Possible rootkit infection?


  1. Posts : 146
    Windows 7 Home Premium, Version 6.1 (Build 7601: Service Pack 1)
       #1

    Possible rootkit infection?


    Hi

    My system was detecting some strange virus etc. yesterday for a brief period of time ... but fortunately avast free version (latest update) .. detected and quarantined all of them. Most of their paths were like:

    C:\user\public\documents\DELL.exe
    C:\user\public\documents\documents.exe
    C:\user\public\documents\downloads\downloads.exe


    Then I scanned with avast+Malwarebytes+supertin ... and all results nothing found.
    After googling a bit .. I found this article that suggested it could be a possible rootkit infection, so I downloaded .. GMER and with its quick scan it found the following (screenshot attached)

    Although it stopped after a while ... I mean the avast detection but GMER still detects something (I'm quite clueless here though) .. however I would like to know if the thing virus or rootkit is still there within my system .. because from what I recall .. I just scanned with the above mentioned security tools and they found nothing and GMER found something .. that I can't delete (delete button deactive) but perhaps it's because the file it detects is part of the OS .. I'm wondering if I didn't delete the file then .. how did it stop and just to be on the safe side .. is there any way to know if it's still within my system.

    Finally if anyone knows any security tools that can prevent rootkits or whatever (I'm pretty much guessing here) from entering the system .. would save me from lots of trouble.

    Thanks in advance!
    Attached thumbnail: Possible rootkit infection?-possible-rootkit.jpg


  2. Posts : 7,781
    Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10
       #2

    There are several rootkit scanners you can use. TDSSKiller is the one normally recommended. The link below will give you 4 additional scanners you can use with results that are easier to decode.

    Five free portable rootkit removers - TechRepublic

    GMER is another top pick that can easily outperform all other tools in its class. The one caveat to this software is that it does require a bit of knowledge to interpret the results. This tool isn't one you simply click and disinfect. You let the tool scan, you pore through the results, and you decide what should be repaired/removed.


  3. Posts : 146
    Windows 7 Home Premium, Version 6.1 (Build 7601: Service Pack 1)
    Thread Starter
       #3

    Thank you but the avast is detecting threats again .. the detections are about the same as yesterday ... would scanning with TDSSKiller help with finding and possibly removing the actual virus/rootkit that's trying to infect other files?

    new detection:

    C:\users\public\public.exe
    C:\users\public\documents\dell\musicstage\MusicStage.scr

    any idea on how to resolve this issue?


  4. Posts : 7,781
    Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10
       #4

    Yes, d/l & run TDSSKiller.

    Note: When running TDSSKiller, launch the program, click on the blue text "Change Parameters" & check the box marked "Detect TDLFS File system." Click OK & then run the scan.

    I see someone is having a similar problem here:

    C:\Users\Public Folders keeps getting .exe files - Am I infected? What do I do?


  5. Posts : 4,776
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
       #5

    Suggestion


    Well if you like you could run a scan with UVK. It will create a log and it might be possible to figure out what's going on.

    UVK - Ultra Virus Killer

    If you download and install UVK - once installed right click the desktop icon and choose "Run as admin"

    On the welcome screen choose "Scan & Create Log" and use the following settings.

    Possible rootkit infection?-uvk.jpg

    Choose to save the log to your desktop and then upload it here. It will take a few minutes to scan.


  6. Posts : 146
    Windows 7 Home Premium, Version 6.1 (Build 7601: Service Pack 1)
    Thread Starter
       #6

    I just ran a scan with TDSSKiller and in normal search it found nothing .. so I changed its parameters to "Loaded Modules" and after restart it found a couple of items in the next scan with all options selected.

    I've attached a screenshot with suspicious detections (as I couldn't identify them) tabs enlarged ... any ideas?

    Also attached the UVK scan log
    Attached thumbnail: Possible rootkit infection?-tdskiller.jpg


  7. Posts : 4,776
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
       #7

    Re: TDSS Killer. I wouldn't worry about those results. It shows files that are hidden from Windows but that doesn't mean that they're dodgy. Will look at your uploaded log.


  8. Posts : 4,776
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
       #8

    Suggested fix


    Okay so try this:

    Download and save this file to your desktop:

    UVK Fix List.txt

    Once you've downloaded it - right click the file and rename it to UVK Fix List.uvk

    In other words replace .txt with .uvk in the file name.

    Run UVK (run as admin) and on the Welcome Screen choose "Run Scripts"

    Then choose "Import Commands From File"

    Browse to the UVK Fix List.uvk file on your desktop and import it.

    Choose "Run / Fix Listed"

    When complete - reboot.

    Edit: See my post below for another folder that needs removal.
    Last edited by Callender; 01 Mar 2015 at 18:52. Reason: add info


  9. Posts : 4,776
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
       #9

    More action required:

    Looked at your log in more detail and see the following suspicious entry:

    ContentsCommonAppData> | 34BE82C4-E596-4e99-A191-52C6199EBF69

    Would you also run the following fix like you did before?

    UVK - Fix List 2.txt


  10. Posts : 146
    Windows 7 Home Premium, Version 6.1 (Build 7601: Service Pack 1)
    Thread Starter
       #10

    Ran both scripts ... and the UVK removed some files etc ..

    What's the next step? I mean is there any way to figure out if the issue (virus/rootkit) is actually gone?
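
Added example, not part of any post in this thread and not code from any tool named in it: the detections quoted in posts #1 and #3 are all `.exe`/`.scr` files whose name matches the folder they sit in or a subfolder next to them, so one repeatable check is to walk the Public profile and list any such files with their SHA-256. The function names and the sample tree of empty files are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

SUSPECT_EXTS = {".exe", ".scr"}  # extensions seen in the detections quoted in this thread

def sha256_of(path):
    """Return the file's SHA-256, or None if it cannot be read (locked or removed)."""
    try:
        return hashlib.sha256(Path(path).read_bytes()).hexdigest()
    except OSError:
        return None

def find_folder_named_executables(root):
    """Return sorted (relative_path, reason, sha256) for .exe/.scr files named after a folder."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        subdirs = {d.lower() for d in dirnames}
        for name in filenames:
            stem, ext = os.path.splitext(name.lower())
            if ext not in SUSPECT_EXTS:
                continue
            if stem == here.name.lower():
                reason = "named after parent folder"
            elif stem in subdirs:
                reason = "named after sibling subfolder"
            else:
                continue
            rel = (here / name).relative_to(root).as_posix()
            findings.append((rel, reason, sha256_of(here / name)))
    return sorted(findings, key=lambda f: f[0])

def build_sample_tree(base):
    """Constructed sample: empty files laid out like the paths quoted in the thread."""
    root = Path(base) / "Public"
    for rel in ("public.exe", "Documents/documents.exe", "Documents/DELL.exe",
                "Documents/Downloads/downloads.exe",
                "Documents/Dell/MusicStage/MusicStage.scr",
                "Documents/Dell/MusicStage/setup.exe", "Documents/notes.txt"):
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).touch()
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, reason, digest in find_folder_named_executables(build_sample_tree(tmp)):
            print(f"{rel}\t{reason}\t{digest}")
```

On a real machine, pass `r"C:\Users\Public"` as the root and rerun after each cleanup and reboot; a file that reappears means something is still recreating it. A match is a lead to check against the antivirus quarantine log, not proof of infection, since legitimate software can also ship an executable named after its folder.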