Solved Possible rootkit infection?

Also I just ran a scan with Process Explorer ... http://www.sevenforums.com/tutorial...er-virustotal-check-all-processes-50-avs.html and it found only one ... SuperAntiSpyware ... 1/57 ... https://www.virustotal.com/en/file/...f3b2377cd889c9d473a47a7056be597bc6b/analysis/

Also tried UVK Adware Killer, and it detected the following:

Also I just ran GMER again and strange thing is .. last time it found something (referring to my first post screenshot) but now it doesn't detect anything.

Oh, and I just created a UVK scan log using Callender's suggestion on page 1.
 

Attachments: 1.jpg, 2.jpg, 3.jpg, 4.jpg, 5.jpg, UVK - Ultra Virus Killer Log.txt

My Computer

OS
Windows 7 Home Premium, Version 6.1 (Build 7601: Service Pack 1)
On another note, Avast is detecting a couple of new files:

C:\Users\Public\Favouries\Favourites.bat [Infection= Win32:RmnDrp]
C:\Users\Public\Libraries\Libraries.pif [Infection= Win32:RmnDrp]
C:\Users\Public\Pictures\Pictures.exe [Infection= Win32:RmnDrp]
C:\Users\Public\Pictures\NVIDIA Corporation\Corporation.bat [Infection= Win32:RmnDrp]
C:\Users\Public\Pictures\NVIDIA Corporation\3D Vision Experience\Vision Experience.exe [Infection= Win32:RmnDrp]
C:\Users\Public\Pictures\NVIDIA Corporation\3D Vision Experience\3D Vision Preview Pack 1\3D Vision Preview Pack 1.bat [Infection= Win32:RmnDrp]
C:\Users\Public\Pictures\Recorded TV\Recorded TV.exe [Infection= Win32:RmnDrp]
C:\Users\Public\Pictures\Recorded TV\Temp Rec\Temp Rec.exe [Infection= Win32:RmnDrp]
C:\Users\Public\Pictures\Recorded TV\Temp Rec\TemSBE.bat [Infection= Win32:RmnDrp]
C:\Users\Public\Pictures\Recorded TV\Temp Rec\Sample Media\Media.bat [Infection= Win32:RmnDrp]


And previous detections:

C:\user\public\documents\DELL.exe [Infection= Win32:KillAV-AJZ[TRJ]
C:\user\public\documents\documents.exe [Infection= Win32:RmnDrp]
C:\user\public\documents\downloads\downloads.exe [Infection= Win32:KillAV-AJZ[TRJ]
C:\users\public\public.exe [Infection= Win32:KillAV-AJZ[TRJ]
C:\users\public\documents\dell\musicstage\MusicStage.scr [Infection= Win32:RmnDrp]
C:\users\public\Music\Music.scr [Infection= Win32:GenMalicious-BJV[Trj]
 
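The Avast detections above share one shape: in each Public subfolder there is an executable (.exe, .bat, .pif, .scr) named after the folder it sits in, so with known extensions hidden it looks like a nested copy of that folder. The following is an added Python example, not from the thread or from Avast, UVK or UAK, that encodes that rule as a check and runs it over a constructed file listing. The extension set, the suffix rule and the sample paths are assumptions made for the demonstration; an entry that breaks the pattern, such as TemSBE.bat in the list above, would not be caught by it.

```python
"""Flag executables named after the folder that contains them.

Added example for the detection list in the thread; not taken from the
original post or from Avast/UVK/UAK. The rule, the extension set and the
sample listing below are assumptions made for the demonstration.
"""
from pathlib import Path, PureWindowsPath

# Extensions Windows runs on double-click; .pif and .scr are the ones a
# user rarely recognises as executable.
EXEC_EXTS = {".exe", ".bat", ".cmd", ".com", ".pif", ".scr", ".vbs", ".js"}


def mimics_parent(path: str) -> bool:
    """True when an executable's name copies its parent folder's name,
    either exactly (Pictures\\Pictures.exe) or as a whole-word suffix
    (NVIDIA Corporation\\Corporation.bat)."""
    p = PureWindowsPath(path)
    if p.suffix.lower() not in EXEC_EXTS:
        return False
    stem, parent = p.stem.lower(), p.parent.name.lower()
    if not stem or not parent:
        return False  # file in a drive root: there is no folder name to mimic
    return stem == parent or parent.endswith(" " + stem)


def scan_listing(paths):
    """Return the entries of a path listing that match the pattern."""
    return [path for path in paths if mimics_parent(path)]


def scan_tree(root: str):
    """Walk a real folder (e.g. C:\\Users\\Public) and apply the same rule."""
    return [str(p) for p in Path(root).rglob("*")
            if p.is_file() and mimics_parent(str(p))]


# Constructed listing modelled on the thread's detections (not real samples).
SAMPLE_LISTING = [
    r"C:\Users\Public\Pictures\Pictures.exe",
    r"C:\Users\Public\Pictures\holiday.jpg",
    r"C:\Users\Public\Libraries\Libraries.pif",
    r"C:\Users\Public\Music\Music.scr",
    r"C:\Users\Public\Documents\DELL.exe",
    r"C:\Users\Public\Pictures\NVIDIA Corporation\Corporation.bat",
]

if __name__ == "__main__":
    for hit in scan_listing(SAMPLE_LISTING):
        print("suspicious:", hit)
```

Run against a directory listing or, with scan_tree, against a live folder; the point of the rule is that it keys on the naming trick rather than on a signature, so it keeps working after the dropped files have been renamed or repacked.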
I would stay away from downloading anything from this client if possible. You've mentioned it before: when you get something from there, the infection apparently shows up.

It's possible something was included in the download that you were unaware of. Another possibility is that you are going to sites that have drive-by malware. This would be a hidden macro command embedded in the page, set to automatically download the malware in the background, & you would be unaware of it happening. Right now you need to find out the source of the recurring infection.

Follow the steps you did before to remove it. Run RKill, & then Malwarebytes, AdwCleaner & TDSSKiller.

You may want to consider Sandboxie if you have to deal with this client on a regular basis & if indeed the infection is coming from there.

Callender is more familiar with the software he suggested, so it would be better to let him answer anything concerning that.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Dell Hell oh Well
OS
Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10
CPU
Intel Core 2 Duo 2.93GHz
Memory
Not much with my ADHD
Graphics Card(s)
ATI Radeon HD 4350
Monitor(s) Displays
24" HDTV/Monitor
Screen Resolution
Blurry after a Scotch or 2
Hard Drives
1 HDD 250 GB, 1 HDD 1 TB, 3 - 1 TB Externals
Case
Don't get on my case...man :D
Cooling
I have an Air Conditioner & Diet Pepsi
Keyboard
Saitek Cyborg
Mouse
10 yr old MS optical mouse that still works
Internet Speed
Never fast enough
Antivirus
Various
Browser
Various
I totally agree with you, but I think (I mean I think, not sure that is) it's probably not the sites that I visit, based on the fact that I visit the usual sites, and this pretty much never happened before (rootkit or whatever it is). Also, the first time this happened was the same day I downloaded a zip pack from this client, and the same thing happened again when I downloaded another zip from this client. The only difference is that the first time I actually extracted the zip and this time I didn't.

However, I'll monitor the sites and see if this happens again.

What I'm wondering is: if the client's zip pack is in fact the rootkit carrier, then it causing issues after extraction is pretty much normal, but how would it infect my system again when I only downloaded but didn't extract the zip pack? Can it auto-activate from within the zip? (Just wondering.)
 
You might be downloading more than just the zip file (stealth download). It could be coming along silently & you wouldn't know it.

Supposedly you can't get anything from a zip file unless you extract it (I say supposedly due to the fact that there are people out there looking for new ways to infect PCs constantly, so it wouldn't surprise me). Also, someone could possibly make it look like a zip file & it could in fact be a self-executing program file.

Most AVs nowadays can scan a zip file before you extract it & let you know if there is anything malicious contained within.

Another alternative is that you never got rid of it all the way in the first place, but since this happened in the same way as the first time, I would tend to think there's a connection there.
 
Java Exploit?

Looks like a Java exploit to me (drive by download maybe?).

As for UAK results:

(attached screenshot: UAK scan results)


You can ignore HotspotShield and Wininit.ini, but delete the rest.

Post UVK scan log once more.

Also, if the zip file you downloaded is publicly available, post a link to the page where you downloaded it from, or PM me the link if you don't wish to post it.

And if you like you can upload the zip file here:

https://hightailspaces.com/

Then PM me with the download link.
 

My Computer

Computer type
Laptop
Computer Manufacturer/Model Number
ASUS
OS
Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
CPU
AMD C-60 APU with Radeon(tm) HD Graphics
Motherboard
ASUSTeK COMPUTER INC. X501U
Memory
4.00 GB
Graphics Card(s)
AMD Radeon HD 6290 Graphics
Sound Card
(1) AMD High Definition Audio Device (2) Realtek High Defi
Screen Resolution
1366 x 768 x 32 bits (4294967296 colors) @ 60 Hz
Hard Drives
Hitachi HTS545050A7E380 SATA Disk Device
Antivirus
Comodo CIS & FW, SecureAplus App Whitelisting, Threatfire
Browser
Cyberfox 64bit, Opera 64bit, Airfox
Other Info
Spy-The-Spy, HitmanPro.Alert, Norton Connect Safe, MJRegWatcher, BitDefender TrafficLight, Voodoo Shield, Zemana AntiMalware
Also try running those scripts (fix lists) again as it seems that the same entries have re-appeared.
 
Re: Additional protection against executables that attempt to run (especially from Temp directories): there's little point in installing anything like that unless your system is clean. Those solutions work by whitelisting everything that's already on your machine and then checking anything else that gets added in future, so they'd whitelist any problem files.
 
the zip pack urls: [REMOVED URL LINKS]

About the UVK adware remover, should I remove the registry/Chrome/Firefox etc. detections too, or file objects only?
 
My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Self Built
OS
Win 10 Pro x64
CPU
Intel I5-2500K @3.3GHz
Motherboard
Asrock P67 Extreme4
Memory
16GB G.Skill Ripjaws X (4x4GB)
Graphics Card(s)
EVGA GeForce 750 Ti SC 2GB
Sound Card
ASUS Xonar DG 5.1 Channels 24-bit 96KHz PCI Interface Sound
Monitor(s) Displays
auria eq2367
Screen Resolution
1920 x 1080
Hard Drives
250GB Samsung 850 EVO SSD
1TB WD Blue
1TB Hitachi
PSU
SeaSonic X 650W 80 Plus Gold
Case
Corsair Obsidian 750D
Cooling
Corsair H60, Three 140mm case fans
Keyboard
Logitech Wireless Keyboard K520
Mouse
Logitech Wireless Mouse M310
Internet Speed
Wave Broadband ~ 100 dn 5 up
Antivirus
Windows Defender, Malwarebytes Premium
Browser
Edge, IE11, Chrome
Other Info
Laptop specs: HP g7-1365dx /
CPU: AMD A6-3420M APU with Radeon(tm) HD Graphics /
RAM: Crucial 8Gb (2x4Gb) /
SSD: Crucial M4-CT128M4SSD2 ATA Device/ FW 000F /
GFX: AMD Radeon HD 6520G /
OS: Windows 10 Pro x64
@derekimo Sorry, I wasn't aware of the method. I had those on a server so I just uploaded the direct URL (as zipped by the client who created them), and yes, those are somewhat junk etc., but that zip pack is sent by my client, which I think is possibly a rootkit host/carrier, because two times I downloaded a zip from the same client and, well, two times my AVs have gone berserk crazy. They keep detecting this/that every 2 min, and on a full system scan Avast/Malwarebytes/RKill/TDSSKiller/SuperAntiSpyware etc. find nothing, but sadly the detections continue, and regretfully I still have to continue working with this client. :(

Also something interesting: I deleted the zip pack a few hours after reopening this thread and I have been monitoring since then. So far I haven't noticed any Avast detections (although I wasn't sitting behind the PC all this time, but still, no detections in the 4/5 hours that I was on), and I'm still monitoring.
However, I'm not an expert, but based on these facts I'm quite convinced it's the zip that's the culprit. Also I totally agree with what Borg 386 said:

"I say supposedly due to the fact that there are people out there looking for new ways to infect PC's constantly, so it wouldn't surprise me). Also, someone could possibly make it look like a zip file & it could in fact be a self executing program file. "

@Callender I ran both scripts again and they removed some files/registry entries etc. After reboot I scanned; log attached.
 
No problem, the URLs just had a spammy name and it's preferred to upload using the method I posted.

What was the reason for attaching those zip files?
 
OK, I was just wondering if it was requested or not, I'll leave you in their hands now. :)
 
I don't know which browser you are using, but if you are running Firefox, you can get an add-on called NoScript which effectively blocks most drive-by downloads from websites. Also, right-click on the zip file & bring up the properties & see if it's named something like file.zip.exe. Or perhaps just going to the client's website is what triggers the download of malware via a hidden macro command as stated above (drive-by malware).
 
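Two points raised in this thread can be checked mechanically rather than by eye: the earlier one that a zip should not do anything until it is extracted but that a file can be dressed up to look like a zip, and the properties check just above for a name like file.zip.exe. The following is an added Python example, not from the thread or from any tool named in it. It identifies the download by its leading bytes instead of trusting its name, flags double extensions, and lists the archive members Windows would run on double-click, all without extracting anything to disk. The sample archives are built in memory for the demonstration; the extension set and the checks are assumptions of this example.

```python
"""Inspect a downloaded 'zip' without extracting it.

Added example; not from the original posts or from Avast/UVK/UAK. The
extension set, the checks and the in-memory sample archives are
assumptions made for the demonstration.
"""
import io
import zipfile
from pathlib import PureWindowsPath

# Leading bytes of a zip (normal, empty, and spanned variants) and of a
# Windows PE executable. These are the real format signatures.
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")
PE_MAGIC = b"MZ"
# Extensions Windows runs on double-click; the name check below keys on these.
EXEC_EXTS = {".exe", ".bat", ".cmd", ".com", ".pif", ".scr", ".vbs", ".js", ".jar", ".lnk"}


def container_type(data: bytes) -> str:
    """Classify the file by its leading bytes; the file name is untrusted."""
    if data[:4] in ZIP_MAGICS:
        return "zip"
    if data[:2] == PE_MAGIC:
        return "pe"  # a Windows executable, whatever the extension claims
    return "unknown"


def has_double_extension(filename: str) -> bool:
    """'report.zip.exe' style names: a real extension hidden behind a decoy one."""
    suffixes = [s.lower() for s in PureWindowsPath(filename).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] in EXEC_EXTS


def executable_members(data: bytes) -> list:
    """Archive members Windows would run on double-click, read from the
    central directory only; nothing is extracted."""
    if container_type(data) != "zip":
        return []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [info.filename for info in zf.infolist()
                if not info.is_dir()
                and PureWindowsPath(info.filename).suffix.lower() in EXEC_EXTS]


def inspect_download(filename: str, data: bytes) -> dict:
    """Combine the three checks into one verdict for a downloaded file."""
    kind = container_type(data)
    findings = []
    if has_double_extension(filename):
        findings.append("double extension")
    if kind == "pe":
        findings.append("content is a Windows executable (MZ header)")
    elif filename.lower().endswith(".zip") and kind != "zip":
        findings.append("claims .zip but content is " + kind)
    members = executable_members(data)
    if members:
        findings.append("executable members: " + ", ".join(members))
    return {"type": kind, "findings": findings, "suspicious": bool(findings)}


def build_zip(members: dict) -> bytes:
    """Construct an in-memory zip for the demonstration (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: a clean archive, one carrying an .exe, and a PE stub
# named to look like an archive.
CLEAN_ZIP = build_zip({"brief.txt": b"client notes", "logo.png": b"\x89PNG"})
DROPPER_ZIP = build_zip({"brief.txt": b"client notes", "assets/Pictures.exe": b"MZ stub"})
FAKE_ZIP = b"MZ\x90\x00" + b"\x00" * 60

if __name__ == "__main__":
    for name, data in [("brief.zip", CLEAN_ZIP), ("brief.zip", DROPPER_ZIP),
                       ("brief.zip.exe", FAKE_ZIP)]:
        print(name, inspect_download(name, data))
```

For a real download, read the file with open(path, "rb") and pass its bytes to inspect_download together with the name shown in Explorer. A "pe" verdict on something that arrived as a zip, or any executable member, is reason to leave the file unopened and ask the sender what they actually packed.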
UAK Results

the zip pack urls: [REMOVED URL LINKS]

About the UVK adware remover, should I remove the registry/Chrome/Firefox etc. detections too, or file objects only?

Well actually don't use Ultra Adware Killer to remove anything just yet. I was tired when I posted and have noticed that it also wants to remove Hotspot Shield drivers. Don't panic if you already used it to remove the files. It just means that you'd need to fully remove Hotspot Shield then reinstall it.

I will be busy until I've finished work but will look at this thread again later.

In the meantime will you just post the UAK logs as it's easier to digest than looking at screenshots?

You will find them here:

C:\ProgramData\UVK\Ultra Adware Killer

File name will be something like uakscan(number).txt

As for the removed URLs, you could just PM them so that I could see if there's any problem.
 
Zip files are okay. No problem and nothing attempts to run. Maybe a problem with the download URL's?
 
@Callender

Could be, but I'm no expert. As I have mentioned, so far I'm just deducing that based on simple facts, with no actual proof that the files are causing the issue; in other words, the file download and the PC infection took place at about the same time, so I was pointing my fingers at the zip. You guys are the experts, you know better. Well, here are the scan logs that you requested.
 
Key: @SYSTEM\Software\AskPartnerNetwork
Pretty sure that's the Ask toolbar.

Ask Toolbar Removal, How To Uninstall - gHacks Tech News

Folder: C:\Program Files (x86)\Mozilla Firefox\browser\Extensions\[email protected]

Item state: Checked
AnchorFree malware changes internet browser settings including the homepage (start up page) and default search engine, as well as modifies registry entries in order to cause popular internet browsers such as Google Chrome, Mozilla Firefox, and Microsoft Internet Explorer to redirect to search.anchorfree.net, search.anchorfree.com, anchorfree.us, ask.com, search.conduit.com, and other websites especially associated with their browser hijacker identified as Hotspot Shield Toolbar. AnchorFree also causes internet browsers to target unwanted search engines upon start-up.
How to remove AnchorFree malware - Search Anchorfree redirect virus removal | Malware Removal - Software & Tutorials

I think it would be a good idea to run RKill to attempt to stop the processes & then run the tools Callender & I suggested.
Okay, so your UAK scan results seem to show that you installed uTorrent but also installed the Conduit Toolbar along with it.

Here's the stuff that's safe to remove:

View attachment uakScan.txt

Re: Hotspot Shield. I know it's popular but unless you really need it I'd suggest removing it. Possibly take a look at Spotflux if you need a VPN.
 