Need help with a rootkit problem...

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Tasarran, Nov 16, 2011.

  1. Tasarran

    Tasarran Private E-2

    Thought it might help if I posted a post-mortem, since I seem to be one of the early adopters on this new type of infection...

    I got infected most likely through a pop up on a web page, not sure which one, since it didn't take effect immediately. I've been having problems with my mouse double-tapping on clicks, and there was one instance I recall where I accidentally clicked on a pop up that was under another that I was closing...

    Anyway, the original infection was through the rogue malware app "System Fix".
    The first sign I had a problem was when the program I was running crashed, then my icons all disappeared from my desktop, and the "System Fix" started running, and I started getting (fake) messages about hard drive errors.

    Having been infected with one of these type of rogue spyware removal scams before, I figured out that was what was happening this time.
    Went to a second computer and searched for "System Fix Removal", and found a forum on bleepingcomputer at this link: http://www.bleepingcomputer.com/virus-removal/remove-system-fix
    I went through this process, and everything worked, except I could not get TDSSKiller to run, no matter what I named it. Same thing for many of the tools to remove MBR viruses. ASWMBR, ComboFix, DDSKiller also would not run. I would get a brief hourglass, and then nothing would happen.

    Also, Skype would not run, and iTunes would run, but would not recognize my iPod, or connect to the Store. There may have been other apps that wouldn't work, but I didn't try any. I also got redirects on the browser if I connected to the internet.

    This was the point where I decided I needed an expert, and came over here as a result of a search.

    You can follow the rest in the thread, but I'll sum up what ended up working...

    I used GPARTED to remove the hidden partition the 'Master Virus' was hiding in, and make the main partition bootable.
    Ran the Windows System Recovery CD, did bootrec /fixmbr, bootrec /fixboot, and ran the Startup Repair. This apparently got rid of the second virus.
    Ran MBRCHECK (Clear)
    Ran MBAM (Clear)
    Ran ComboFix (Removed some directories and files that were left over from the first "System Fix" infection)

    Those last few steps would probably have found more results, if I hadn't already run them before I came to Majorgeeks.

    Anyway, things are back to normal now, and I didn't lose a single byte of data!

    One for the good guys.

    Multiple Thanks go out to Thisisu, my hero!:wave
     
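    The steps summarized above (GParted to drop the hidden partition, then bootrec /fixmbr and /fixboot to restore the boot code and the active flag) can be checked rather than taken on faith. The script below is an added example, not code from this thread or from any of the tools it mentions: it parses a raw 512-byte MBR sector, lists the partition entries, and flags the table shapes described in the post, that is an active (bootable) flag sitting on a partition of an unexpected type, a small unknown-type partition parked at the very end of the disk, entries that overlap or run past the end of the disk, and a single active-count check. It also hashes the 446-byte boot code so it can be compared with a copy taken from a known-clean install. The two sectors it examines are constructed inside the script; the set of "expected" partition types, the 64 MiB size threshold and the disk size are assumptions to adjust for the disk at hand. To use it on a real machine, read the first sector from \\.\PhysicalDrive0 with an elevated prompt on Windows (or with dd on a Linux live CD) and pass those bytes to find_anomalies.

```python
"""Sanity-check an MBR partition table for the tampering described in the post:
an extra hidden partition and the active flag moved off the Windows partition.
Pure parsing of bytes already in memory; it never opens a disk itself."""
import hashlib
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446                 # the partition table follows the boot code
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"
SMALL_PARTITION_SECTORS = 64 * 1024 * 1024 // SECTOR_SIZE   # assumption: 64 MiB

# Assumption: partition types expected on a Windows 7 system disk.
EXPECTED_TYPES = {0x07: "NTFS", 0x0B: "FAT32", 0x0C: "FAT32 LBA", 0x27: "Windows RE"}


def parse_partition_table(mbr):
    """Return the in-use slots of the MBR partition table as dicts."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for slot in range(4):
        # entry: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4)
        status, ptype, start, count = struct.unpack_from(
            "<B3xB3xII", mbr, TABLE_OFFSET + slot * ENTRY_SIZE)
        if ptype == 0:
            continue
        parts.append({"slot": slot, "active": status == 0x80,
                      "type": ptype, "start": start, "sectors": count})
    return parts


def boot_code_sha256(mbr):
    """Hash of the boot code, to compare with a sector saved from a clean install."""
    return hashlib.sha256(mbr[:TABLE_OFFSET]).hexdigest()


def find_anomalies(mbr, disk_sectors):
    """Return (code, message) pairs for suspicious partition-table entries."""
    parts = parse_partition_table(mbr)
    findings = []
    active = [p for p in parts if p["active"]]
    if len(active) != 1:
        findings.append(("ACTIVE_COUNT", f"{len(active)} active partitions, expected 1"))
    for p in parts:
        end = p["start"] + p["sectors"]
        known = p["type"] in EXPECTED_TYPES
        tag = f"slot {p['slot']} (type 0x{p['type']:02x}, LBA {p['start']}, {p['sectors']} sectors)"
        if p["active"] and not known:
            findings.append(("ACTIVE_TYPE", f"{tag}: active flag on a non-Windows partition"))
        if not known and p["sectors"] < SMALL_PARTITION_SECTORS:
            findings.append(("SMALL_UNKNOWN", f"{tag}: small partition of unexpected type"))
        if not known and end == disk_sectors:
            findings.append(("TRAILING", f"{tag}: unexpected partition ends at the last sector of the disk"))
        if end > disk_sectors:
            findings.append(("PAST_END", f"{tag}: extends beyond the end of the disk"))
    ordered = sorted(parts, key=lambda p: p["start"])
    for a, b in zip(ordered, ordered[1:]):
        if b["start"] < a["start"] + a["sectors"]:
            findings.append(("OVERLAP", f"slot {a['slot']} overlaps slot {b['slot']}"))
    return findings


# ---- constructed sample sectors (not captured from a real machine) ----
def _entry(active, ptype, start, sectors):
    return struct.pack("<B3sB3sII", 0x80 if active else 0x00, b"\xfe\xff\xff",
                       ptype, b"\xfe\xff\xff", start, sectors)


def _mbr(entries):
    table = b"".join(entries) + b"\x00" * ENTRY_SIZE * (4 - len(entries))
    return b"\x00" * TABLE_OFFSET + table + BOOT_SIGNATURE   # boot code left as zeros


DISK_SECTORS = 976_773_168                       # assumption: a 500 GB disk
SYSTEM_RESERVED = (0x07, 2048, 204_800)          # 100 MiB, type NTFS
MAIN = (0x07, 206_848, DISK_SECTORS - 206_848 - 2048)
HIDDEN = (0x1B, DISK_SECTORS - 2048, 2048)       # 1 MiB of unexpected type at the end

CLEAN_MBR = _mbr([_entry(True, *SYSTEM_RESERVED), _entry(False, *MAIN)])
SUSPECT_MBR = _mbr([_entry(False, *SYSTEM_RESERVED), _entry(False, *MAIN),
                    _entry(True, *HIDDEN)])

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("suspect", SUSPECT_MBR)):
        print(f"{name}: boot code sha256 {boot_code_sha256(sector)[:16]}...")
        for p in parse_partition_table(sector):
            print("  ", p)
        for code, msg in find_anomalies(sector, DISK_SECTORS) or [("OK", "no anomalies")]:
            print(f"   [{code}] {msg}")
```

    The boot-code hash only helps if you have a reference: take the first sector from a machine with the same Windows version that you trust, or from the same disk right after a fresh bootrec /fixmbr, and compare. A clean table does not prove a clean disk, since nothing here inspects the contents of the partitions, but a stray active flag or a small unknown partition at the end of the disk is exactly the thing worth looking at before reaching for the removal tools.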
  2. thisisu

    thisisu Malware Consultant

    Thanks for posting that information. :)

    We still have some work to do.

    From Programs and Features (via Control Panel), please uninstall the below:
    • Java(TM) 6 Update 22 (outdated)
    • Java(TM) 6 Update 24 (outdated)

    Now we need to make use of ComboFix by sUBs
    • Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop but do not run it!
      • If it is not on your desktop, the below will not work.
    • Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    • Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ClearJavaCache::
    DirLook::
    C:\Users\User\AppData\Local\assembly
    Driver::
    KXLIQPOB
    is3srv
    szkg5
    szkgfs
    AVGIDSEH
    File::
    C:\ProgramData\b4FEKVtrCT82U4
    C:\ProgramData\~b4FEKVtrCT82U4
    C:\ProgramData\~b4FEKVtrCT82U4r
    c:\windows\system32\DRIVERS\AVGIDSEH.Sys
    C:\Users\User\Local Settings\TEMP\KXLIQPOB.SYS
    C:\Users\User\Local Settings\TEMP\214748~1.DAT
    C:\Users\User\Local Settings\TEMP\4E6F82~1.DSM
    C:\Users\User\Local Settings\TEMP\AMT3.LOG
    C:\Users\User\Local Settings\TEMP\CATCHME.DLL
    C:\Users\User\Local Settings\TEMP\MBR.SYS
    C:\Users\User\Local Settings\TEMP\NSI80A5.TMP
    C:\Users\User\Local Settings\TEMP\TMP2434.TMP
    C:\Users\User\Local Settings\TEMP\TMP28C5.TMP
    C:\Users\User\Local Settings\TEMP\TMP4DB2.TMP
    C:\Users\User\Local Settings\TEMP\TMP583F.TMP
    C:\Users\User\Local Settings\TEMP\TMP7204.TMP
    C:\Users\User\Local Settings\TEMP\TMP7619.TMP
    C:\Users\User\Local Settings\TEMP\TMP8779.TMP
    C:\Users\User\Local Settings\TEMP\TMP981C.TMP
    C:\Users\User\Local Settings\TEMP\TMPB654.TMP
    C:\Users\User\Local Settings\TEMP\TMPB74D.TMP
    C:\Users\User\Local Settings\TEMP\TMPF3DF.TMP
    C:\Users\User\Local Settings\TEMP\TMPF3DF.XML
    C:\Users\User\Local Settings\TEMP\TMPF3E0.TMP
    C:\Users\User\Local Settings\TEMP\VHCXHA~1.PAR
    Folder::
    C:\ProgramData\STOPzilla!
    c:\windows\DEA314C409294250BC9298E4C105F28D.TMP
    C:\Users\User\Local Settings\TEMP\DIV429C.TMP
    C:\Users\User\Local Settings\TEMP\HSPERF~1
    C:\Users\User\Local Settings\TEMP\MSDTAD~1
    C:\Users\User\Local Settings\TEMP\NSI80A6.TMP
    C:\Users\User\Local Settings\TEMP\TMPB14A.TMP
    C:\Users\User\Local Settings\TEMP\{8BFA2~1
    RegLock::
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    
    • Save the above as CFScript.txt and make sure you save it to the same location (should be on your desktop) as ComboFix.exe
    • At this point, you must exit all browsers now before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your desktop.
    • Now use your mouse to drag CFScript.txt on top of ComboFix.exe.
      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    • This shall launch ComboFix.
      Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    • Allow ComboFix to update itself if prompted.
    • When it finishes, a log will be produced at C:\ComboFix.txt
      Note: If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.
    • Attach this log to your next message. (How to attach items to your post)


    Please put your PC back into Normal Startup Mode via MSconfig. >> Use MSconfig to setup for Normal Startup Mode

    Please download Unhide by Grinler to your desktop.
    Double-click unhide.exe to run it (Vista and Win7 right-click and select Run as administrator)


    Now install the current version of Sun Java from: Sun Java Runtime Environment

    Now run C:\MGtools\GetLogs.bat by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
    Then attach C:\MGlogs.zip to your next message. (How to attach items to your post)
    Note: This will automatically update all the logs inside MGlogs.zip
     
  3. Tasarran

    Tasarran Private E-2

    OK, here are the logs you requested.

    I didn't do the Unhide, because I'd already run that as part of the removal of "System Fix".
     

  4. thisisu

    thisisu Malware Consultant

    Ok good :p All the icons/shortcuts are restored?

    Any other malware problems? Your latest logs are clean.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double-click on this file to run this cleanup program, which will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
