Can't remove Rootkit TnCore/Trace

after reading all relative threads i still cant remove Rootkit TnCore/Trace

SuperAntispyware detects it:

RootKit.TnCore/Trace
C:\Windows\system32\drivers\core.cache.dsk

I've gone through all the steps in the Vista cleaning guide (running Vista Home Premium)

Below is my log from Hijack This
Thank you in advance for any help

Logfile of Trend Micro HijackThis v2.0.2

 

We would like to run a custom diagnostic on your system (with MajorGeeks permission) to see if you have a new variant.

If this is ok with MajorGeeks, please submit a support request here:
http://www.superantispyware.com/support.html

We can then run our diagnostic and update the forum with our findings to help everyone.

Nick Skrepetos
SUPERAntiSpyware.com

 

sorry for the wrong format in my previous post, please see attached for the correct log files.

thanks again

thanks SuperAntispyware team, I added the support request per your instructions

since i can only upload three files, below are the contents of the superantispyware log file:

Application Version : 4.0.1154

Core Rules Database Version : 3438
Trace Rules Database Version: 1430

Scan type : Complete Scan
Total Scan Time : 00:43:22

Memory items scanned : 757
Memory threats detected : 0
Registry items scanned : 6407
Registry threats detected : 0
File items scanned : 23927
File threats detected : 2

RootKit.TnCore/Trace
C:\Windows\system32\drivers\core.cache.dsk

 

You have 2 hidden service keys:
HKLM\SYSTEM\CurrentControlSet\Services\vkquwexg
HKLM\SYSTEM\CurrentControlSet\Services\usbhubb

And a hidden driver:
usbhubb.sys

We updated our (SUPERAntiSpyware) definitions to remove these threats - the definitions will be public after 6pm PST (Pacific Standard Time) - so update your definitions at that time an perform a complete scan.

Nick Skrepetos
SUPERAntiSpyware.com

 

thanks for the ultrafast responses and solution. will wait until the definitions are out and let you know how this worked out!

indeed the one file you mentioned, usbhubb.sys , was detected somehow in the latest AVG 8.0 suite, but it could never disinfect it/delete it.

will update the thread after 6pm when i'll have the new definitions

I assume I can now manually remove the keys and file in safe mode?
Thanks so much

 

Can you get a hold of that file and send it to us at samples AT superantispyware.com ?

Nick Skrepetos
SUPERAntiSpyware.com

 

absolutely! the least i can do

 

We have updated our definitions to remove the latest Rootkit (TNCore) - make sure you have definition versions Core : 3439 and Trace : 1431 and then perform a COMPLETE scan and the threats should be removed.

If not, or there is a probem let me know!

Nick Skrepetos
SUPERAntiSpyware.com

 

I just started my Complete Scan with the latest definitions,

1000x thanks to the team of superAntispyware

will keep you posted

 

Did the scan clean up your system?

 

The internals of the files he had were different than the other versions of the "Core.sys" files we have analyzed. We have dozens of variants of this infection. In fact, today there were new versions in our FileResearchCenter.com and on a few "adult" harvesting sites - those are in our definitions now and were virtually undetected on VirusTotal and Jotti - so there are NEW variants of this threat appearing.....

 

Iindeed SuperAntispyware found the rootkit and USBHubB.sys related files but after reboot it didn't run to delete them. (the option to "start with windows" is checked. )

I'm trying now running the program from a different admin account in case something is wrong with the previous user. will update you when its finished.

Attached SuperAntispyware Log

 

so how could I do that and remove the files manually?

 

thank-you sir,
attaching requested logs.

 

thank you

after dragging the CFscript.txt over ComboFix.exe , and after accepting ComboFix disclaimer i got the big blue screen (windows memory dump etc)

it occured about halfway after the program "backing up registry to c:\windows\erdnt\Hiv-backup" finished
at that stage combofix said that it was scanning for infected files.

The blue screen said something like "a program/process crucial for the system operation has stopped working and windows shut down to prevent damage etc"

it happened twice.

any ideas?

by the way, usbhubb.sys , still there.
Thanks again.

 

Are you sure you rebooted after scanning with SUPERAntiSpyware? We detected that file, and our kernel system would have made the file unsuable so it won't load and would have been deleted on reboot.

 

absolutely Nick, i actually did the complete scanning twice with the latest definitions from my two different admin accounts

what i've noticed though is that i haven't seen superantispy doesnt load up before everything else at boot, (the way spybot does after a required reboot)

 

Are you sure our kernel drivers aren't disabled? Have you done an uinstall and re-install?

 

didnt try uninstalling/reinstalling. will do that right now. thanks for the continuous help.

 

Would you like to try our 4.1 pre-release version? If so PM me and I can send the link - it has better kernel drivers and such.

-Nick

 

tried superantispyware pre-release 4.1, after removing 4.0 completely -- again it detects usbhubb.sys, but it won't remove it after a reboot.
attached is the log
how can I tell if the kernel drivers are active? maybe something is interfering?

 

Forgive me if I missed it, but what other security applications are you running? Would you mind submitting another diagnostic?

 

please send me the link for the diagnostic
i have several security apps installed

update -- ok , results sent to diagnostic server

 

ok sounds good I respect that -- i've completed the online diagnostic so lets wait
chaslang, thanks again for your support.these forums rock.

 

I will touch base with our senior analyzer in the morning. Today was a hectic day with some exiciting new stuff from our development team

 

I took the liberty to try to remove this usbhubb.sys file manually.
booted from the latest ubuntu live-cd, deleted the file, booted into vista,
waiting for super-antispyware to finish a new complete scan with latest definitions

 

hmm after re-boot file is still there. somehow gets re-created. Lernea hydra.

 

Did you update SUPERAntiSpyware definitions and re-scan? Are you doing this from the Admin account? Also, are you running 32-bit or 64-bit Vista?

 

Hi nick
im now scanning with the latest definitions (using 4.1 pre)
waiting for the scan to finish..
running from admin account with uac off
32bit vista on a toshiba satellite laptop
by the way i managed to email the file (usbhubb.sys) to samples at superantispyware com

 

Looks like the naughty files are now gone. after booting into ubuntu and deleting both:
C:\Windows\System32\drivers\core.cache.dsk and
C:\Windows\System32\drivers\usbhubb.sys

I ran superantispyware v4.1 pre with latest definitions,
it found 12 registry entries pertaining to usbhubb.sys, and it rebooted the system so it could clean them out too

I dont have popups yet so it looks like the laptop is finally clean again.

any post-cleaning thoughts?
oh and again, many many thanks to everyone who helped, Nick, chaslang you guys rock.

 

happy to report that after another reboot all malware is now gone according to superantispy+latest definitions.