Possible rootkit?

Discussion in 'Malware Help (A Specialist Will Reply)' started by physics223, Apr 14, 2013.

  1. physics223

    physics223 Private E-2

    I think there's a trojan or rootkit in my sister's laptop, because even though we scanned persistently with MalwareBytes the problems always recur when I restart her computer. While it doesn't really bother or mess with anything she has, her homepage reverts to a weird Spanish or Mexican site no matter how I try to fix it with HijackThis.

    I'm stumped. I would be grateful for the help you could offer me, guys. Thanks! This is her HijackThis log. I have WinPatrol and MalwareBytes installed.

    Logfile of Trend Micro HijackThis v2.0.4
     
    Last edited by a moderator: Apr 15, 2013
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  3. physics223

    physics223 Private E-2

    I'm not sure when this problem of my sister's really started: all I know is that no matter how I try to re-direct my webpage it always starts with noticiasalpunto.com. There are also some files that start with c and have eight letters trying to boot every time I start my computer. WinPatrol couldn't control it, and even persistent scanning with MalwareBytes still has them recur. I feel that my Internet's slowing because of these files, but I'm not really sure how to resolve these. Thank you, and sorry for the previous upload of the HJT log.

    Attached are the necessary logs. I tried to follow your step-by-step procedure as best as I can. Thank you!

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:

    • [RUN][ROGUE ST] HKLM\[...]\Policies\Explorer\Run : 55143 (C:\ProgramData\Local Settings\Temp\ccifkuio.scr) -> FOUND
    • [RUN][ROGUE ST] HKLM\[...]\Wow6432Node\Policies\Explorer\Run : 55143 (C:\ProgramData\Local Settings\Temp\ccifkuio.scr) -> FOUND
    • [SHELL][SUSP PATH] HKCU\[...]\Windows : Load (C:\Users\Marian\Local Settings\Temp\ccfkoc.cmd) [x] -> FOUND
    • [SHELL][SUSP PATH] HKUS\S-1-5-21-792902639-1200515897-1794210447-1001[...]\Windows : Load (C:\Users\Marian\Local Settings\Temp\ccfkoc.cmd) [x] -> FOUND

    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Do not reboot your computer yet.

    Now run Hitman and have it fix everything it found.

    Reboot and rescan with both RogueKiller and Hitman and attach those new logs as well.
     
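    The four detections above are standard Windows autostart locations (the Policies\Explorer\Run keys and the "Load" value under Windows NT\CurrentVersion\Windows), and the "[x]" marker means the referenced file was already gone. The following PowerShell audit is added here as an illustration and is not from the thread or from RogueKiller; the full key paths are the expanded forms of the abbreviated ones in the log, and the Temp-path patterns it flags are an assumption drawn from the sample values. Run it from an elevated prompt.

```powershell
# Added example (not part of the thread): list autostart entries in the keys
# RogueKiller flagged that point into a Temp folder, and say whether the file
# behind each entry still exists (a dangling key is what post #5 describes).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

# "Load" lives in each user hive: HKCU for the current user, plus every loaded
# profile under HKEY_USERS keyed by an S-1-5-21-... SID (as the HKUS line shows).
$userHives = @('HKCU:') + @(Get-ChildItem -Path Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
    ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)" })
$loadKeys = $userHives | ForEach-Object { "$_\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" }

# Assumed pattern: legitimate autostarts almost never launch from a Temp folder
# or from a fake profile tree under C:\ProgramData, as both samples above did.
$suspiciousPath = '\\Local Settings\\Temp\\|\\AppData\\Local\\Temp\\|\\ProgramData\\Local Settings\\'

function Test-AutostartValue {
    param([string]$Key, [string]$Name, [string]$Command)
    if ($Command -notmatch $suspiciousPath) { return }
    # Strip surrounding quotes so Test-Path sees the bare file path.
    $file = $Command.Trim('"')
    [pscustomobject]@{
        Key        = $Key
        Name       = $Name
        Command    = $Command
        FileExists = Test-Path -LiteralPath $file
    }
}

$findings = @(foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        Test-AutostartValue -Key $key -Name $name -Command ([string]$item.GetValue($name))
    }
})
$findings += @(foreach ($key in $loadKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $load = (Get-Item -Path $key).GetValue('Load')
    if ($load) { Test-AutostartValue -Key $key -Name 'Load' -Command ([string]$load) }
})

if ($findings.Count -gt 0) { $findings | Format-Table -AutoSize }
else { 'No autostart entries pointing into Temp folders.' }
```

    An entry with FileExists = False is the situation in post #5: the payload was deleted but the registry value that launched it is still present, which is why RogueKiller kept reporting the same keys after the files were gone.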
  5. physics223

    physics223 Private E-2

    Thanks for the reply. When I ran RogueKiller once more, there were no more traces of those registry keys that you listed to remove in your previous post, sir.

    Before I started to follow the instructions on this website, there was a persistent message that requested start-up from WinPatrol and they were those *.cmd and *.scr files so I just disabled them from starting and then removed those files on reboot with WinPatrol. I think that explains the new values shown on RogueKiller since I was sure that they were most definitely harmful files. I'm sorry for the preemptive actions.

    Hitman no longer saw any malicious files after I cleaned them all after the reboot, but RogueKiller still saw the same registry keys after I rebooted. I still have a problem with browser hijacking in that noticiasalpunto.com loads itself as my homepage but don't have any more persistent programs wanting to run in the background. Thank you.

    Attached are the logs you have requested.

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    What browser is affected?
     
  7. physics223

    physics223 Private E-2

    Mozilla Firefox. Should I try to just re-direct the browser to my preferred site through the options? Thank you!
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  9. physics223

    physics223 Private E-2

    That did the trick. Thank you, sir!
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome. Safe surfing. :)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware. You can uninstall RogueKiller and HitmanPro.
    2. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista or Win 7, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    7. After doing the above, you should work through the below link


    Malware removal from a National Chain = $149
    Malware removal from MajorGeeks = $0
     
