rootkit infection

[mommysews]

Good afternoon!

Our daughter began having problems yesterday afternoon after visiting several websites - "Pottermore", "Slice TV" and something she says was about baseball training tips (helpful, eh?).

She is running just the basic Acer AspireOne netbook.

The problem began with one of those "your system is infected" pop-ups. She says that she tried to close by "x" each time, but that the pop-ups continued. I ran her Avira, and MBAM and SAS. MBAM identified 2 rootkits and 2 Trojans (.small?). Avira said it was blocking an unidentified program with each reboot. After several runs, it seemed that 2 of the problems were removed (or at least didn't appear in the logs anymore).

Today I did the download, update & run of all the steps in the Read Me & Run First section.
I disconnected from the internet while I ran the scans.
Logs are attached in the next message.
Only Root Repeal would not run. I will also attach those crash logs.

Now, upon reconnecting to the internet, I have had an attempted site redirect blocked by Firefox on each page I opened to get here. There may also have been an automatic opening of IE as well (although I may have inadvertently hit that myself). I shut down IE immediately.

Although the logs may not show an AntiVirus, she is running an updated Avira. I tried deleting it when I couldn't get it to shut down completely for ComboFix to run. I ran two ComboFix sessions - one with Avira still hanging on and one with it uninstalled. I'll include the one with Avira uninstalled, but I do have both, if needed.
Avira was reinstalled & undated after finishing the scans.

Thanks for any help that you can offer!

[mommysews]

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/08/2012 at 01:01 PM

Application Version : 5.0.1150

Core Rules Database Version : 8704
Trace Rules Database Version: 6516

Scan type : Complete Scan
Total Scan Time : 00:59:39

Operating System Information
Windows 7 Starter 32-bit, Service Pack 1 (Build 6.01.7601)
UAC Off - Administrator

Memory items scanned : 777
Memory threats detected : 0
Registry items scanned : 33663
Registry threats detected : 0
File items scanned : 34333
File threats detected : 0



Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.07.05

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Hannah :: HANNAH-PC [administrator]

07/06/2012 10:22:30 PM
mbam-log-2012-06-07 (22-22-30).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 258933
Time elapsed: 1 hour(s), 55 minute(s),

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Users\Hannah\AppData\Local\{a30b859a-d19c-9a07-acf9-ad0b61c72d38}\n (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Windows\Installer\{a30b859a-d19c-9a07-acf9-ad0b61c72d38}\U\00000001.@ (Trojan.Small) -> Quarantined and deleted successfully.

(end)

[mommysews]

ROOTREPEAL CRASH REPORT
-------------------------
Windows Version: Windows Vista SP1
Exception Code: 0xc0000005
Exception Address: 0x00429d13
Attempt to write to address: 0x0130a000

ROOTREPEAL CRASH REPORT
-------------------------
Windows Version: Windows Vista SP1
Exception Code: 0xc0000005
Exception Address: 0x778e63f8
Attempt to read from address: 0xbdd70977

[Kestrel13!]

You need to take a look at this.

HOW TO: Attach Items To Your Post

Please attach logs do not post inline!

I want you to run TDSSKiller so refer to the below for how to do so.

TDSSkiller - How to run


Please also download MBRCheck to your desktop

• Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
• It will show a Black screen with some information that will contain either the below line if no problem is found:
  • Done! Press ENTER to exit...
• Or you will see more information like below if a problem is found:
  • Found non-standard or infected MBR.
  • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
• Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
• MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.

[mommysews]

Thank you Kestrel13!

I have attached the scans as directed. I do hope that I have done them correctly this time.

I will wait to hear back from you.

[Kestrel13!]

Before we continue I would like for you to use MSConfig to put this machine back into normal start up mode, if you haven't done so already.

Please follow these instructions.

Proxy Server - Changing Settings



Could you please get this: secret.sys into a zipped file and attach it for me in your next post? To do this, see the below:

Please go to start > Run and paste in the following:

Quote:

%systemdrive%\MGTools\zip "%systemdrive%\collect.zip" C:\Windows\System32\drivers\secret.sys

log retrievable @ C:\collect.zip



Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

[mommysews]

Thanks again Kestrel13!

The machine was in normal startup. I did confirm this and did reboot (just to be sure).

I checked and neither IE or Firefox were running through Proxy servers.

I zipped the file "secret.sys". It is attached. As I was doing this, I remembered that I tried renaming Root Repeal when it wouldn't run the first time to see if that would help. I think that I renamed it "secret" and then deleted that version when it wouldn't run either. I wonder if this is what the file may be. Whoops, sorry.

I ran the MGTools\GetLogs.bat file as admin. Log is attached.
I did get notice from Avira that it denied access to the host file (??). Should I disable Avira and run it again?

Thank you. I will await your reply most patiently. Your help is most appreciated.

[Kestrel13!]

Does the C:\Windows\System32\drivers\secret.sys file seem familiar to you? I am going to go for it's deletion in the next step if you do not know what it relates to. Can you navigate to the file, and right click it to check it's properties at all?

[mommysews]

Hello again Kestrel13!

I am so sorry that I have taken so long to respond. I just realized that majorgeeks.com emails me of an update to the thread at 12:02 each day - not actually when a post is made. I was curious as to why I always heard back from you at exactly 12:02 (midnight). I will watch the website directly from now on so that we may get this silly mess resolved more expediently.

Anyway ... I just located and deleted the file at:
C:\Windows\System32\drivers\secret.sys
I then ran Piriform's CleanUp (my favourite utility) and rebooted. Hopefully this was the correct way to remove it. When I checked the properties on the file, it appeared that it was created at the same time that I was downloading and extracting RootRepeal (that would not run). I do remember attempting a re-name of RootRepeal, so that is most likely what the file secret.sys was. There shouldn't have been anything else that loaded at that time.

I am not noticing that it has made any difference at all.
Were the other logs okay?
Weird.

Is there anything else that I should do?

Thanks again for your help and patience.

[Kestrel13!]

• Scan with Malware Bytes again and attach the new log.
• Perform a full system scan with avira and let me know of the results.

[mommysews]

Hi again,

Oh shootI just did the scans and ran a quick Avira, not a full one. Okay, I will attach those logs and then run a full Avira scan - those seem to take forever (2 hours). I will post that as soon as it is done.

It seems that I only get the Firefox auto re-direct block when I try and come to or change pages within Majorgeeks. Weird.

Thanks again. |More later.

[Kestrel13!]

Quote:

Now, upon reconnecting to the internet, I have had an attempted site redirect blocked by Firefox on each page I opened to get here. There may also have been an automatic opening of IE as well (although I may have inadvertently hit that myself). I shut down IE immediately.

Go to Firefox/Tools > Options > Advanced > General > Accessibility > "Warn me when web sites try to redirect or reload the page" <--- Uncheck this!