Rootkit Infection and BSOD

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by kimfudge, Aug 26, 2015.

  1. kimfudge

    kimfudge Private E-2

    Hello,

My dad's computer was infected with some rootkit and other viruses. I couldn't download or run MBAM (or boot into safe mode) so I used the bootable Kaspersky CD to run a scan and remove the rootkit. Unfortunately, the computer will no longer boot after I removed the rootkit. The BSOD is 0X0000007e. Here are the OTL logs from the boot CD I made.
     

    Attached Files:

    • OTL.txt
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    OTL found a lot. We'll deal with that later. Let's try another tool so that we can see about getting you to boot normally afterwards.

    For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
    For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

    Plug the flash drive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:

    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    • Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please attach this log to your next reply. (How to attach)
     
  3. kimfudge

    kimfudge Private E-2

    Unfortunately, this computer is running Windows XP, so I can't run the system recovery options. I have the oldtimer bootable LiveCD and Hiren's BootCD if that helps.
     
  4. kimfudge

    kimfudge Private E-2

    My mistake! Here is the Farbar log:

    Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:23-08-2015
    Ran by SYSTEM on REATOGO (23-08-2015 19:47:57)
    Running from E:\
    Platform: Microsoft Windows XP (X86) Language: English (United States)
    Internet Explorer Version 6
    Boot Mode: Recovery
    Default: ControlSet001
    ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

    Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

    ==================== Registry (Whitelisted) ===========================

    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

    HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    HKLM\...\Run: [nwiz] => nwiz.exe /install
    HKLM\...\Run: [NvMediaCenter] => RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    HKLM\...\Run: [TrueImageMonitor.exe] => C:\Program Files\SonicWALL\SonicWALL Bare Metal Recovery and Local Archiving\TrueImageMonitor.exe [1165304 2007-05-03] (Acronis)
    HKLM\...\Run: [AcronisTimounterMonitor] => C:\Program Files\SonicWALL\SonicWALL Bare Metal Recovery and Local Archiving\TimounterMonitor.exe [1945416 2007-05-03] (Acronis)
    HKLM\...\Run: [Acronis Scheduler2 Service] => C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe [149024 2007-05-03] (Acronis)
    HKLM\...\Run: [Acrobat Assistant 7.0] => C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe [483328 2008-04-23] (Adobe Systems Inc.)
    HKLM\...\Run: [] => [X]
    HKLM\...\Run: [Wondershare Helper Compact.exe] => C:\Program Files\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe [1679360 2012-02-28] (Wondershare)
    HKLM\...\Run: [MSConfig] => C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe [169984 2008-04-14] (Microsoft Corporation)
    HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
    HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware <====== ATTENTION
    HKLM Group Policy restriction on software: C:\Program Files\SUPERAntiSpyware <====== ATTENTION
    HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] fastprox.dllATTENTION! ====> ZeroAccess?
    HKLM\...99B7938DA9E4}\LocalServer32: [Default-wmiprvse] rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 224 more characters). <==== ATTENTION
    HKLM\...99B7938DA9E4}\LocalServer32: [a] #@~^A4EAAA==n{F+2i@#@&l{xAPzmOk7+p6(L+1O`r?1.rwDRUtnVsE*i@#@&S4k^+cne'c+b@#@&`@#@&7DDz@#@&i @#@&di (the data entry has 32951 more characters). <==== ATTENTION
    HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig] <===== ATTENTION
    HKU\owner\...\RunOnce: [TSClientMSIUninstaller] => cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
    HKU\owner\...\RunOnce: [TSClientAXDisabler] => C:\Windows\Installer\TSClientMsiTrans\tscdsbl.bat [2247 2008-01-19] ()
    HKU\Parts\...\Run: [swg] => C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2011-11-30] (Google Inc.)
    HKU\Parts\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [6697752 2014-11-25] (SUPERAntiSpyware)
    HKU\Parts\...\Run: [bddffedct] => "C:\Documents and Settings\All Users\Application Data\bddffedct.exe"
    HKU\Parts\...\Run: [hugwssoqsl] => regsvr32.exe /s "C:\Documents and Settings\Parts\Local Settings\Application Data\Adobe\hugwssoqsl.dll"
    Lsa: [Authentication Packages] msv1_0 relog_ap
    Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk [2011-01-24]
    ShortcutTarget: Adobe Acrobat Speed Launcher.lnk -> C:\WINDOWS\Installer\{AC76BA86-1033-F400-BA7E-100000000002}\SC_Acrobat.exe ()
    Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk [2011-01-11]
    ShortcutTarget: Microsoft Office.lnk -> C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
    Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk [2011-01-11]
    ShortcutTarget: QuickBooks Update Agent.lnk -> C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit, Inc.)
    Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SideACT!.lnk [2011-01-11]
    ShortcutTarget: SideACT!.lnk -> C:\Program Files\ACT\SideACT.exe (Interact Commerce Corporation)

    ==================== Services (Whitelisted) ========================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    S2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE.EXE [142648 2014-08-14] (SUPERAntiSpyware.com)
    S2 AcrSch2Svc; C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe [407072 2007-05-03] (Acronis)
    S2 NvUpdSrv; C:\Program Files\NVIDIA Corporation\Updates\NvdUpd.exe [110592 2014-12-30] ()
    S3 ACDaemon; C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [X]
    S4 GamingWonderlandService; C:\PROGRA~1\GAMING~2\bar\1.bin\gtbarsvc.exe [X]

    ===================== Drivers (Whitelisted) ==========================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    S1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
    S1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67664 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
    S0 sisidex; C:\Windows\System32\drivers\sisidex.sys [32640 2003-08-08] (Windows (R) 2000 DDK provider)
    S3 SISNIC; C:\Windows\System32\DRIVERS\sisnic.sys [32768 2004-08-03] (SiS Corporation)
    S3 SISNICXP; C:\Windows\System32\DRIVERS\sisnicxp.sys [32768 2006-02-14] (SiS Corporation)
    S0 SiSRaid; C:\Windows\System32\DRIVERS\SiSRaid.sys [45568 2003-12-09] (Silicon Integrated Systems)
    S2 stdmfpam; C:\Program Files\HomeTab\stdmfpam.dll [61728 2014-11-08] ()
    S2 tifsfilter; C:\Windows\System32\DRIVERS\tifsfilt.sys [40064 2011-01-11] (Acronis)
    S1 bcgzvftl; \??\C:\WINDOWS\system32\drivers\bcgzvftl.sys [X]
    S3 BS2293111566; \??\C:\DOCUME~1\Parts\LOCALS~1\Temp\NTFS.sys [X]
    S1 cbqimngj; \??\C:\WINDOWS\system32\drivers\cbqimngj.sys [X]
    S1 ffoxeeez; \??\C:\WINDOWS\system32\drivers\ffoxeeez.sys [X]
    S1 flaltlmh; \??\C:\WINDOWS\system32\drivers\flaltlmh.sys [X]
    S1 gwboshei; \??\C:\WINDOWS\system32\drivers\gwboshei.sys [X]
    S1 hmbfolgc; \??\C:\WINDOWS\system32\drivers\hmbfolgc.sys [X]
    S4 IntelIde; no ImagePath
    S1 ixapywld; \??\C:\WINDOWS\system32\drivers\ixapywld.sys [X]
    S1 jzqptwgz; \??\C:\WINDOWS\system32\drivers\jzqptwgz.sys [X]
    S3 lmimirr; system32\DRIVERS\lmimirr.sys [X]
    S1 mpkxlzig; \??\C:\WINDOWS\system32\drivers\mpkxlzig.sys [X]
    S1 nlwptgwt; \??\C:\WINDOWS\system32\drivers\nlwptgwt.sys [X]
    S1 panprbcs; \??\C:\WINDOWS\system32\drivers\panprbcs.sys [X]
    S1 pjsyagmu; \??\C:\WINDOWS\system32\drivers\pjsyagmu.sys [X]
    S5 ScsiPort; C:\Windows\system32\drivers\scsiport.sys [96384 2008-04-14] (Microsoft Corporation)
    S4 SharedAccess; no ImagePath
    S1 WS2IFSL; no ImagePath

    ==================== NetSvcs (Whitelisted) ===================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


    ==================== One Month Created files and folders ========

    (If an entry is included in the fixlist, the file/folder will be moved.)

    2015-08-23 19:47 - 2015-08-23 19:47 - 00000000 ____D C:\FRST
    2015-08-23 17:32 - 2015-08-23 17:32 - 00000000 ____D C:\_OTL
    2015-08-21 18:38 - 2015-08-21 18:38 - 00060978 _____ C:\OTL.Txt
    2015-08-21 13:10 - 2015-08-21 13:11 - 24345872 _____ (Malwarebytes Corporation ) C:\mbam-setup-2.1.8.1057.exe
    2015-08-21 13:10 - 2015-08-21 13:10 - 02019656 _____ (Bleeping Computer, LLC) C:\iExplore.exe
    2015-08-21 13:09 - 2015-08-21 13:09 - 05635234 _____ (Swearware) C:\ComboFix.exe
    2015-08-20 13:36 - 2015-08-21 13:11 - 00000000 ____D C:\Kaspersky Rescue Disk 10.0
    2015-08-20 11:28 - 2015-08-20 11:28 - 00000000 ____D C:\Windows\pss
    2015-08-12 06:15 - 2015-08-12 06:18 - 00031293 _____ C:\Windows\ie8Uninst.log

    ==================== One Month Modified files and folders ========

    (If an entry is included in the fixlist, the file/folder will be moved.)

    2015-08-21 12:21 - 2012-11-07 23:46 - 00000000 ____D C:\Documents and Settings\Parts\Local Settings\Application Data\ArcSoft
    2015-08-21 12:21 - 2011-01-10 18:16 - 00000000 ____D C:\Documents and Settings\Parts\Application Data\Mozilla
    2015-08-20 11:28 - 2011-05-19 20:25 - 00000216 _____ C:\Windows\wiadebug.log
    2015-08-20 11:28 - 2011-05-19 20:25 - 00000049 _____ C:\Windows\wiaservc.log
    2015-08-20 11:28 - 2011-01-10 20:05 - 00000278 ___SH C:\Documents and Settings\Parts\ntuser.ini
    2015-08-20 11:28 - 2011-01-10 18:53 - 00032566 _____ C:\Windows\SchedLgU.Txt
    2015-08-20 11:28 - 2011-01-10 18:49 - 01343256 _____ C:\Windows\WindowsUpdate.log
    2015-08-20 11:28 - 2011-01-10 10:41 - 00000229 ___SH C:\boot.ini
    2015-08-20 11:28 - 2006-02-28 07:00 - 00000837 _____ C:\Windows\win.ini
    2015-08-20 11:28 - 2006-02-28 07:00 - 00000227 _____ C:\Windows\system.ini
    2015-08-20 11:22 - 2011-01-10 20:05 - 00000000 ____D C:\Documents and Settings\Parts\Local Settings\Temp
    2015-08-20 11:22 - 2011-01-10 18:23 - 00088566 _____ C:\Windows\System32\nvapps.xml
    2015-08-20 11:22 - 2006-02-28 07:00 - 00013646 _____ C:\Windows\System32\wpa.dbl
    2015-08-18 23:11 - 2013-08-05 13:06 - 00000000 ____D C:\Program Files\HomeTab
    2015-08-12 06:23 - 2011-02-05 01:58 - 00103012 _____ C:\Windows\setupact.log
    2015-08-12 06:19 - 2011-01-10 10:35 - 00000000 ____D C:\Windows\Help
    2015-08-12 06:18 - 2011-02-10 00:21 - 00949152 ____C C:\Windows\iis6.log
    2015-08-12 06:18 - 2011-02-10 00:21 - 00339410 ____C C:\Windows\tsoc.log
    2015-08-12 06:18 - 2011-02-10 00:21 - 00233905 ____C C:\Windows\comsetup.log
    2015-08-12 06:18 - 2011-02-10 00:21 - 00149243 ____C C:\Windows\ntdtcsetup.log
    2015-08-12 06:18 - 2011-02-10 00:21 - 00040382 ____C C:\Windows\ocmsn.log
    2015-08-12 06:18 - 2011-02-10 00:21 - 00033277 ____C C:\Windows\tabletoc.log
    2015-08-12 06:18 - 2011-02-10 00:21 - 00001374 _____ C:\Windows\imsins.log
    2015-08-12 06:18 - 2011-01-10 18:53 - 00000000 ____D C:\Windows\ie8updates
    2015-08-12 06:17 - 2011-02-10 00:21 - 00052318 ____C C:\Windows\updspapi.log
    2015-08-12 06:16 - 2011-02-10 00:21 - 00699951 ____C C:\Windows\FaxSetup.log
    2015-08-12 06:16 - 2011-02-10 00:21 - 00396040 ____C C:\Windows\ocgen.log
    2015-08-12 06:16 - 2011-02-10 00:21 - 00251464 ____C C:\Windows\msmqinst.log
    2015-08-12 06:16 - 2011-02-10 00:21 - 00123643 ____C C:\Windows\netfxocm.log
    2015-08-12 06:16 - 2011-02-10 00:21 - 00051097 ____C C:\Windows\MedCtrOC.log
    2015-08-12 06:16 - 2011-02-10 00:21 - 00037075 ____C C:\Windows\msgsocm.log
    2015-08-12 06:08 - 2014-09-19 12:35 - 00000000 ____D C:\Documents and Settings\Parts\Local Settings\Application Data\AskToolbar

    ZeroAccess:
    C:\RECYCLER\S-1-5-21-1614895754-1767777339-682003330-1004\$8bbcad7078f69c41886e3c6bbd163016

    Some files in TEMP:
    ====================
    C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-fc17fe0f.exe

    ==================== Known DLLs (Whitelisted) =========================


    ==================== Bamital & volsnap =================

    (There is no automatic fix for files that do not pass verification.)

    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll => MD5 is legit
    C:\Windows\System32\dnsapi.dll => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== Restore Points (XP) =====================


    ==================== Memory info ===========================

    Percentage of memory in use: 13%
    Total physical RAM: 2047.23 MB
    Available physical RAM: 1773.24 MB
    Total Virtual: 1877.89 MB
    Available Virtual: 1806.18 MB

    ==================== Drives ================================

    Drive b: (RAMDisk) (Fixed) (Total:0.06 GB) (Free:0.06 GB) NTFS
    Drive c: () (Fixed) (Total:298.08 GB) (Free:270.54 GB) NTFS ==>[drive with boot components (Windows XP)]
    Drive e: () (Removable) (Total:1.86 GB) (Free:0.73 GB) FAT
    Drive x: (ReatogoPE) (CDROM) (Total:0.28 GB) (Free:0 GB) CDFS

    ==================== MBR & Partition Table ==================

    ========================================================
    Disk: 0 (MBR Code: Windows XP) (Size: 298.1 GB) (Disk ID: B8B9B8B9)
    Partition 1: (Active) - (Size=298.1 GB) - (Type=07 NTFS)

    ========================================================
    Disk: 1 (Size: 1.9 GB) (Disk ID: 0030EAF3)
    Partition 1: (Active) - (Size=1.9 GB) - (Type=06)

    ==================== End of log ============================
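A small log triage script, added here as an illustration and not part of this thread or of FRST itself: it runs a few pattern rules over lines taken from the FRST log above and flags the ZeroAccess-style indicators FRST marked with ATTENTION (policy blocks on anti-malware tools, the hijacked COM servers, System Restore disabled, random-named autoruns and missing S0/S1 drivers, the driver in Temp, and the RECYCLER payload folder). The rule names and regular expressions are my own, not FRST terminology.

```python
import re

# Constructed sample: a handful of lines copied from the FRST log posted in
# this thread (trimmed), mixing legitimate entries with the suspicious ones.
SAMPLE_LOG = r"""
HKLM\...\Run: [MSConfig] => C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe [169984 2008-04-14] (Microsoft Corporation)
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] fastprox.dllATTENTION! ====> ZeroAccess?
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig] <===== ATTENTION
HKU\Parts\...\Run: [bddffedct] => "C:\Documents and Settings\All Users\Application Data\bddffedct.exe"
S2 AcrSch2Svc; C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe [407072 2007-05-03] (Acronis)
S1 bcgzvftl; \??\C:\WINDOWS\system32\drivers\bcgzvftl.sys [X]
S3 BS2293111566; \??\C:\DOCUME~1\Parts\LOCALS~1\Temp\NTFS.sys [X]
C:\RECYCLER\S-1-5-21-1614895754-1767777339-682003330-1004\$8bbcad7078f69c41886e3c6bbd163016
"""

# Each rule names one indicator visible in the log above.
# Rule names are my own labels (assumption), not FRST terminology.
RULES = [
    # Software Restriction Policy entries that block anti-malware tools.
    ("policy_blocks_security_tool",
     re.compile(r"^HKLM Group Policy restriction on software: .*(Malwarebytes|Antimalware|SUPERAntiSpyware)", re.I)),
    # COM server registrations FRST itself flags (fastprox / wmiprvse hijack).
    ("com_hijack", re.compile(r"\\(InprocServer32|LocalServer32): .*ATTENTION")),
    # System Restore disabled through the policy key.
    ("system_restore_disabled", re.compile(r"SystemRestore: \[DisableSR")),
    # Run value whose name is a random lowercase string equal to the file it launches.
    ("random_name_autorun", re.compile(r"\\Run: \[([a-z]{8,12})\] => .*\\\1\.(exe|dll)")),
    # Boot/system-start (S0/S1) driver whose name matches its file and the file is gone ([X]).
    ("missing_boot_driver", re.compile(r"^S[01] (\w+); \\\?\?\\.*\\\1\.sys \[X\]")),
    # Any driver service whose image path sits under a Temp directory.
    ("driver_in_temp", re.compile(r"^S\d \S+; .*\\Temp\\\S+\.sys \[X\]")),
    # ZeroAccess payload directory: RECYCLER\<SID>\$<32 hex characters>.
    ("zeroaccess_recycler", re.compile(r"^C:\\RECYCLER\\S-1-5-21-[\d-]+\\\$[0-9a-f]{32}$", re.I)),
]

def scan_frst(text):
    """Return (rule_name, line) for every log line matching a rule (first matching rule wins)."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        for name, pattern in RULES:
            if pattern.search(line):
                hits.append((name, line))
                break
    return hits

if __name__ == "__main__":
    for name, line in scan_frst(SAMPLE_LOG):
        print(f"{name:28s} {line[:80]}")
```

Feed it a whole FRST.txt and the flagged lines are the ones worth matching against the fixlist before it is run.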
     
  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Have you got your XP boot cd?
     
  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Excellent :) Give me a few moments to work up a fix.
     
  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes you have a zeroaccess infection, this fix should clear it up...

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    Attached is fixlist.txt
    • Save fixlist.txt to your flash drive.
    • You should now have both fixlist.txt and FRST.exe on your flash drive.

    Now re-enter System Recovery Options.
    Run FRST and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt).
    Please attach this to your next message. (How to attach)


    Are you now able to boot normally?
     

  8. kimfudge

    kimfudge Private E-2

    I ran the tool and the fixlist is attached. The computer still BSODs on start and will not let me access Safe Mode.
     

  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    But can you now boot normally? In normal mode?
     
  10. kimfudge

    kimfudge Private E-2

    No, it still BSODs.
     
  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I apologise. You did say that. ;)

    Can you run FRST again like you did before and attach a new log, please?
     
