Rootkit Not going away

officialvaltor

New Member
So recently I have been getting random popups by unisales. So I tried using my McAfee Internet Security to take it out but it did not work. It was stuck on something called rootkit and then it just skipped it. So I downloaded a software called Malwarebytes and scanned it. It found and deleted the malicious software. However after a minute or two I still had unisales. I tried deleting the chrome extension, but it did not work. So I scanned again, but this time it said it was clean. So afterwards, I tried anti-spyware. But this time I tried it in Safe mode. However the same thing happened. It said it deleted it but it came back. I tried it again with Norton Power Eraser. Same result. I am really frustrated and since I am a newbie I don't know what to do. Can someone please help me get rid of unisales?
Thank you.

Additional Information: PC runs windows 8.1 Pro 64 bit
 
Well unfortunately it looks like Combofix will be out of the question in this case. Let's get you started though so John can help you out right away.

Please open Malwarebytes and post the log from the scan you did.

Also, please run OTL (directions below) and post that log.

Download OTL to your Desktop


•Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
•Click on Minimal Output at the top
•Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
◦When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL. Just post the OTL.txt file in your reply.
 
Check here if the logs are still available: C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Logs

You may need to enable hidden files and folders to find it. Click on View in the explorer window and tick the box for Hidden Items.

 
Let's do some different scans first and then we'll have you rerun OTL.

1.

Please download and run TDSSKiller

When the program opens, click on Change parameters. Put a check next to Detect TDLFS file system, click OK.

Click on the Start scan button.


TDSSKiller will now scan your computer for the TDSS infection. When the scan has finished it will display a result screen stating whether or not the infection was found on your computer. If it was found it will display a screen similar to the one below.



To remove the infections simply click on the Continue button and TDSSKiller will attempt to clean them or remove them.

After trying to clean them it will pop up with the results of the scan and its actions.



Please reboot the system if asked to do so.

After running there will be a log located at the root of your C:\ drive labeled TDSSKiller with a series of numbers after it, for example, C:\TDSSKiller.2.4.7_23.07.2010_15.31.43_log.txt

Please open the log and copy and paste it back here.

2.

Please download AdwCleaner by Xplode onto your Desktop.



•Please close all open programs and internet browsers.
•Double click on adwcleaner.exe to run the tool.
•Click on Scan.
•After the scan you will need to click on Clean for it to delete the adware.
•Your computer will be rebooted automatically. A text file will open after the restart.
•Please post the content of that logfile in your reply.
•You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.

3.

Please download Junkware Removal Tool to your desktop.

•Shutdown your antivirus to avoid any conflicts.
•Very important that you run the tool in this manner:
Right-mouse click JRT.exe and select Run as administrator
Do NOT just double-click it.
•The tool will open and start scanning your system.
•Please be patient as this can take a while to complete.
•On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
•Post the contents of JRT.txt in your next message.
 
Since John hasn't posted. Try this.

Run Autoruns and save the ARN file. Upload here.

If it's coming back it could be a script auto-starting a file.

https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

Run HijackThis and post the log here. http://sourceforge.net/projects/hjt/

John for some reason doesn't like HijackThis, but it is still useful. In fact, delete the wrong file with HijackThis and you've nuked your OS. Plus over 21,000 downloaded it this week.

If I find the file I'll have you run Freefixer and nuke the little bastard.
 
Why would you have him run HijackThis when all the information you get from HJT logs is in OTL too... I suggest you read the logs before posting this...
 
First of all... If this is a business computer then please do not continue and contact the network admin to help you remove unwanted programs. We do not know your setup so don't want to delete anything required. Secondly... You have multiple virus scanners installed.

McAfee
Lavasoft

You will need to remove one of them and keep the other. Having multiple virus scanners installed will cause conflicts.

If this isn't a business computer then please continue.

Run OTL again but this time copy and paste the following into the custom scans/fixes box at the bottom and then click on the run fix button. Copy everything inside the code box.

:OTL
PRC - File not found
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKCU\..\SearchScopes,DefaultScope = {BDF61FAE-9D19-40F0-8F34-688DEB334CA9}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{A6DB4DF1-3924-43E3-B505-917C861F0070}: "URL" = https://search.yahoo.com/search?fr=mcafee&type=B011US0D20140703&p={SearchTerms}
IE - HKCU\..\SearchScopes\{BDF61FAE-9D19-40F0-8F34-688DEB334CA9}: "URL" = http://securedsearch.lavasoft.com/results.php?pr=vmn&id=webcompa&ent=ch_WCYID10088_cnet_150121&q={searchTerms}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <-loopback>
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Keshav Muralitharan\AppData\Local\Google\Update\1.3.25.11\npGoogleUpdate3.dll File not found
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Keshav Muralitharan\AppData\Local\Google\Update\1.3.25.11\npGoogleUpdate3.dll File not found
O4:64bit: - HKLM..\Run: [] File not found
O15 - HKCU\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: sony.com ([]* in Trusted sites)
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\osf - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
O18:64bit: - Protocol\Filter\application/x-ica - No CLSID value found
O18:64bit: - Protocol\Filter\application/x-ica; charset=euc-jp - No CLSID value found
O18:64bit: - Protocol\Filter\application/x-ica; charset=ISO-8859-1 - No CLSID value found
O18:64bit: - Protocol\Filter\application/x-ica; charset=MS936 - No CLSID value found
O18:64bit: - Protocol\Filter\application/x-ica; charset=MS949 - No CLSID value found
O18:64bit: - Protocol\Filter\application/x-ica; charset=MS950 - No CLSID value found
O18:64bit: - Protocol\Filter\application/x-ica; charset=UTF8 - No CLSID value found
O18:64bit: - Protocol\Filter\application/x-ica; charset=UTF-8 - No CLSID value found
O18:64bit: - Protocol\Filter\application/x-ica;charset=euc-jp - No CLSID value found
O18:64bit: - Protocol\Filter\application/x-ica;charset=ISO-8859-1 - No CLSID value found
O18:64bit: - Protocol\Filter\application/x-ica;charset=MS936 - No CLSID value found
O18:64bit: - Protocol\Filter\application/x-ica;charset=MS949 - No CLSID value found
O18:64bit: - Protocol\Filter\application/x-ica;charset=MS950 - No CLSID value found
O18:64bit: - Protocol\Filter\application/x-ica;charset=UTF8 - No CLSID value found
O18:64bit: - Protocol\Filter\application/x-ica;charset=UTF-8 - No CLSID value found
O18:64bit: - Protocol\Filter\ica - No CLSID value found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O30:64bit: - LSA: Security Packages - ("") - File not found
O30 - LSA: Security Packages - ("") - File not found
O30 - LSA: Security Packages - (wsauth) - File not found
[2015/01/12 22:05:12 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\unisaleS
[2015/01/12 22:05:00 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\UnnIsAleS
@Alternate Data Stream - 237 bytes -> C:\Users\Keshav Muralitharan\OneDrive:ms-properties

:Commands
[EMPTYTEMP]
[REBOOT]


Also, if you don't know what these are related to then please manually delete these files.


C:\Users\Keshav Muralitharan\Desktop\123.exe.lnk
C:\Users\Public\Desktop\123.lnk


After the system reboots, let me know how everything is.
 
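As an added, read-only check (not the thread's own script or the output of any tool named in it), the PowerShell audit below looks at the same persistence points the OTL fix above touches (Run keys, scheduled tasks, IE search scopes, LSA Security Packages, leftover program folders, the proxy setting) and reports what it finds without deleting anything. It assumes Windows 8.1 with PowerShell 4 and an elevated prompt; the bing/google allow-list for search providers is an assumption, not something the thread states.

```powershell
# Added audit script, not from the thread or any tool it names. Read-only: reports, deletes nothing.
# Assumes Windows 8.1 / PowerShell 4 and an elevated prompt (needed for HKLM and scheduled tasks).
$pattern  = 'unisales|unnisales'                    # folder names seen in the OTL log above
$findings = New-Object System.Collections.Generic.List[string]

# 1. Run keys (OTL's O4 lines): values that mention the adware, or the empty-name entry OTL prints as []
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in ($runKeys | Where-Object { Test-Path $_ })) {
    foreach ($p in (Get-ItemProperty $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }       # skip PowerShell's own PSPath/PSProvider noise
        if ($p.Name -eq '(default)' -or "$($p.Value)" -match $pattern) {
            $findings.Add("Run    : $key\$($p.Name) = $($p.Value)")
        }
    }
}

# 2. Scheduled tasks: a task that re-runs the installer is the usual reason adware "comes back"
Get-ScheduledTask | ForEach-Object {
    $cmd = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' '
    if ($cmd -match $pattern) { $findings.Add("Task   : $($_.TaskPath)$($_.TaskName) -> $cmd") }
}

# 3. IE search scopes (the IE - SearchScopes lines); the bing/google allow-list is an assumption, edit to taste
$scopes = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
if (Test-Path $scopes) {
    Get-ChildItem $scopes | ForEach-Object {
        $url = (Get-ItemProperty $_.PSPath).URL
        if ($url -and $url -notmatch 'bing\.com|google\.com') { $findings.Add("Search : $($_.PSChildName) -> $url") }
    }
}

# 4. LSA Security Packages (the O30 lines): every name here is a DLL lsass loads at boot,
#    so list them all; anything you cannot account for (OTL flagged 'wsauth' above) deserves a look
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$findings.Add("LSA    : Security Packages = " + (($lsa.'Security Packages' | ForEach-Object { "'$_'" }) -join ', '))

# 5. Leftover program folders, and the proxy setting the fix above wanted cleared
Get-ChildItem 'C:\Program Files (x86)', 'C:\Program Files', $env:ProgramData -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $pattern } |
    ForEach-Object { $findings.Add("Folder : $($_.FullName)") }
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1) { $findings.Add("Proxy  : enabled, ProxyServer = $($inet.ProxyServer)") }

if ($findings.Count -eq 0) { 'No unisales remnants found in the audited locations.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Run it once before and once after a cleaner: a task or Run entry that survives the cleaner is the thing re-creating the adware, and its path tells you which file to hand to the next tool.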
I'm sorry for the late response! This is not a business computer, it's a personal one. And when I ran the code, it froze on: PRC - File not found
Should I try running it without that line of code?
 
I changed the code box to a quote box just in case you didn't copy everything correctly. Please make sure you include the line that says :OTL.

I'm not sure why it would be freezing.

Can you try it in safe mode?
 
Can you upload that photo to a photo-sharing site like ImageShack or Photobucket and then give me the link to it? Too small to see.
 
Ok, I've removed the proxy entries from the fix. Please copy and paste the entries into the custom scan/fixes box again and click on the run fix button. We will get rid of the proxy setting a different way if this works.
 