Avast Found Rootkit Scanner Again and Got Nothing

  1. Intermediate computer user and know how to follow instructions.
    This is my mother in law's computer, so not sure when anything started. She just said it was slow. The Internet Explorer icon was changed so clicking it created a shortcut on the desktop instead of opening it. Clicking MS Word would open Excel.
    I had AVAST on it a couple months back, but when I got it again, it was gone, deleted somehow. When I reloaded and did a boot scan, AVAST found and removed a win32 rootkit.gen rootkit. Now however, AVAST will not do a boot scan even though it is scheduled to do one.
    I did the READ ME First and followed the steps.
    Malwarebytes found several files. So did SAS (sidestep). The Root Repeal crashed when I tried to save a txt file. The report of the crash to Microsoft contained the following:
    C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\WERd5f5.dir00\TZNPW.exe.mdmp
    C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\WERd5f5.dir00\appcompat.txt
    When I tried to run again, I got a pagefile error and a not enough memory error, grinding the system to a halt. mgeeks eventually ran and logs attached.
    Think I may have win32/TrojanDownloader.AGent.HFIHOOI Trojan

    Attached Files:

  2. mbam log attached

    Attached Files:

  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    If you did not deliberately set this proxy yourself then please include it in the HJT fix below:

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix exit HJT.

    Now we need to use ComboFix

    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:

      KILLALL::

      DirLook::
      c:\windows\system32\drivers

      Folder::
      c:\documents and settings\All Users\Application Data\Symantec
      c:\program files\Common Files\Symantec Shared
      c:\documents and settings\Michael Alpert\Application Data\Symantec

      Registry::
      [-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
      [-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
      [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]
      [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{65D886A2-7CA7-479B-BB95-14D1EFB7946A}]
      [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
      [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
      [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D70E6A20-7060-4829-B3D7-B6624A1DE7C6}]

    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Also delete all files in the below bold folder except ones from the current date (Windows will not let you delete the files from the current day).

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    What is this? C:\Player.exe
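A review aid for the CFScript format used in the ComboFix step above: it parses a CFScript.txt into its sections and lists the folders, registry keys and Browser Helper Object CLSIDs the script would remove, so the script can be checked before it is dragged onto ComboFix. This is an added example, not part of the thread or of ComboFix; the directive semantics it assumes (a line ending in `::` opens a section; under Registry::, `[-KEY]` deletes a key and `[KEY]` selects a key for the value lines that follow) are my reading of the CFScript conventions, and the sample input is a shortened copy of the script posted above.

```python
import re

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")         # e.g. "Registry::" opens a section
REG_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")          # "[-KEY]" deletes KEY, "[KEY]" edits it
BHO_RE = re.compile(r"\\Browser Helper Objects\\(\{[0-9A-Fa-f-]+\})$")

def parse_cfscript(text):
    """Return {section: [items]}; Registry:: items are dicts with action/key/values."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if SECTION_RE.match(line):
            current = SECTION_RE.match(line).group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"directive before any section header: {line!r}")
        elif current == "Registry" and REG_KEY_RE.match(line):
            sign, key = REG_KEY_RE.match(line).groups()
            sections[current].append({"action": "delete" if sign else "edit",
                                      "key": key, "values": []})
        elif current == "Registry" and sections[current]:
            sections[current][-1]["values"].append(line)   # value line under the last key
        elif current == "Registry":
            raise ValueError(f"registry value line before any key: {line!r}")
        else:
            sections[current].append(line)
    return sections

def summarize(sections):
    """Review-oriented summary of what the script would kill, delete or alter."""
    reg = sections.get("Registry", [])
    deleted = [r["key"] for r in reg if r["action"] == "delete"]
    return {
        "kills_all_processes": "KILLALL" in sections,
        "folders_deleted": list(sections.get("Folder", [])),
        "registry_keys_deleted": deleted,
        "registry_keys_edited": [r["key"] for r in reg if r["action"] == "edit"],
        "bho_clsids_removed": [BHO_RE.search(k).group(1) for k in deleted if BHO_RE.search(k)],
    }

# Constructed sample: a shortened copy of the CFScript posted in this thread.
SAMPLE = r"""KILLALL::
Folder::
c:\program files\Common Files\Symantec Shared
Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{65D886A2-7CA7-479B-BB95-14D1EFB7946A}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
"""
```

Running `summarize(parse_cfscript(SAMPLE))` on the sample reports one folder deletion, three key deletions (one of which is followed by a re-creation of the same MSConfig\services key) and the two BHO CLSIDs.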

  4. C:\MGtools\analyse.exe was not present. Downloaded hijackThis.msi from MG and ran.

    Deleted this, because not intentionally created: R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

    Was not able to disable all anti-virus - avast shields turned off, but the scanner AvastSvc.exe and AvastUI.exe kept running and I was not able to force close them.

    Created and dragged CFscript.txt on top of ComboFix.exe after browsers closed. When ComboFix finished, it rebooted the computer and a DOS program ran after reboot - think this was ComboFix, but not sure.

    C:\MGtools\GetLogs.bat did not exist. Ran c:/mgtools.exe and attached the new C:\MGlogs.zip file.

    What is this? C:\Player.exe This was a screen saver program. It did not appear to be installed. I secure-deleted (NSA 7 pass) the file with CCleaner.

    FYI, I notice that on startup, there is a Windows Installer pop-up with no indication of what is trying to install and only a cancel button. It comes up 9 or 10 times regardless if I push cancel or Alt-F4 or do nothing. Did not watch to see if this was continuing after doing the above.

    Attached Files:

  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Bear with me, I will be back with a response ASAP. Currently requesting advice from colleague(s), thanks for your patience.
  6. I SO appreciate your help. I look forward to your further direction.
    Thanks!
  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You're very welcome. And I appreciate your patience whilst we wait a while. :)
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Okay, what I am going to do is have you run a fix, but it will not be done the way it was before hand. I will attach a fix for you which you can download and use. (At the bottom of this post, do the CF step first then the getlogs.bat)

    Now we need to use ComboFix

    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Make sure you save CFScript.txt to your desktop.
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    Attached Files:

  9. Done as directed. Sometime while I was waiting, the Windows Security/Microsoft Automatic Updater seemed to get "unstuck". It found and installed over 40 security upgrades. There is also a SecuROM program that showed up as a rootkit on one of the scans. www.securom.com/support_faq.asp This is for a Scrabble game by Hasbro.

    Attached Files:

  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Try again with another script with a slight alteration to it but following the same instructions as before.

    Then just attach the CF log.

    Attached Files:

  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Bear with me some more as I further discuss what steps we have next.
  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Okay, let me ask, at this point, are you really still experiencing any malware issues? Tell us how things are running, please. :)
  13. I will set this back up at my mother-in-law's place and see how it goes.
    Thanks for all your help.
  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    No problem. :)

Source: https://forums.majorgeeks.com/threads/malware-and-rootkit-infection.223709/
