rootkit infection

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by mommysews, Jun 8, 2012.

  1. mommysews

    mommysews Private E-2

    Good afternoon!

    Our daughter began having problems yesterday afternoon after visiting several websites - "Pottermore", "Slice TV" and something she says was about baseball training tips (helpful, eh?).

    She is running just the basic Acer AspireOne netbook.

    The problem began with one of those "your system is infected" pop-ups. She says that she tried to close by "x" each time, but that the pop-ups continued. I ran her Avira, MBAM and SAS. MBAM identified 2 rootkits and 2 Trojans (.small?). Avira said it was blocking an unidentified program with each reboot. After several runs, it seemed that 2 of the problems were removed (or at least didn't appear in the logs anymore).

    Today I did the download, update & run of all the steps in the Read Me & Run First section.
    I disconnected from the internet while I ran the scans.
    Logs are attached in the next message.
    Only Root Repeal would not run. I will also attach those crash logs.

    Now, upon reconnecting to the internet, I have had an attempted site redirect blocked by Firefox on each page I opened to get here. There may also have been an automatic opening of IE as well (although I may have inadvertently hit that myself). I shut down IE immediately.

    Although the logs may not show an AntiVirus, she is running an updated Avira. I tried deleting it when I couldn't get it to shut down completely for ComboFix to run. I ran two ComboFix sessions - one with Avira still hanging on and one with it uninstalled. I'll include the one with Avira uninstalled, but I do have both, if needed.
    Avira was reinstalled & updated after finishing the scans.

    Thanks for any help that you can offer!
     
  2. mommysews

    mommysews Private E-2

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 06/08/2012 at 01:01 PM

    Application Version : 5.0.1150

    Core Rules Database Version : 8704
    Trace Rules Database Version: 6516

    Scan type : Complete Scan
    Total Scan Time : 00:59:39

    Operating System Information
    Windows 7 Starter 32-bit, Service Pack 1 (Build 6.01.7601)
    UAC Off - Administrator

    Memory items scanned : 777
    Memory threats detected : 0
    Registry items scanned : 33663
    Registry threats detected : 0
    File items scanned : 34333
    File threats detected : 0



    Malwarebytes Anti-Malware 1.61.0.1400
    www.malwarebytes.org

    Database version: v2012.06.07.05

    Windows 7 Service Pack 1 x86 NTFS
    Internet Explorer 9.0.8112.16421
    Hannah :: HANNAH-PC [administrator]

    07/06/2012 10:22:30 PM
    mbam-log-2012-06-07 (22-22-30).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 258933
    Time elapsed: 1 hour(s), 55 minute(s),

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 2
    C:\Users\Hannah\AppData\Local\{a30b859a-d19c-9a07-acf9-ad0b61c72d38}\n (Rootkit.0Access) -> Quarantined and deleted successfully.
    C:\Windows\Installer\{a30b859a-d19c-9a07-acf9-ad0b61c72d38}\U\00000001.@ (Trojan.Small) -> Quarantined and deleted successfully.

    (end)
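    As an added example (not from the thread and not Malwarebytes' own code), here is a small Python parser for the MBAM 1.x log layout posted above; the sample log is constructed from the lines in post 2. Grouping the detected paths by their {GUID} folder name shows that the two hits belong to one infection with several components, which is a reason to re-scan rather than to treat them as two unrelated finds.

```python
import re

# Constructed sample in the MBAM 1.x log layout posted above (the two
# detection lines and the GUID are copied from the thread; the rest is trimmed).
SAMPLE_LOG = r"""Malwarebytes Anti-Malware 1.61.0.1400
Scan type: Full scan
Objects scanned: 258933

Registry Keys Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Users\Hannah\AppData\Local\{a30b859a-d19c-9a07-acf9-ad0b61c72d38}\n (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Windows\Installer\{a30b859a-d19c-9a07-acf9-ad0b61c72d38}\U\00000001.@ (Trojan.Small) -> Quarantined and deleted successfully.

(end)
"""

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)$")
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
GUID_RE = re.compile(r"\{[0-9a-fA-F-]{36}\}")

def parse_mbam_log(text):
    """Map each 'X Detected: N' section to its item lines (path, family, action)."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        head = SECTION_RE.match(line)
        if head:
            current = head.group("section")
            sections[current] = []
            continue
        # Skip header lines before the first section, blanks and "(...)" notes.
        if current is None or not line or line.startswith("("):
            continue
        item = ITEM_RE.match(line)
        if item:
            sections[current].append(item.groupdict())
    return sections

def shared_guids(sections):
    """GUID folder names that occur in more than one detected path."""
    seen = {}
    for items in sections.values():
        for i in items:
            for guid in GUID_RE.findall(i["path"]):
                seen.setdefault(guid.lower(), set()).add(i["path"])
    return {g: sorted(p) for g, p in seen.items() if len(p) > 1}
```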
     
  3. mommysews

    mommysews Private E-2

    ROOTREPEAL CRASH REPORT
    -------------------------
    Windows Version: Windows Vista SP1
    Exception Code: 0xc0000005
    Exception Address: 0x00429d13
    Attempt to write to address: 0x0130a000

    ROOTREPEAL CRASH REPORT
    -------------------------
    Windows Version: Windows Vista SP1
    Exception Code: 0xc0000005
    Exception Address: 0x778e63f8
    Attempt to read from address: 0xbdd70977
     

    Attached Files:

  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You need to take a look at this.

    HOW TO: Attach Items To Your Post

    Please attach logs; do not post inline!

    I want you to run TDSSKiller so refer to the below for how to do so.

    TDSSkiller - How to run


    Please also download MBRCheck to your desktop
    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
     
  5. mommysews

    mommysews Private E-2

    Thank you Kestrel13!

    I have attached the scans as directed. I do hope that I have done them correctly this time.

    I will wait to hear back from you.
     

    Attached Files:

  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Before we continue I would like for you to use MSConfig to put this machine back into normal start up mode, if you haven't done so already.

    Please follow these instructions.

    Proxy Server - Changing Settings



    Could you please get this file, secret.sys, into a zipped file and attach it for me in your next post? To do this, see the below:

    Please go to start > Run and paste in the following:

    log retrievable @ C:\collect.zip



    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows 7.) Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  7. mommysews

    mommysews Private E-2

    Thanks again Kestrel13!

    The machine was in normal startup. I did confirm this and did reboot (just to be sure).

    I checked and neither IE nor Firefox was running through a proxy server.

    I zipped the file "secret.sys". It is attached. As I was doing this, I remembered that I tried renaming Root Repeal when it wouldn't run the first time to see if that would help. I think that I renamed it "secret" and then deleted that version when it wouldn't run either. I wonder if this is what the file may be. Whoops, sorry.

    I ran the MGTools\GetLogs.bat file as admin. Log is attached.
    I did get notice from Avira that it denied access to the host file (??). Should I disable Avira and run it again?

    Thank you. I will await your reply most patiently. Your help is most appreciated.
     

    Attached Files:

  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Does the C:\Windows\System32\drivers\secret.sys file seem familiar to you? I am going to go for its deletion in the next step if you do not know what it relates to. Can you navigate to the file, and right click it to check its properties at all?
     
  9. mommysews

    mommysews Private E-2

    Hello again Kestrel13!

    I am so sorry that I have taken so long to respond. I just realized that majorgeeks.com emails me of an update to the thread at 12:02 each day - not actually when a post is made. I was curious as to why I always heard back from you at exactly 12:02 (midnight). I will watch the website directly from now on so that we may get this silly mess resolved more expediently.

    Anyway ... I just located and deleted the file at:
    C:\Windows\System32\drivers\secret.sys
    I then ran Piriform's CleanUp (my favourite utility) and rebooted. Hopefully this was the correct way to remove it. When I checked the properties on the file, it appeared that it was created at the same time that I was downloading and extracting RootRepeal (that would not run). I do remember attempting a re-name of RootRepeal, so that is most likely what the file secret.sys was. There shouldn't have been anything else that loaded at that time.

    I am not noticing that it has made any difference at all.
    Were the other logs okay?
    Weird.

    Is there anything else that I should do?

    Thanks again for your help and patience.
     
    Last edited: Jun 13, 2012
  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    • Scan with Malware Bytes again and attach the new log.
    • Perform a full system scan with avira and let me know of the results.
     
  11. mommysews

    mommysews Private E-2

    Hi again,

    Oh shoot, I just did the scans and ran a quick Avira, not a full one. Okay, I will attach those logs and then run a full Avira scan - those seem to take forever (2 hours). I will post that as soon as it is done.

    It seems that I only get the Firefox auto re-direct block when I try and come to or change pages within Majorgeeks. Weird.

    Thanks again. More later.
     

    Attached Files:

  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Go to Firefox/Tools > Options > Advanced > General > Accessibility > "Warn me when web sites try to redirect or reload the page" <--- Uncheck this! :)
     
