MBR Rootkit Detected

Discussion in 'Malware Help (A Specialist Will Reply)' started by theaftermath06, Nov 17, 2010.

  1. theaftermath06

    theaftermath06 Private E-2

    Hello and thank you first of all for these forums!

    I noticed that my computer was acting odd and slow and ran SAS and it found a trojan. When I tried to reboot it froze at the "Windows is Shutting Down" screen so I had to hard boot it. I have run all of the programs and tests except for Combofix as I was unable to uninstall Online Armour. When I tried it said "Access Denied..." I would think that Online Armour is hooked at this point. Something that I noticed before I knew I was infected was on my Ubee Modem D3.0 my DS light turned orange from green and my ethernet light began flashing (it used to be solid). Within a week of this I could not get online anymore.

    After the Charter subcontracted tech came out and got me back online the DS and ethernet lights were still the same (orange, blinking). He said he was not sure why the DS was orange and why the ethernet was blinking. I Googled the DS light issue and found a post that said it was the modem bonding channels.

    Anyways here are the logs requested... What a nightmare this is! I will only say thank you to anyone that can help...

    PS. The only thing I have done before I noticed the problems is using a website called autohits.dk. It is a site that autosurfs for me to earn credits that go towards my page being viewed by others. I am not saying for sure that this is where the malware came from but Malwarebytes blocks IPs constantly from this autosurfer (I got the paid version of MBAM after I noticed the problem and have since stopped using this site).
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am not seeing any malware in your logs. What detected a rootkit? Did it give an exact path to the file?
     
  3. theaftermath06

    theaftermath06 Private E-2

    Hi Tim and thank you for helping me.

    SAS detected it. It is in the log and it does show a path.

    rrlog also shows the rootkit and path.
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    What is your G:\ drive? Is it a partition or an external drive? Is it bootable?
     
  5. theaftermath06

    theaftermath06 Private E-2

    It is my external drive, WD 500GB Book Essentials I believe. It just powers when a file is accessed. I can tell just by the performance that something is on there. I cannot safely shut the drive down now. I have to unplug it when the whole desktop is off. Even when I unplugged the drive, I still couldn't uninstall Online Armour and had very limited access to any of the files that RootRepeal found hooked from a scan yesterday. There were probably 20 NT files that were hooked. I'm not sure exactly how everything works but I would think that the trojan has spread after seeing the performance and reports of hooked files after I unplugged the drive and started up the computer.

    Update: I did successfully safely remove hardware (G:/ drive), this was the first time I tried since I ran MG Tools.
     
    Last edited: Nov 17, 2010
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I assume that is not a bootable drive, so there is no MBR. The scans don't know that. ;)
     
  7. theaftermath06

    theaftermath06 Private E-2

    Thanks Tim for looking over my logs. Why does RootRepeal show files that are still hooked? I will go through and clean up everything but something seems to still be wrong. I can now disable and delete Online Armour anyway :-D
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    What is happening that makes you think something is still wrong? Would you like to do an online scan?

    eSet Online Scan.
     
  9. theaftermath06

    theaftermath06 Private E-2

    Hi Tim, well I found a few things out today. I installed Comodo Firewall and Antivirus and it found 8 infections!

    First of all I have set everything at max protection and the scanner on high heur. sensitivity. 6 of those 8 were false positives.

    6 found to be false -
    combofix.exe - I had this on both my boot and external drives.
    mbr.cfxxe
    mbr.exe
    mgtools - This was on both boot and external drive also

    I had some of these on both drives just in case the file had to be run on the actual drive since I couldn't select the drive it scanned. :confused

    Now the two that Comodo AntiVirus DID find

    couponprinter.exe - I wasn't really sure if this was also a false positive or not so I quarantined it anyways. I Googled it and found mixed reviews. The one I went with was MBAM saying it had trojan buried. That with Comodo finding it... yeah, you're gone!

    sysimx.dll.exe - This is reported as a trojan/virus that allows remote users to get sensitive info and is rated a 5 I believe.



    The crazy thing is I have run ESET Online Scanner, Prevx 3.0 (this was the free version so it only detected problems and then corrected certain ones but this file was not detected), Microsoft Security Essentials, MBAM, SAS, Rootrepeal, TDDS Root Removal, Blacklight and Blacklight Online Scanner, MGTools (Which I'm not sure if this is supposed to find roots like that).

    I gotta say that I am going to be running Comodo AV right along with MSSE from now on. I am floored that all of the other ones missed that!

    Anyways, the reason I think something is still wrong is because I have a file that I am unable to remove from recycle bin. Sometimes when I right click on an item it takes over 10 seconds for the options for that file to show up. When I click on drives (C:/ or G:/ which is my external portable) it shows the flashlight searching for about 5-10 seconds too. Firefox takes over 10 seconds to start and then another 5 - 10 to load the page (yahoo.com).

    Now this is not every single time but more times than not it does hang like that. I haven't defragmented yet but I just did that shortly after I thought there were problems.

    The folder that will not delete is f9e8f19e5fd9601e4a32, which was on my external drive. It was right in the root of the drive and I have no idea what it is/was and have no idea how it got there. There were 4 of them and I deleted them after I saw MBR Detected in RootRepeal from the first scan.

    The odd thing is when I open my Recycle bin I do not see anything in there. It shows that it is empty but when I empty it, it says "Cannot remove folder...:Access is denied". I have checked the view options to make sure nothing that shouldn't be checked is, and vice versa.

    I guess from here I will wait to hear back from you if you have any suggestions and then defrag and memory dump and try to find a good optimize program. Maybe some settings have changed or something. I don't know but things still seem very slow compared to what they used to be.
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Have you tried any other removal tool such as CCleaner or Your uninstaller or File Assassin?

    What all is on your G:\ drive? Can you save the info / data on that drive and do a reformat?

    Let's take a new look at your logs, so run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\MGlogs.zip
     
  11. theaftermath06

    theaftermath06 Private E-2

    Hi Tim,

    I did run all 3 of those on the file. When FA tried to delete it, it said that it was removed successfully but it is still there every time. CCleaner says 2 files cleaned but file(s) remain, Uninstaller says it is explorer.exe and cannot delete or uninstall it.

    I have quite a bit of music and pictures stored on that drive. Do you think it would be safe to just move all of that to my C:/ drive, reformat, and then move the files back?

    Also do you think it would be better to run all of those scans again while those files are temporarily on my C:/ drive? If you don't mind me asking, what would be the best way to reformat that external portable drive?

    Here are the logs you requested too.

    Oh yeah I did defrag too and still very slow with performance. I even disabled my MBAM protection module for now to see if things speed up a bit. I have used Win Utilities to correct errors with my Registry too. I have used that for probably 2 years at least now and never a problem so I keep using it. It did find a lot of errors (I would imagine from all of the uninstalling I have been doing) but my computer is still very slow for some reason.
     

    Attached Files:

  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am not seeing any issues in those logs. Have you plugged in your external drive and done a deep scan with MBAM? If it all comes out clean, then you could transfer your files back to the c:\ drive and format the external. It is usually just a matter of opening My Computer and right clicking the external drive and choosing to format it.
     
  13. theaftermath06

    theaftermath06 Private E-2

    Something else I thought you should know is that I now have System Volume Folder and Recycler folders on my external drive. I never had these on here before and maybe this is why my computer is slower than usual. My computer has to access that System Volume info all of the time???
     
  14. theaftermath06

    theaftermath06 Private E-2

    Hey Tim, just wanted to give you an update. I reformatted the external drive. I opened it up and that System Volume Information folder is still there. I tried to run the File Assassin on it and it looks like it did take care of the file that was in there (Mountain Remote Desktop Support or something like that) and as soon as I did that the Recycler folder is back (S-1-5-21-1644491937-1844823847-725345543-1003) with 2 files in it (desktop.ini and INFO2). I can delete desktop with FA but whenever I try with FA on INFO2 it deletes it but adds 2 or 3 files after (DG17.ini, DG18, DG19).

    I never used to have System Volume on this external or Recycler, or at least I never saw them before. I'm at a loss of options here...
     
  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Go to the control panel, click on folders and then the view tab and see if Show Hidden files is still ticked. If it is, untick it and then see if the files still show on the external drive.
     
  16. theaftermath06

    theaftermath06 Private E-2

    Hey Tim, I know it is ticked still to show hidden files. I will change that then. I didn't know or think that those two folders would be on the external... Shows how much I know... :-o
     
  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources (except a little disk space) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between the combofix" and the /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work through the below link:
     
  18. theaftermath06

    theaftermath06 Private E-2

    Alright Tim, Thank you so much for spending your time with me...

    Thank you again! :wave
     
  19. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome. Safe surfing. :)
     
  20. theaftermath06

    theaftermath06 Private E-2

    Hi Tim, It's me again :confused

    You had said that my external didn't have a MBR Rootkit because it didn't have a MBR. I was still looking over things because it is still slow and my external drive's green light is always on now (has been since the problem started), where it would only come on before when I accessed a file from it or added a file to it. Anyways I did find this info and was looking to see what you thought.

    I attached a screenshot of what I was talking about.

    I imagine you are tired of helping me but I am at my wits end man...
     

    Attached Files:

  21. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Have your external drive plugged in and do the following:

    Please also download MBRCheck to your desktop

    • Double click MBRCheck.exe to run (Vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...

    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:

    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message.
     
  22. theaftermath06

    theaftermath06 Private E-2

    Hi Tim, Here is the log you requested.
     

    Attached Files:

  23. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    This shows that you are fine:
    Code:
          Size  Device Name          MBR Status
      --------------------------------------------
        298 GB  \\.\PhysicalDrive0   Windows XP MBR code detected
                SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
        465 GB  \\.\PhysicalDrive1   RE: Western Digital MBR code detected
                SHA1: CCCF1B32EE08ECFB66B30883CFF6110F69219FEA
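As an added example that is not from this thread or from the MBRCheck tool: a small Python parser that performs the kind of check the MBRCheck log above reflects, hashing the bootstrap-code region of a 512-byte MBR, comparing it against an allow-list of known-good hashes, and reading the partition table. The sample sector, its disk signature and the allow-list entry are constructed here; hashing exactly the 440-byte boot-code region is my assumption and may differ from what MBRCheck itself hashes.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440        # assumed: bootstrap code region before the 4-byte disk signature
PART_TABLE_OFF = 446       # four 16-byte partition entries start here
BOOT_SIG = b"\x55\xAA"     # sector must end with the boot signature

def parse_mbr(sector: bytes) -> dict:
    """Parse a 512-byte MBR into boot-code SHA1, disk signature and used partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba, sectors = struct.unpack_from("<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype:  # type 0x00 means the slot is unused
            parts.append({"bootable": status == 0x80, "type": ptype, "lba": lba, "sectors": sectors})
    return {
        "boot_code_sha1": hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper(),
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "partitions": parts,
    }

def classify_mbr(sector: bytes, known_good: dict) -> str:
    """Report known boot code by vendor name; anything else is flagged for manual review."""
    info = parse_mbr(sector)
    if info["boot_code_sha1"] in known_good:
        return "%s MBR code detected" % known_good[info["boot_code_sha1"]]
    return "Found non-standard or infected MBR."

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test sector: the given boot code plus one bootable NTFS (0x07) partition."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, 440, 0xDEADBEEF)  # constructed disk signature
    struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF, 0x80, 0x07, 2048, 1_000_000)
    sector[510:512] = BOOT_SIG
    return bytes(sector)

# Constructed stand-in for vendor boot code (a few real-looking bytes padded with NOPs), not actual Windows code.
CLEAN_BOOT_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 20
CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE)
# Allow-list keyed by boot-code SHA1; the single entry is derived from the constructed clean sample.
KNOWN_GOOD = {parse_mbr(CLEAN_MBR)["boot_code_sha1"]: "Windows XP"}
# Same partition table and disk signature, but one byte of boot code changed: hash no longer matches.
TAMPERED_MBR = build_sample_mbr(bytes([CLEAN_BOOT_CODE[0] ^ 0xFF]) + CLEAN_BOOT_CODE[1:])
```

Because only the boot-code region is hashed, a drive whose disk signature or partition layout differs from the reference still matches as long as its bootstrap code is unchanged, which is the property a known-good allow-list needs.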
     
  24. theaftermath06

    theaftermath06 Private E-2

    Ok, Thanks again Tim for all of your help and patience! It is very much appreciated! :cool
     
  25. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are quite welcome. Safe surfing! :)
     
