKiller and save it on your desktop; ensure you download the correct version..

RogueKiller (X86)

RogueKiller (x64)
  • Exit all running applications.
  • Double-click on RogueKiller.exe to launch the tool. On its first execution, RogueKiller will display the software license (EULA); click on "Accept" to continue.
  • If RogueKiller is unable to load, do not hesitate to try launching it several times or rename it winlogon.
  • Click "Start Scan" to begin the analysis. This may take some time.
  • Once the scan is complete, click the "Open TXT" button to display the scan report.
  • Copy/Paste its content in your next reply. Do not use the delete function until I see the log...

Thank you,

Kevin


Yes, the 5th was the day it happened.


RogueKiller V12.11.16.0 (x64) [Sep 18 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 10 (10.0.15063) 64 bits version
Started in : Normal mode
User : List [Administrator]
Started from : C:\Users\List\Desktop\RogueKiller_portable64.exe
Mode : Scan -- Date : 09/21/2017 13:52:58 (Duration : 00:18:17)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 0 ¤¤¤

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 7 ¤¤¤
[PUP.Gen1][Folder] C:\ProgramData\Lavasoft\Web Companion -> Found
[PUP.OnlineIO|PUP.Gen1][Folder] D:\User\Roaming\AGData -> Found
[PUP.Gen1][Folder] D:\User\Roaming\Lavasoft\Web Companion -> Found
[PUP.OnlineIO|PUP.Gen1][File] D:\User\Roaming\Microsoft\Windows\Recent\AnonymizerGadget.zip.lnk [LNK@] D:\User\Roaming\AGData\bin\AnonymizerGadget.zip -> Found
[PUP.Gen1][Folder] C:\ProgramData\Lavasoft\Web Companion -> Found
[PUP.Gen1][Folder] C:\Program Files (x86)\Lavasoft\Web Companion -> Found
[PUP.Gen3][File] D:\User\Roaming\Mozilla\Firefox\Profiles\n0s9lrf3.default\searchplugins\bing-lavasoft.xml -> Found

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 3 ¤¤¤
[PUM.NewTab][Firefox:Config] n0s9lrf3.default : user_pref("browser.newtab.url", "http://www.bing.com/?pc=COSP&ptag=D090517-AD26CBEB7DD&form=CONMHP&conlogo=CT3335811"); -> Found
[PUM.SearchEngine][Firefox:Config] n0s9lrf3.default : user_pref("browser.search.selectedEngine", "Bing®"); -> Found
[PUM.SearchEngine][Firefox:Config] n0s9lrf3.default : user_pref("browser.search.defaultenginename", "Bing®"); -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST2000DM001-1ER164 +++++
--- User ---
[MBR] 17a740bb320244fa05e3e7336fcbc7a1
[BSP] ba176265c1b2b1c8672a03eb9056ea9f : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - Microsoft reserved partition | Offset (sectors): 34 | Size: 128 MB
1 - Basic data partition | Offset (sectors): 264192 | Size: 1907600 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: ADATA SP550 +++++
--- User ---
[MBR] a6729864f3bf3b3d9688323c0d9d3125
[BSP] 1f8717c2ec1f6bf742787dce0b009e4e : Empty MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 450 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 923648 | Size: 100 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1128448 | Size: 16 MB
3 - Basic data partition | Offset (sectors): 1161216 | Size: 113905 MB
User = LL1 ... OK
User = LL2 ... OK


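The RogueKiller report pasted above has a regular shape: a `¤¤¤ Section : count ¤¤¤` header followed by one `[Detection][Kind] detail -> Status` line per hit. When reviewing a log like this it helps to pull the hits out into structured records, check that the declared counts match the lines actually present, and separate the browser-setting hijacks (PUM.*) from the unwanted-program leftovers (PUP.*). The parser below is an added example written for this thread; it is not part of RogueKiller or Adlice's tooling, and the format it assumes is inferred only from the report shown here. The sample text is a constructed, shortened excerpt modelled on that report.

```python
"""Parse a RogueKiller text report into structured findings.

Added example: the line format is inferred from the report pasted in this
thread, not from any official Adlice specification (assumption).
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample, modelled on (and shortened from) the report above.
SAMPLE_REPORT = r"""RogueKiller V12.11.16.0 (x64) [Sep 18 2017] (Free) by Adlice Software

Operating System : Windows 10 (10.0.15063) 64 bits version
Mode : Scan -- Date : 09/21/2017 13:52:58 (Duration : 00:18:17)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Files : 3 ¤¤¤
[PUP.Gen1][Folder] C:\ProgramData\Lavasoft\Web Companion -> Found
[PUP.OnlineIO|PUP.Gen1][File] D:\User\Roaming\Microsoft\Windows\Recent\AnonymizerGadget.zip.lnk [LNK@] D:\User\Roaming\AGData\bin\AnonymizerGadget.zip -> Found
[PUP.Gen3][File] D:\User\Roaming\Mozilla\Firefox\Profiles\n0s9lrf3.default\searchplugins\bing-lavasoft.xml -> Found

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 2 ¤¤¤
[PUM.NewTab][Firefox:Config] n0s9lrf3.default : user_pref("browser.newtab.url", "http://www.bing.com/"); -> Found
[PUM.SearchEngine][Firefox:Config] n0s9lrf3.default : user_pref("browser.search.selectedEngine", "Bing®"); -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST2000DM001-1ER164 +++++
[MBR] 17a740bb320244fa05e3e7336fcbc7a1
"""

# Section header, e.g. "¤¤¤ Files : 7 ¤¤¤" or "¤¤¤ MBR Check : ¤¤¤" (no count).
SECTION_RE = re.compile(r"^¤¤¤ (?P<name>.+?) :(?: (?P<count>\d+))?(?P<extra>.*?) ¤¤¤$")
# Finding line, e.g. "[PUP.Gen1][Folder] C:\path -> Found".
ENTRY_RE = re.compile(r"^\[(?P<labels>[^\]]+)\]\[(?P<kind>[^\]]+)\] (?P<detail>.*?) -> (?P<status>\w+)$")
# Firefox preference inside a Web browsers finding.
PREF_RE = re.compile(r'user_pref\("([^"]+)", "([^"]*)"\)')


@dataclass
class Finding:
    labels: tuple          # detection names, e.g. ("PUP.OnlineIO", "PUP.Gen1")
    kind: str              # Folder, File, Firefox:Config, ...
    detail: str            # path or setting the line refers to
    status: str            # Found, Deleted, ...


@dataclass
class Section:
    name: str
    declared: Optional[int]            # count printed in the header, if any
    findings: list = field(default_factory=list)


def parse_report(text):
    """Return {section name: Section}; lines that are neither a header nor a
    finding (MBR hashes, partition tables, banner text) are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            count = m.group("count")
            current = Section(m.group("name"), int(count) if count is not None else None)
            sections[current.name] = current
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            current.findings.append(Finding(tuple(m.group("labels").split("|")),
                                            m.group("kind"), m.group("detail"),
                                            m.group("status")))
    return sections


def families(sections):
    """Count findings per detection family (PUP, PUM, ...), once per finding."""
    counts = Counter()
    for sec in sections.values():
        for f in sec.findings:
            for fam in {label.split(".", 1)[0] for label in f.labels}:
                counts[fam] += 1
    return dict(counts)


def count_mismatches(sections):
    """Sections whose header count disagrees with the lines parsed under it,
    a cheap sanity check that the paste was complete and parsed cleanly."""
    return [(s.name, s.declared, len(s.findings)) for s in sections.values()
            if s.declared is not None and s.declared != len(s.findings)]


def browser_prefs(sections):
    """(pref name, value) pairs from the Web browsers section, so the
    hijacked new-tab and search settings can be reviewed at a glance."""
    out = []
    for f in sections.get("Web browsers", Section("Web browsers", None)).findings:
        m = PREF_RE.search(f.detail)
        if m:
            out.append((m.group(1), m.group(2)))
    return out


if __name__ == "__main__":
    secs = parse_report(SAMPLE_REPORT)
    for name, sec in secs.items():
        print(f"{name}: declared={sec.declared} parsed={len(sec.findings)}")
    print("by family:", families(secs))
    print("count mismatches:", count_mismatches(secs))
    print("browser prefs:", browser_prefs(secs))
```

Run against a full pasted report, `count_mismatches` returning anything non-empty usually means a truncated paste or a line the regex did not recognise; the PUM entries surfaced by `browser_prefs` are the Firefox settings that the Lavasoft Web Companion leftovers redirected to Bing.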

To clean up do the following:

MBAR, Tweaking.com, BlitzBlank and RogueKiller are portable, Delete them from desktop or the folder you ran them from...

For ESET, delete the esetonlinescanner directory from the following location: %userprofile%\appdata\local\eset

RogueKiller will have created a folder, that needs deleting from here: C:\ProgramData\RogueKiller

Uninstall Sophos AV http://www.askvg.com/how-to-completely-uninstall-remove-a-software-program-in-windows-without-using-3rd-party-software/

Next,

Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

If your security program alerts to Delfix, either accept the alert or turn your security off.

Double-click to start the program. If you are using Vista or higher, please right-click and choose "Run as administrator".

Make Sure the following items are checked:

  • Remove disinfection tools <----- this will remove tools we may have used.
  • Purge System Restore <--- this will remove all previous and possibly exploited restore points; a new point relative to system status at present will be created.
  • Reset system settings <--- this will reset any system settings back to default that were changed either by us during cleansing or by malware/infection.

Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted…

Next,

Read the following links to fully understand PC Security and Best Practices; you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin...

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!

This topic is now closed to further replies.