BleepingComputer.com: Bowser Redirect Malware/Virus (Rootkit?)

Chatt:

Try running this again - be careful, the instructions are different this time:

Please download Junction.zip and save it to your desktop.

• Unzip it and put junction.exe in the Windows directory (C:\Windows).
  
• Now go to Start > Run to open a run box > Copy and paste the following command in the open run box and click OK:
  
  

  cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

  
  
• A command window will open and the system will be scanned.
  
• Wait until a log file opens.
  
• Copy and paste or attach the content of it in your next reply

This post has been edited by RPMcMurphy: 21 August 2011 - 09:42 PM

I tried it, but it didn't seem to work. When I entered the run command, a window flashed up for a fraction of a second and then disappeared. I waited 5 minutes or so, but nothing happened.

Chatt:

Please download GrantPerms.zip and save it to your desktop.

• Unzip the file and depending on the system run GrantPerms.exe or GrantPerms64.exe
  
• Copy and paste the following in the edit box:
  
  

  C:\Users\Owner\Desktop\gmer.exe
  C:\Users\Owner\Desktop\aswmbr.exe
  C:\Users\Owner\Desktop\tdsskiller.exe

  
  
• Click Unlock. When it is done click "OK".
  
• Click List Permissions and post the result (Perms.txt) that pops up. A copy of Perms.txt will be saved in the same directory the tool is run.

Please include the following in your next post:

• grantperms log

GrantPerms by Farbar
Ran by Owner at 2011-08-22 22:35:54

===============================================
\\?\C:\Users\Owner\Desktop\gmer.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
S-1-5-32-547 READ ALLOW (NI)
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\C:\Users\Owner\Desktop\aswmbr.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
S-1-5-32-547 READ ALLOW (NI)
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\C:\Users\Owner\Desktop\tdsskiller.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
S-1-5-32-547 READ ALLOW (NI)
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)

Try removing those files from your desktop now.

It worked for everything except rkunhooker. Do I need to do the same grantperms operation for rkunhooker too?

Yes, just look up the full file path and enter it into GrantPerms like you did the others. You can hang on to GrantPerms and repeat that operation for any other app you find not working as well.

Uninstall ComboFix

• Press the Windows key + R on your keyboard or click Start -> Run. Copy and past the following text into the run box that opens and press OK:
  Combofix /Uninstall

Is there anything else we have not addressed?

I think that does it. Stubborn files are gone, and the machine is running well. Thank you so much for your help.

You're welcome, chatt. Take care.

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.