BleepingComputer.com: ComboFix Log/Possible Rootkit

Lately my bandwidth has been crud. Google says I have to type in a word every time I do a search because I have suspicious activity coming from my computer.

I have already ran MBAM and Super-Anti Spyware. (0 infections found)

Afterwards, I found that I had 25 or so mshta.exe processes, which was linked to a scheduled task which would trigger a start of mshta.exe every hour. I deleted the scheduled tasks. Mshta problem fixed, and my computer did speed up slightly.


I suspected a rootkit, and ran combofix.
Could someone please help me understand this log, to make sure I have fixed the issue?

EDIT: Update-- The day after running combofix(April 19th) I am still getting google's message requiring that I do a CAPTCHA to search. This may be from previously, however. Or maybe I got reinfected.

This post has been edited by Jemmeh: 19 April 2011 - 04:07 PM

It's been quite some time, so an update...:

I am still having issues with a lot of bandwidth being used. My internet connection is now even slower and much of the time pages won't load. Google is still giving me a message that suspicious activity is detected coming from my network so it makes me do the CAPTCHA before each search. (as if I have a bot auto searching, which I don't) because it says that the auto search thing is against their TOS.

My ISP is still claiming I'm getting a perfect signal, though. ):


Please help.

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

• Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.
  
  
  
• Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  
  
  
• Please reply to this post so I know you are there.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks

Hello m0le and thank you for answering, yes I am still here. I ran MBAM again as I do weekly, but still didn't find anything, that is the only thing I have ran.

The log is 12 days old so we need to see an updated log. Please uninstall the Combofix program (if you haven't already) and redownload from below:

Please download ComboFix from one of these locations:

• Bleepingcomputer
  
• ForoSpyware

Now please run the program as shown below.

• Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  
• Double click on Comfix.exe & follow the prompts.
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Here is the combofix log you requested.

It looks like it maybe deleted this "Price Gong" thing that I thought it had deleted last time, but I could be reading the log incorrectly.

The log shows that you have been using so called peer-to-peer or file-sharing programmes (in your case BitTorrent). These programmes allow to share files between users as the name(s) suggest. In today's world the cyber crime has come a long way and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of their malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."


Also

Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This changed from what we know in 2006 read this article:

http://www.clickz.com/clickz/news/1714488/viewpoint-plunge-into-adware

I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.


On to the fix

Price Gong is adware and sometimes doesn't like to leave.

Please rerun Combofix with the script below.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

Quote

Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the below graphic)




Refering to the picture above, drag CFScript into ComboFix.exe

If the program requests for you to update Combofix then click Yes.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

I used the Add/Remove programs to remove: BitTorrent, BitTorrent toolbar, Viewpoint Media Player.


I ran Combofix according to your instructions, here is that log:

Please download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

NB: If you are using Firefox and this has caused page loading problems then please clear your private data. To do this go
to the Tools menu, select Clear Private Data, and then check Cache. Click Clear Private Data Now.

This could also be Clear Recent History or similar

Then close Firefox and then reopen it.


Now please run MBAM

Please download Malwarebytes Anti-Malware and save it to your desktop.

• Make sure you are connected to the Internet.
  
• Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  
• When the installation begins, follow the prompts and do not make any changes to default settings.
  
• When installation has finished, make sure you leave both of these checked:
  • Update Malwarebytes' Anti-Malware
    
  • Launch Malwarebytes' Anti-Malware
  
  
• Then click Finish.
  
• MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  If MBAM won't update then download and update MBAM on a clean computer then save the rules.ref folder to a memory stick. This file is found here: 'C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware' then transfer it across to the infected computer.
  
• On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
    
  • Then click on the Scan button.
  
  
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  
• Click OK to close the message box and continue with the removal process.
  
• Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When removal is completed, a log report will open in Notepad.
  
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  
• Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

I ran both, MBAM found 0 infections.

Still having the same issues with pages not loading and having to type in the google CAPTCHA.

Someone recommended this:
http://www.bleepingcomputer.com/virus-removal/remove-tdss-tdl3-alureon-rootkit-using-tdsskiller

Which I will probably look over in the case that you do not recommend something else.


Thank you for the help so far. :D


Here is the MBAM Log:

This post has been edited by Jemmeh: 30 April 2011 - 11:33 PM

Jemmeh, I don't believe you have a TDSS infection but it is a fast-changing rootkit so let's run it

• Download TDSSKiller and save it to your Desktop.
  
  
  
• Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  
  
  
• Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.
  
  "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt
  
  
  
• Now click Start Scan.
  
  
• If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  
  
• Click Close
  
  
• Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\

Take a look at this topic with regard the Google CAPTCHA problem. It doesn't look to be malware here.

I ran the TDSSkiller and it didn't pull anything up. I guess that's why it didn't make a log either, so I don't have that to post. S:

I also read over the page on the Google CAPTCHAs. I see what you mean, so it may just be on google's side in this case.

Thank you, m0le.

Quote

No, it should have made a log. Can you run it again please.

Alright, I updated it and ran it again, here is that log.

Please scan the machine with ESET

I'd like us to scan your machine with ESET OnlineScan

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
  ESET OnlineScan
  
• Click the button.
  
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on to download the ESET Smart Installer. Save it to your desktop.
    
  • Double click on the icon on your desktop.
  
  
• Check
  
• Click the button.
  
• Accept any security warnings from your browser.
  
• Under scan settings, check and check Remove found threats
  
• Click Advanced settings and select the following:
  • Scan potentially unwanted applications
    
  • Scan for potentially unsafe applications
    
  • Enable Anti-Stealth technology
  
  
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  
• When the scan completes, push
  
• Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  
• Push the button.
  
• Push

If no log is generated that means nothing was found. Please let me know if this happens.