rootkit.0access & google redirection

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by raycyrx, Feb 22, 2012.

  1. raycyrx

    raycyrx Private E-2

    I had previously been using AVG and Malwarebytes to keep a clean system. About three weeks ago I started having problems. I actually thought it was Google that was having the problem. When I started getting LOTS of AVG threat detections and system lock ups, I knew I had to dig deeper.

    Followed the instructions in READ ME. Downloaded everything successfully. Uninstalled Malwarebytes to prep for mb.exe, and used the AVG removal tool.

    Attached is SuperAntiSpyware log and Malwarebytes log.
     

    Attached Files:

  2. raycyrx

    raycyrx Private E-2

    As I said, I used the AVG removal tool and then proceeded to do the combofix.
    Following the advice I tried to shut down the Windows firewall, but I got errors. I then tried to run combofix, rootrepeal and MGtools. None seemed successful.

    Attached is a Word doc that shows screenshots of some of the issues.

    I still get redirected in Google, and I was still getting AVG threat detections until I removed AVG.
     

    Attached Files:

    Last edited: Feb 22, 2012
  3. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks, raycyrx!

    I want you to read and follow these instructions: TDSSKiller - How to run

    Please download RogueKiller to your desktop.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    When it is finished, there will be a log on your desktop called: RKreport[1].txt
    Attach RKreport[1].txt to your next message. (How to attach)
     
  4. raycyrx

    raycyrx Private E-2

    TDSSkiller and RogueKiller run.
    Logs attached.
     

    Attached Files:

  5. thisisu

    thisisu Malware Consultant

    Ok, good, that removed a couple of different rootkits.

    Here is what is next:

    Re-scan with TDSSKiller with the parameters you used before.
    This time if TDSS File System appears, delete it!
    Then attach the latest TDSSKiller log. (How to attach)

    Open RogueKiller again.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and find: C:\Users\Ken\AppData\Local\Temp\\setup2683256136.exe
    Place a checkmark in this box, leave the others unchecked.
    Now press the Delete button.
    After you've pressed the Delete button, also press the ProxyFix button.
    When it is finished, there will be two new logs on your desktop called: RKreport[3].txt, and RKreport[4].txt
    Attach RKreport[3].txt and RKreport[4].txt to your next message. (How to attach)

    Now download a NEW copy of ComboFix from here.
    Save it to your desktop and try to run it.
    Attach the log (C:\ComboFix.txt) when it is finished. (How to attach)
     
  6. raycyrx

    raycyrx Private E-2

    I followed the instructions.
    TDSSKiller and RogueKiller seemed to work just fine.

    I downloaded from your link ComboFix and ran it.
    In spite of having previously used the AVG removal tool, ComboFix found AVG running and supplied a message box telling me to close it down or damage may occur. I opened up the process monitoring program I use (made by Systemics I think) and found nothing AVG related running. The ComboFix message window only had an OK button so I clicked it. Another message window came up saying that AVG was still running and that I had been warned damage may occur. Again, only an OK button, no way to escape out, so I clicked the upper right hand corner X to close the message without okaying it, and ComboFix continued with its process.

    It made a System Restore point and began a scan that said it could take 10 minutes or double depending on the extent of infection. 20 minutes later a message window opened saying that XCALCS was having trouble running. It had a close program button only. Several hours later (I fell asleep) I clicked close program and ComboFix continued.

    I fell asleep again and woke up to see the computer was rebooting. When it came to the logon screen I didn't touch anything thinking that ComboFix may have a reboot cycle (or several) built into it. The logon screen disappeared and it went into a reboot again. After several of these cycles, I tried my login when that appeared. When I entered it, it gave me a message saying that something was damaged and it rebooted. It did not tell me my password was invalid. I tried that one more time and noticed this time that prior to entering the password, the mouse functioned normally, and I used it to click on the enter arrow of the Windows login. The result was the same (including mouse lock up).

    I unplugged the machine and removed the battery to stop the cycle, and went back to sleep.

    This morning I tried a boot up, and it started a Windows Startup Recovery cycle. When it got to the point of asking me if I wanted to run System Restore, I clicked cancel. It then told me that Windows Startup Recovery could not be canceled (even though all I cancelled was the option to run System Restore). Windows Startup Recovery continued to spool, so I held the power button down to force a shut off.

    That's the last I left it.
    Obviously, I can't post the logs since I can't get into Windows (7 btw).
     
  7. thisisu

    thisisu Malware Consultant

    Are you able to tap the F8 key when the computer is attempting to boot and go into the Advanced Boot Options Menu?

    You will see a list like the below:

    (screenshot of the Advanced Boot Options menu)

    Can you choose "Disable automatic restart on system failure"?

    Let me know exactly what happens when you do this.
     
  8. raycyrx

    raycyrx Private E-2

    I only get two options:
    Start Windows Normally
    Launch Startup Repair (recommended)
     
  9. thisisu

    thisisu Malware Consultant

    Try again. Remember to press the F8 key continuously whenever the system is booting - right AFTER the ACER splash screen.
     
  10. raycyrx

    raycyrx Private E-2

    Holding down the F8 key allowed me to disable auto restart on system failure. I got into Windows and received an error message that said the Recycle Bin on C:\ was corrupted and do I want to empty it?
     
  11. thisisu

    thisisu Malware Consultant

    Yes.

    Then attach the logs requested earlier.

    Also let me know what malware related problems you are still experiencing.
     
  12. raycyrx

    raycyrx Private E-2

    Logged in to Windows using "Disable restart..."
    Emptied recycle bin.
    Just got Windows Explorer open to see that I had RKreport[3].txt and RKreport[4].txt on my desktop as the latest files. The computer then restarted on me.

    Same thing on retry.
     
  13. thisisu

    thisisu Malware Consultant

    You may be having a hardware related problem as well.

    Try booting into Safe Mode with Networking and let me know if the system still reboots on its own.

    You should be able to attach the logs while in Safe Mode with Networking if the system does not restart.
     
  14. raycyrx

    raycyrx Private E-2

    RKreport[3].txt and RKreport[4].txt
     

    Attached Files:

  15. thisisu

    thisisu Malware Consultant

  16. raycyrx

    raycyrx Private E-2

    No combofix log at the C:\ root.
    Here is TDSSkiller log
     

    Attached Files:

  17. raycyrx

    raycyrx Private E-2

    Done
     

    Attached Files:

  18. thisisu

    thisisu Malware Consultant

    The file I need is c:\MGlogs.zip
     
  19. thisisu

    thisisu Malware Consultant

    Since you also appear to be infected with the latest variant of ZeroAccess, I'd like you to also scan with this:

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Double click on the OTL icon on your desktop. (Vista/7 right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the [​IMG] text-field.
      Code:
      activex
      netsvcs
      /md5start
      afd.sys
      netbt.sys
      nsiproxy.sys
      svchost.exe
      tcpip.sys
      tdx.sys
      /md5stop
      %windir%\system32\*.dll /30
      %windir%\system32\*.dll /lockedfiles
      %windir%\system32\drivers\*.sys /lockedfiles
      %windir%\*.* /mp
      %windir%\*.* /rp
      %windir%\*.* /sl
      %systemdrive%\mgtools\*.*
      
    • Now click the [​IMG] button.
    • Two reports will be created:
      • OTL.txt <-- Will be opened
      • Extra.txt <-- Will be minimized
    • Attach OTL.txt to your next message. (How to attach)
     
  20. raycyrx

    raycyrx Private E-2

    c:\MGlogs.zip doesn't exist.
    Downloading OTL now.
     
  21. raycyrx

    raycyrx Private E-2

    OTL.txt was too big to upload, so I zipped it.
     

    Attached Files:

  22. thisisu

    thisisu Malware Consultant

    From Programs and Features (via Control Panel), please uninstall the below:
    • Java(TM) 6 Update 22

    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now open Repair_Windows.exe
    • Go to Start Repairs tab.
    • Choose "Custom Mode" and press "Start".
    • Create a System Restore point if prompted.
    • In the Custom Mode window, select the following repair options:
      • Reset Registry Permissions
      • Repair WMI
      • Repair Windows Firewall
      • Remove Policies Set By Infections
      • Repair Winsock & DNS Cache
      • Repair Proxy Settings
      • Unhide Non System Files
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • If asked to reboot the computer for the changes to take effect, make sure other tasks in the program are not still running before accepting to restart.

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the [​IMG] text-field.
    Code:
    :otl
    SRV - [2009/07/13 20:14:41 | 000,005,632 | ---- | M] (Oak Technology Inc.) [Auto | Stopped] -- C:\Windows\System32\a016mdfl.dll -- (bufserv)
    NetSvcs: bufserv - C:\Windows\System32\a016mdfl.dll (Oak Technology Inc.)
    [2009/07/13 18:19:28 | 000,005,632 | ---- | C] (Oak Technology Inc.) -- C:\windows\System32\a016mdfl.dll
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG2012\Firefox4\
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\avgthb@avg.com: C:\Program Files\AVG\AVG2012\Thunderbird\
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
    O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
    [2012/02/21 19:24:30 | 000,000,000 | ---D | C] -- C:\Users\Ken\AppData\Local\{8C78E68E-6AAC-4B27-B6CD-8FC56D3C10D1}
    [2011/06/12 07:00:53 | 000,009,110 | -HS- | C] () -- C:\Users\Ken\AppData\Local\80b8pg205i3703f7k01v8p6t64t7nml47ly
    [2011/06/12 07:00:53 | 000,001,324 | -HS- | C] () -- C:\ProgramData\80b8pg205i3703f7k01v8p6t64t7nml47ly
    @Alternate Data Stream - 16 bytes -> C:\Users\Ken\Downloads:Shareaza.GUID
    :files
    xcopy /h/i/s/y "%temp%\smtmp\1" "%programdata%\start menu" /c
    xcopy /h/i/s/y "%temp%\smtmp\2" "%appdata%\microsoft\internet explorer\quick launch" /c
    xcopy /h/i/s/y "%temp%\smtmp\3" "%appdata%\microsoft\internet explorer\quick launch\user pinned\taskbar" /c
    xcopy /h/i/s/y "%temp%\smtmp\4" "%programdata%\desktop" /c
    :commands
    [emptytemp]
    [resethosts]
    
    Now click the [​IMG] button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)
     
    Last edited: Feb 25, 2012
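    The OTL fix above resets the hosts file ([resethosts]) and, together with RogueKiller's ProxyFix and the Windows Repair "Repair Winsock & DNS Cache" / "Repair Proxy Settings" items, covers the places where a search-redirect hijack usually lives. The following read-only PowerShell triage script is an added example for this thread; it is not part of the original post and is not code from the OTL, RogueKiller or Tweaking.com authors. It assumes a Windows 7-era PowerShell (2.0 or later), an elevated prompt, and the default hosts-file location; it changes nothing and only lists what it finds so the entries can be compared against what the router, ISP or chosen DNS provider should be handing out.

```powershell
# Added example (not from the thread or the tool authors): read-only check of the
# settings a search-redirect infection typically tampers with. Run elevated.
$findings = @()

# 1. hosts file: report anything that is not a comment or the stock loopback entries.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hostsPath -ErrorAction SilentlyContinue | ForEach-Object {
    $line = $_.Trim()
    if ($line -eq '' -or $line.StartsWith('#')) { return }
    if ($line -notmatch '^(127\.0\.0\.1|::1)\s+localhost$') {
        $findings += "hosts entry: $line"
    }
}

# 2. WinINET proxy settings (the values RogueKiller's ProxyFix resets).
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$p = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
if ($p.ProxyEnable -eq 1) { $findings += "proxy enabled: $($p.ProxyServer)" }
if ($p.AutoConfigURL)     { $findings += "PAC script configured: $($p.AutoConfigURL)" }

# 3. DNS servers on every IP-enabled adapter. Get-WmiObject is used rather than the
#    newer Get-DnsClientServerAddress so the script also runs on Windows 7.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
    if ($_.DNSServerSearchOrder) {
        $findings += "DNS on $($_.Description): $($_.DNSServerSearchOrder -join ', ')"
    }
}

# 4. Winsock catalog: a malicious LSP shows up here as an unfamiliar provider DLL.
netsh winsock show catalog | Select-String 'Provider Path' | ForEach-Object {
    $findings += "LSP: $($_.Line.Trim())"
}

if ($findings.Count -eq 0) { 'No redirect-related settings found.' } else { $findings }
```

    The output is meant to be read, not acted on automatically: a DNS entry for a home router or a provider you chose on purpose (Comodo Secure DNS comes up later in this thread) is expected, whereas a hosts entry for a search engine, an unexplained PAC script, or a provider DLL you cannot account for is what the tools above were run to remove.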
  23. raycyrx

    raycyrx Private E-2

    Java would not uninstall.
    I did not proceed to run Windows repair since it indicated the system should be clean first.
     

    Attached Files:

  24. thisisu

    thisisu Malware Consultant

    That's because you're in some sort of Safe Mode where Windows installer isn't automatically started. You can skip this step for now if Normal Windows is rebooting automatically.
    In your case, you need to proceed anyways. Remember to only check the items I have listed.
     
  25. raycyrx

    raycyrx Private E-2

    Proceeding to run Windows Repair.
    Should I run OTL also?
     
  26. thisisu

    thisisu Malware Consultant

    Yes :)

    The OTL fix should address MOST of your malware related problems. Hopefully after that it is just a matter of fixing the residual OS damage caused by the rootkit e.g. Windows Firewall.
     
  27. raycyrx

    raycyrx Private E-2

    OTL log attached. It did not date itself... it wrote over the previous file.

    I also tried to boot with the auto restart disabled in order to uninstall Java, and it was still rebooting before any work could be done.
     

    Attached Files:

    • OTL.Txt (216.5 KB)
  28. thisisu

    thisisu Malware Consultant

    This is an OTL scan log. I need the OTL fix log. You have not run the fix yet according to this log. Reread the OTL fix instructions at post #22.
     
  29. raycyrx

    raycyrx Private E-2

    Whoops... sorry about that.
    I clearly didn't read closely enough.

    Here is the OTL fix log.

    I also was able to log in using Disable Restart mode, and so far, so good (10 minutes). So I ran the uninstall of Java. It seems to be gone (it's gone from the uninstall list), but I got the attached error during the process.
     

    Attached Files:

  30. thisisu

    thisisu Malware Consultant

    We'll worry about this later. We still need to check for malware.

    I'd like you to rescan with TDSSKiller and attach its latest log. (How to attach)

    I would also like you to download a new copy of ComboFix.
    Save it to your desktop. Delete the old copy first as you may not be able to overwrite it.

    Then try running ComboFix using these instructions:

    1. Press the Windows Logo in the bottom left corner of your screen.
    2. In the [​IMG] box, enter ComboFix /nombr and press Enter.
    If it runs this time, attach c:\ComboFix.txt (How to attach)
     
    Last edited: Feb 26, 2012
  31. thisisu

    thisisu Malware Consultant

    Just a heads up that this is the same thing as Normal Mode. I just wanted you to try Disable automatic restart upon system failure to obtain what blue screen error code you were getting.

    Feel free to just log in normally without using an F8 option. ;)
     
  32. raycyrx

    raycyrx Private E-2

    Logs attached.
     

    Attached Files:

  33. thisisu

    thisisu Malware Consultant

    Now download the latest MGtools.exe to the root of your c: drive.
    • Replace your existing MGtools.exe with this one.
    • Now run this new MGtools.exe by double-clicking it. (Vista/7 right-click and select Run as Administrator)
    • When it is finished, attach c:\MGlogs.zip to your next message. (How to attach)
     
  34. raycyrx

    raycyrx Private E-2

    MGtools zip log attached.
     

    Attached Files:

  35. thisisu

    thisisu Malware Consultant

    Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ClearJavaCache::
    File::
    c:\windows\system32\dds_trash_log.cmd
    C:\Windows\temp\SEP66B4.tmp
    Folder::
    C:\windows\$NtUninstallKB5332$
    C:\$AVG
    MIA::
    c:\windows\system32\drivers\cdrom.sys
    RegLock::
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "StartCCC"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
    "{1E73965B-8B48-48be-9C8D-68B920ABC1C4}"=-
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}]
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    (screenshot: dragging CFScript.txt onto ComboFix.exe)
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    According to your logs the Windows Firewall is functioning properly. Let me know if this is not the case.

    Let me know how the system is running after you have completed these steps.
     
  36. raycyrx

    raycyrx Private E-2

    I have a question before I proceed.
    The ComboFix I downloaded during READ AND RUN ME is gone. You had me download a different version after R&RM, and that is what is on my desktop.

    Should I go back to the links within R&RM to get the previous version before I proceed?
     
  37. thisisu

    thisisu Malware Consultant

    You do not have to but you can if you want. ;)
     
  38. raycyrx

    raycyrx Private E-2

    Logs attached.

    Computer is running much better. No redirects from Google or other search sites.
     

    Attached Files:

  39. thisisu

    thisisu Malware Consultant

    Glad to hear that ;)

    Just one minor trace left:
    • C:\Users\Ken\AppData\Roaming\Microsoft\Windows\Templates\80b8pg205i3703f7k01v8p6t64t7nml47ly

    Delete this by using Windows Explorer. Let me know if you have any problems deleting it.

    Also can you double-check if this folder is still present:
    C:\windows\$NtUninstallKB5332$
    If it is, can you try deleting it. Let me know if you have any problems deleting it.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
    Be safe :)
     
  40. raycyrx

    raycyrx Private E-2

    C:\Users\Ken\AppData\Roaming\Microsoft\Windows\Templates\80b8pg205i3703f7k01v8p6t64t7nml47ly deleted just fine. Same with C:\windows\$NtUninstallKB5332$

    I've been using Malwarebytes for a while. You mention that unless I PURCHASE it, it provides no protection. Do I need to PURCHASE SuperAntiSpyware also?

    Also, I don't see anything about AVG in your post or "How to Protect..."
    Do you recommend against AVG?


    I am noticing that Sync Center doesn't seem to be connecting to my wife's nor my Windows smartphones. I use Sync Center to keep our calendar (through Outlook). Is there anything in particular I need to do to get them working again?
     
  41. thisisu

    thisisu Malware Consultant

    It basically means that unless purchased, MBAM doesn't offer "Real-time Protection" / "Auto-Protection", sort of like an Antivirus suite.
    That is your decision. If you like to learn more about the differences between the Free and PRO versions of SAS read here.

    It is not my post but I believe AVG was removed from the recommendations due to it using too many resources in some of the latest builds.

    I do not know. You should inquire about this in the Software forum.
     
  42. raycyrx

    raycyrx Private E-2

    I'm installing Comodo and choosing to use both anti-virus and firewall. The install is asking if I want to use Comodo Secure DNS servers.

    I can't call myself a networking wizard. What I do know is that my home network sometimes doesn't work such that I can't see the shares of my desktop from my laptop, or wirelessly print from my laptop. Right now, the network seems to be working ok, so I'm nervous about fooling with it.

    Would using Comodo Secure DNS servers mess with such home networking, or other wireless connections? Is it recommended in general?
     
  43. thisisu

    thisisu Malware Consultant

    Hi,

    Their DNS servers shouldn't worsen things. I personally have not tried out Comodo so I can't really relay my experiences with it to you.
    This is how I would approach this scenario too. If it's not broken, I wouldn't fool around with it ;)
     
