MajorGeeks Support Forums
#1  06-08-12, 16:06
mommysews (Private First Class)
rootkit infection

Good afternoon!

Our daughter began having problems yesterday afternoon after visiting several websites - "Pottermore", "Slice TV" and something she says was about baseball training tips (helpful, eh?).

She is running just the basic Acer AspireOne netbook.

The problem began with one of those "your system is infected" pop-ups. She says that she tried to close by "x" each time, but that the pop-ups continued. I ran her Avira, and MBAM and SAS. MBAM identified 2 rootkits and 2 Trojans (.small?). Avira said it was blocking an unidentified program with each reboot. After several runs, it seemed that 2 of the problems were removed (or at least didn't appear in the logs anymore).

Today I did the download, update & run of all the steps in the Read Me & Run First section.
I disconnected from the internet while I ran the scans.
Logs are attached in the next message.
Only Root Repeal would not run. I will also attach those crash logs.

Now, upon reconnecting to the internet, I have had an attempted site redirect blocked by Firefox on each page I opened to get here. There may also have been an automatic opening of IE as well (although I may have inadvertently hit that myself). I shut down IE immediately.

Although the logs may not show an AntiVirus, she is running an updated Avira. I tried deleting it when I couldn't get it to shut down completely for ComboFix to run. I ran two ComboFix sessions - one with Avira still hanging on and one with it uninstalled. I'll include the one with Avira uninstalled, but I do have both, if needed.
Avira was reinstalled & updated after finishing the scans.

Thanks for any help that you can offer!
#2  06-08-12, 16:08
mommysews (Private First Class)
Re: rootkit infection

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/08/2012 at 01:01 PM

Application Version : 5.0.1150

Core Rules Database Version : 8704
Trace Rules Database Version: 6516

Scan type : Complete Scan
Total Scan Time : 00:59:39

Operating System Information
Windows 7 Starter 32-bit, Service Pack 1 (Build 6.01.7601)
UAC Off - Administrator

Memory items scanned : 777
Memory threats detected : 0
Registry items scanned : 33663
Registry threats detected : 0
File items scanned : 34333
File threats detected : 0



Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.07.05

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Hannah :: HANNAH-PC [administrator]

07/06/2012 10:22:30 PM
mbam-log-2012-06-07 (22-22-30).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 258933
Time elapsed: 1 hour(s), 55 minute(s),

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Users\Hannah\AppData\Local\{a30b859a-d19c-9a07-acf9-ad0b61c72d38}\n (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Windows\Installer\{a30b859a-d19c-9a07-acf9-ad0b61c72d38}\U\00000001.@ (Trojan.Small) -> Quarantined and deleted successfully.

(end)
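The two files MBAM removed share one layout: a GUID-named directory holding a file called n under AppData\Local, and a U directory of @ files under Windows\Installer, with the same GUID in both. As an added example that is not part of the original thread, this Python script parses the "Files Detected" section of an MBAM log and flags paths with that layout; the sample log is constructed from the two lines posted above plus one benign line that should not be flagged.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: the two "Files Detected" lines from the posted MBAM log,
# plus one extra line (invented here) that should not match the rootkit layout.
SAMPLE_LOG = r"""Files Detected: 3
C:\Users\Hannah\AppData\Local\{a30b859a-d19c-9a07-acf9-ad0b61c72d38}\n (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Windows\Installer\{a30b859a-d19c-9a07-acf9-ad0b61c72d38}\U\00000001.@ (Trojan.Small) -> Quarantined and deleted successfully.
C:\Users\Hannah\Downloads\setup.exe (PUP.Optional.Example) -> No action taken.

(end)"""

# "<path> (<detection name>) -> <action>."  as MBAM 1.x writes it
DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")
# {8-4-4-4-12 hex} directory name
GUID_DIR_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)


def parse_detections(log_text):
    """Return (path, detection_name, action) tuples from the Files Detected section."""
    found = []
    in_files = False
    for line in log_text.splitlines():
        if line.startswith("Files Detected:"):
            in_files = True
            continue
        if in_files:
            m = DETECTION_RE.match(line.strip())
            if m:
                found.append((m["path"], m["name"], m["action"]))
    return found


def looks_like_zeroaccess(path):
    """True if a GUID-named directory in the path directly holds 'n',
    or holds a 'U' directory whose final file name ends in '@'."""
    parts = PureWindowsPath(path).parts
    for i, part in enumerate(parts[:-1]):
        if GUID_DIR_RE.match(part):
            rest = parts[i + 1:]
            if rest == ("n",) or (rest[0].upper() == "U" and rest[-1].endswith("@")):
                return True
    return False


def triage(log_text):
    """Map each detected path to whether it matches the GUID/n/U/@ layout."""
    return {path: looks_like_zeroaccess(path) for path, _, _ in parse_detections(log_text)}
```

Because both hits carry the same GUID, a positive result is a cue to check for the remaining pieces of that directory pair (and the MBR, as the helper asks for next) rather than treating the two quarantines as a complete clean-up.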
#3  06-08-12, 16:13
mommysews (Private First Class)
Re: rootkit infection

ROOTREPEAL CRASH REPORT
-------------------------
Windows Version: Windows Vista SP1
Exception Code: 0xc0000005
Exception Address: 0x00429d13
Attempt to write to address: 0x0130a000

ROOTREPEAL CRASH REPORT
-------------------------
Windows Version: Windows Vista SP1
Exception Code: 0xc0000005
Exception Address: 0x778e63f8
Attempt to read from address: 0xbdd70977
Attached file: MGlogs.zip
#4  06-10-12, 05:29
Kestrel13! (Super Malware Fighter - Major Dilemma)
Re: rootkit infection

You need to take a look at this.

HOW TO: Attach Items To Your Post

Please attach logs; do not post them inline!

I want you to run TDSSKiller so refer to the below for how to do so.

TDSSkiller - How to run


Please also download MBRCheck to your desktop
  • Double click MBRCheck.exe to run (Vista and Win 7: right click and select Run as Administrator)
  • It will show a Black screen with some information that will contain either the below line if no problem is found:
    • Done! Press ENTER to exit...
  • Or you will see more information like below if a problem is found:
    • Found non-standard or infected MBR.
    • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
  • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
__________________
Have we been helpful? Did our services here at MajorGeeks save you a whole lot of cash? If you would like to bequest a small amount as a token of your appreciation, please look out for the yellow 'Donate' button on the top right of any page. Thanks!
#5  06-11-12, 00:11
mommysews (Private First Class)
Re: rootkit infection

Thank you Kestrel13!

I have attached the scans as directed. I do hope that I have done them correctly this time.

I will wait to hear back from you.
Attached files: MBRCheck_06.11.12_00.55.37.txt, TDSSKiller.2.7.36.0_11.06.2012_00.37.19_log.txt
#6  06-11-12, 16:44
Kestrel13! (Super Malware Fighter - Major Dilemma)
Re: rootkit infection

Before we continue I would like for you to use MSConfig to put this machine back into normal start up mode, if you haven't done so already.

Please follow these instructions.

Proxy Server - Changing Settings



Could you please get this: secret.sys into a zipped file and attach it for me in your next post? To do this, see the below:

Please go to start > Run and paste in the following:

Quote:
%systemdrive%\MGTools\zip "%systemdrive%\collect.zip" C:\Windows\System32\drivers\secret.sys
log retrievable @ C:\collect.zip



Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows 7.) Then attach the new C:\MGlogs.zip file that will be created by running this.
#7  06-12-12, 00:19
mommysews (Private First Class)
Re: rootkit infection

Thanks again Kestrel13!

The machine was in normal startup. I did confirm this and did reboot (just to be sure).

I checked and neither IE nor Firefox was running through a proxy server.

I zipped the file "secret.sys". It is attached. As I was doing this, I remembered that I tried renaming Root Repeal when it wouldn't run the first time to see if that would help. I think that I renamed it "secret" and then deleted that version when it wouldn't run either. I wonder if this is what the file may be. Whoops, sorry.

I ran the MGTools\GetLogs.bat file as admin. Log is attached.
I did get notice from Avira that it denied access to the host file (??). Should I disable Avira and run it again?

Thank you. I will await your reply most patiently. Your help is most appreciated.
Attached files: collect.zip, MGlogs.zip
#8  06-12-12, 09:15
Kestrel13! (Super Malware Fighter - Major Dilemma)
Re: rootkit infection

Does the C:\Windows\System32\drivers\secret.sys file seem familiar to you? I am going to go for its deletion in the next step if you do not know what it relates to. Can you navigate to the file, and right click it to check its properties at all?
#9  06-13-12, 00:02
mommysews (Private First Class)
Re: rootkit infection

Hello again Kestrel13!

I am so sorry that I have taken so long to respond. I just realized that majorgeeks.com emails me of an update to the thread at 12:02 each day - not actually when a post is made. I was curious as to why I always heard back from you at exactly 12:02 (midnight). I will watch the website directly from now on so that we may get this silly mess resolved more expediently.

Anyway ... I just located and deleted the file at:
C:\Windows\System32\drivers\secret.sys
I then ran Piriform's CleanUp (my favourite utility) and rebooted. Hopefully this was the correct way to remove it. When I checked the properties on the file, it appeared that it was created at the same time that I was downloading and extracting RootRepeal (that would not run). I do remember attempting a re-name of RootRepeal, so that is most likely what the file secret.sys was. There shouldn't have been anything else that loaded at that time.

I am not noticing that it has made any difference at all.
Were the other logs okay?
Weird.

Is there anything else that I should do?

Thanks again for your help and patience.

Last edited by mommysews; 06-13-12 at 00:03.. Reason: spelling the deleted file name correctly!
#10  06-13-12, 11:27
Kestrel13! (Super Malware Fighter - Major Dilemma)
Re: rootkit infection

  • Scan with Malwarebytes again and attach the new log.
  • Perform a full system scan with Avira and let me know of the results.
#11  06-15-12, 10:46
mommysews (Private First Class)
Re: rootkit infection

Hi again,

Oh shoot, I just did the scans and ran a quick Avira, not a full one. Okay, I will attach those logs and then run a full Avira scan - those seem to take forever (2 hours). I will post that as soon as it is done.

It seems that I only get the Firefox auto re-direct block when I try and come to or change pages within Majorgeeks. Weird.

Thanks again. More later.
Attached files: AVSCAN-20120615-101204-6093FEE9.LOG, mbam-log-2012-06-15 (11-22-17).txt
#12  06-15-12, 17:00
Kestrel13! (Super Malware Fighter - Major Dilemma)
Re: rootkit infection

Quote:
Now, upon reconnecting to the internet, I have had an attempted site redirect blocked by Firefox on each page I opened to get here. There may also have been an automatic opening of IE as well (although I may have inadvertently hit that myself). I shut down IE immediately.
Go to Firefox/Tools > Options > Advanced > General > Accessibility > "Warn me when web sites try to redirect or reload the page" <--- Uncheck this!