
Please help me remove these persistence rootkits


7 replies to this topic

#1 molosser

Posted 29 November 2015 - 05:25 AM

Hi,

 

I have a combination of free cocktails for my Windows 7 32 bit PC: Zonealarm active as firewall and antivirus, MBAM and CCE not active (only run when I need them). Recently my PC is getting slower and slower when shutting down; though this does not necessarily mean my computer is infected, I did a full scan nevertheless. Zonealarm came out clean, MBAM came out clean, but CCE reported rootkits. My safety standard is to run CCE repeatedly until I'm sure that the PC is cleaned thoroughly, but CCE continues to report these rootkits despite them being cleaned repeatedly. It works like this: CCE runs, reports and cleans the rootkits; I restart and run CCE once again and it reports clean. I run CCE again for the third time and it reports rootkits again. I've removed all FF add-ons and only installed uBlock Origin after I removed everything, but the problem persists. I downloaded GMER and ran it, but it reported clean. Yet after that, when I run CCE again, the problem comes back. I'm totally at a loss right now.

 

These rootkits are either:

 

Variations of below on some of the scans;

 

c:\users\user\appdata\local\mozilla\firefox\profiles\nlxtzh9u.default-1404251991490\cache2\entries\...40 characters...

 

(I retyped the above. The amount of these rootkits vary on almost every full scan. Sometimes only two, other times three, nine, twelve and even thirteen)

 

or

on some other scans;

 

C:\windows\system32\wdi\....\...\snapshot.etl

 

But these two types of rootkits are never detected on the same scan.

 

 

Please kindly help.

 

 

Edit: I also had downloaded RKill and it also reported clean.


Edited by molosser, 29 November 2015 - 05:32 AM.



#2 severac

Posted 29 November 2015 - 08:03 AM

Hello and welcome to BC,

 

CCE is Comodo Cleaning Essentials?

 

Can you post some log to see what was found?

------

 

Let's do some basic scanning and cleaning to see what is going on.

 

------

Kaspersky Virus Removal Tool

Please download Kaspersky Virus Removal Tool from here.

§  Right click on KVRT.exe and select Run as Administrator.

§  Read the EULA, then select Accept.

§  Wait for Kaspersky Virus Removal Tool to initialize.

§  In the main screen, select Change parameters, place a checkmark in System drive, then click OK.

§  Click Start scan.

§  Wait for Kaspersky Virus Removal Tool to complete scanning.

§  When the scan is finished, select Neutralize all for all detected objects.

§  Close Kaspersky Virus Removal Tool when done.

Inform me if something is detected.

------

 

Run MBAM again:

 

§  On the Dashboard, click the 'Update Now >>' link.

§  After the update completes, on Settings tab, set under Detection and Protection next options: 

1. 'Scan for rootkits'

2. Under Non-Malware Protection, for 'PUP detections', check the 'Treat detections as malware' option.

§  Return to Dashboard, click the Scan Now >> button.

§  A Threat Scan will begin.

§  When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.

§  In most cases, a restart will be required.

§  Wait for the prompt to restart the computer to appear, then click on Yes.

§  After the restart once you are back at your desktop, open MBAM once more.

§  Click on the History tab > Application Logs.

§  Double click on the Scan Log which shows the Date and time of the scan just performed.

§  Click 'Export'.

§  Click 'Copy to Clipboard'

§  Paste the contents of the clipboard into your reply.

-----------

 

Please download AdwCleaner by Xplode onto your desktop.

§  Close all open programs and internet browsers.

§  Double click on adwcleaner.exe to run the tool.

§  In EULA window click I agree.

§  In Options uncheck Reset Winsock settings.

§  Click on Scan button.

§  When the scan has finished click on Cleaning button.

§  Your computer will be rebooted automatically. A text file will open after the restart.

§  Please post the contents of that logfile with your next reply.

§  You can find the logfile at C:\AdwCleaner[C1].txt as well.

---------

 

Please download Junkware Removal Tool  to your desktop.

§  Shut down your protection software now to avoid potential conflicts.

§  Run the tool by double-clicking it. If you are using Windows Vista, 7, 8 or 10; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".

§  The tool will open and start scanning your system.

§  Please be patient as this can take a while to complete depending on your system's specifications.

§  On completion, a log (JRT.txt) is saved to your desktop and will automatically open.

§  Post the contents of JRT.txt into your next message.

----------


I would like to help you to remove malware. Let's look inside.   :busy:

But I don't know how to solve all PC problems.  :smash: 

 


#3 molosser
  • Topic Starter

Posted 30 November 2015 - 12:43 PM

Hi, I've done everything you asked yesterday but the problem persists.

 

Ran Kaspersky, caught some viruses, cleaned.

Ran MBAM threat scan (I usually run a full scan), caught some viruses, cleaned.

Ran Adw, caught some wares, cleaned.

Ran Junk, caught some wares, cleaned.

Ran CCE and bam! the rootkits showed up again.

I was so frustrated yesterday that I just left the PC hanging.

 

---

 

Today I followed your steps one by one once again and here's the result:

 

Kaspersky, clean.

MBAM, clean.

Adw, clean.

Junk, clean.

CCE, 16 rootkits!

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 11/30/2015
Scan Time: 9:40 PM
Logfile: 
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2015.11.30.02
Rootkit Database: v2015.11.26.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: User

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 319652
Time Elapsed: 17 min, 55 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)
# AdwCleaner v5.023 - Logfile created 30/11/2015 at 22:40:33
# Updated 30/11/2015 by Xplode
# Database : 2015-11-30.1 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x86)
# Username : User - USER-PC
# Running from : C:\Users\User\Desktop\adwcleaner_5.023.exe
# Option : Scan
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****


***** [ Files ] *****


***** [ DLL ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****


***** [ Web browsers ] *****


########## EOF - C:\AdwCleaner\AdwCleaner[S2].txt - [585 bytes] ##########

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.1 (11.24.2015)
Operating System: Windows 7 Home Premium x86 
Ran by User (Administrator) on 11/30/2015 Mon at 22:45:35.70
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 0 




Registry: 0 





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 11/30/2015 Mon at 22:47:11.69
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

====== System Information ======

Computer Name:	USER-PC

Log on User:	User

Memory Size:	2.99 GB.

Windows Directory:	C:\Windows

Windows Version:	7 (32bit)

CCE Version:	2.5.242177.201



Virus database version: 23685



[22:55:06] Scan started.

====== Cleanup results ======

C:\Users\User\AppData\Local\Mozilla\Firefox\Profiles\nlxtzh9u.default-1404251991490\cache2\entries\8F44CF58BC39B27258C78AAAC7B94B40170025DE	Rootkit.HiddenFile	HIDDENFILE	Clean	OK

C:\Users\User\AppData\Local\Mozilla\Firefox\Profiles\nlxtzh9u.default-1404251991490\cache2\entries\9F13FA9E48DAF9428813AF11A4B83D5E4F3DC846	Rootkit.HiddenFile	HIDDENFILE	Clean	OK

C:\Users\User\AppData\Local\Mozilla\Firefox\Profiles\nlxtzh9u.default-1404251991490\cache2\entries\ABCBE92A849407CD24BF3A44A98FBC6BFF863421	Rootkit.HiddenFile	HIDDENFILE	Clean	OK

C:\Users\User\AppData\Local\Mozilla\Firefox\Profiles\nlxtzh9u.default-1404251991490\cache2\entries\BD0B953783B846B3FE74EE9B7685713DC82BF3A6	Rootkit.HiddenFile	HIDDENFILE	Clean	OK

C:\Users\User\AppData\Local\Mozilla\Firefox\Profiles\nlxtzh9u.default-1404251991490\cache2\entries\BF2FD9E9627D62D7F5A3A738C90962997FC14D6B	Rootkit.HiddenFile	HIDDENFILE	Clean	OK

C:\Users\User\AppData\Local\Mozilla\Firefox\Profiles\nlxtzh9u.default-1404251991490\cache2\entries\C639F0CD3F648A3320712125535629552EF0440F	Rootkit.HiddenFile	HIDDENFILE	Clean	OK

C:\Users\User\AppData\Local\Mozilla\Firefox\Profiles\nlxtzh9u.default-1404251991490\cache2\entries\C8DE948D92143B92EA7A7AC82BD4233E7D7A6885	Rootkit.HiddenFile	HIDDENFILE	Clean	OK

C:\Users\User\AppData\Local\Mozilla\Firefox\Profiles\nlxtzh9u.default-1404251991490\cache2\entries\CE6F07BF64B84B7E49754737C4C46A066F7FF9A9	Rootkit.HiddenFile	HIDDENFILE	Clean	OK

C:\Users\User\AppData\Local\Mozilla\Firefox\Profiles\nlxtzh9u.default-1404251991490\cache2\entries\D10E81B67BB0F952E60F6BF98C662FBB0E0A9E9F	Rootkit.HiddenFile	HIDDENFILE	Clean	OK

C:\Users\User\AppData\Local\Mozilla\Firefox\Profiles\nlxtzh9u.default-1404251991490\cache2\entries\D5FB571EF85D2735FA9EFAF570C497480894D9D6	Rootkit.HiddenFile	HIDDENFILE	Clean	OK

C:\Users\User\AppData\Local\Mozilla\Firefox\Profiles\nlxtzh9u.default-1404251991490\cache2\entries\D6281ED4D38A9CD09905BE5021B4EFD2598431C8	Rootkit.HiddenFile	HIDDENFILE	Clean	OK

C:\Users\User\AppData\Local\Mozilla\Firefox\Profiles\nlxtzh9u.default-1404251991490\cache2\entries\D6C788D323F0F7EDA97F33752A441A60A4299EA8	Rootkit.HiddenFile	HIDDENFILE	Clean	OK

C:\Users\User\AppData\Local\Mozilla\Firefox\Profiles\nlxtzh9u.default-1404251991490\cache2\entries\DF23938D4342A6AC15D23D04FD75F232C006FCF1	Rootkit.HiddenFile	HIDDENFILE	Clean	OK

C:\Users\User\AppData\Local\Mozilla\Firefox\Profiles\nlxtzh9u.default-1404251991490\cache2\entries\E66D1E377D824CA862E51E6E329981EEA17CC6E6	Rootkit.HiddenFile	HIDDENFILE	Clean	OK

C:\Users\User\AppData\Local\Mozilla\Firefox\Profiles\nlxtzh9u.default-1404251991490\cache2\entries\ECE70EAF311165FA095B99E761F601ACE9C15D1B	Rootkit.HiddenFile	HIDDENFILE	Clean	OK

C:\Users\User\AppData\Local\Mozilla\Firefox\Profiles\nlxtzh9u.default-1404251991490\cache2\entries\FDA6FC88BAC3DF19FC327745E4836BCECBFA8E56	Rootkit.HiddenFile	HIDDENFILE	Clean	OK



Edited by molosser, 30 November 2015 - 12:47 PM.
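As an added triage helper, not something from the thread or from Comodo: a small Python parser for the tab-separated "Cleanup results" rows CCE printed above. It groups detections by parent directory and counts how many sit inside a Firefox cache2 directory, so it is obvious at a glance when every Rootkit.HiddenFile hit is a browser cache entry rather than something under the system directory. The sample rows reuse three of the paths above; the marker strings and function names are my own.

```python
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample in the tab-separated layout CCE printed in the thread:
# <path>\t<detection>\t<type>\t<action>\t<result>, one detection per line.
PROFILE = "C:\\Users\\User\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\nlxtzh9u.default-1404251991490"
SAMPLE_LOG = (
    "====== Cleanup results ======\n\n"
    + PROFILE + "\\cache2\\entries\\8F44CF58BC39B27258C78AAAC7B94B40170025DE"
    "\tRootkit.HiddenFile\tHIDDENFILE\tClean\tOK\n"
    + PROFILE + "\\cache2\\entries\\9F13FA9E48DAF9428813AF11A4B83D5E4F3DC846"
    "\tRootkit.HiddenFile\tHIDDENFILE\tClean\tOK\n"
    + PROFILE + "\\cache2\\entries\\ABCBE92A849407CD24BF3A44A98FBC6BFF863421"
    "\tRootkit.HiddenFile\tHIDDENFILE\tClean\tOK\n"
)

# Assumed markers for a Firefox disk cache: entries there are created and deleted
# constantly, so a "hidden file" verdict confined to them deserves a cache clear and rescan first.
BROWSER_CACHE_MARKERS = ("/mozilla/firefox/profiles/", "/cache2/entries/")

def parse_cce_results(text):
    """Return one dict per well-formed five-column row after the results header."""
    records, in_results = [], False
    for line in text.splitlines():
        if line.startswith("====== Cleanup results"):
            in_results = True
            continue
        if not in_results:
            continue
        fields = line.split("\t")
        if len(fields) != 5:
            continue  # blank or malformed row: skip rather than guess
        path, detection, kind, action, result = fields
        records.append({"path": path, "detection": detection, "type": kind,
                        "action": action, "result": result})
    return records

def is_browser_cache_path(path):
    norm = path.lower().replace("\\", "/")  # normalise case and separators
    return all(marker in norm for marker in BROWSER_CACHE_MARKERS)

def summarize(records):
    """Group detections by (parent directory, verdict) and count browser-cache hits."""
    by_dir = Counter((str(PureWindowsPath(r["path"]).parent), r["detection"])
                     for r in records)
    cache_hits = sum(1 for r in records if is_browser_cache_path(r["path"]))
    return {"total": len(records), "by_dir": by_dir, "in_browser_cache": cache_hits}
```

Feed it the saved CCE log text; when `in_browser_cache` equals `total` and `by_dir` has a single key, every detection came from one cache folder.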


#4 severac

Posted 30 November 2015 - 01:18 PM

Hi, 

 

You should clear the Firefox cache:

 

https://support.mozilla.org/en-US/kb/how-clear-firefox-cache

 

If that doesn't help:

 

Reset your Firefox browser settings to default:

§  How to Reset Your Web Browser to its default settings in Google Chrome, Firefox, Internet Explorer

--------

 

Let me know about the status of your problem when you do this. 



 


#5 molosser
  • Topic Starter

Posted 01 December 2015 - 09:53 PM

Hi,

 

Problem seems to be solved after I reset FF to default.

 

KVRT, clean.

MBAM, clean.

ADWC, clean.

JRT, clean.

 

CCE, at least five consecutive times, all clean.

 

Moral of the story: never use free add-ons that are not open source.

 

 

Thanks very much for the help and best regards.


Edited by molosser, 01 December 2015 - 09:54 PM.


#6 severac

Posted 02 December 2015 - 01:44 AM

Great.

--------

 

This step will remove all cleaning tools we used, it'll reset restore points (so you won't get reinfected by accidentally using some older restore point) and it'll make some other minor adjustments...
This is a very crucial step so make sure you don't skip it.
Download  DelFix by Xplode to your desktop. Delfix will delete all the used tools and logfiles.

Double-click Delfix.exe to start the tool.
Make sure the following items are checked:

§  Activate UAC (optional; some users prefer to keep it off)

§  Remove disinfection tools

§  Create registry backup

§  Purge System Restore

Now click "Run" and wait patiently.
Once finished, a logfile will be created. You don't have to attach it to your next reply.



 


#7 molosser
  • Topic Starter

Posted 02 December 2015 - 11:26 PM

At the end of the operation, when a log file was created, DelFix triggered Zonealarm malware alert.

But rescanning using Zonealarm shows nothing, i.e. clean.

I suppose that was a false positive.

 

Anyway, thanks again for the help.

 

Regards.


Edited by molosser, 02 December 2015 - 11:27 PM.


#8 severac

Posted 03 December 2015 - 12:58 AM

DelFix was removing tools and quarantine folders. Maybe that triggered detection.



 




