Did I miss anything with this rootkit infestation?

LilBambi

After various levels of clean up yesterday, the computer appears to be working perfectly, all security features are now working again and the computer has updated versions of third party programs/plugins. No more bad things being found by scans.

This computer started acting up about 7 days ago, but apparently her grandson was playing games unattended on it the week of the 3rd of August, when the new version of this ZeroAccess rootkit showed up on the Internet.

I have attached the logs (sadly not all logs, but the latest logs). I didn't think to save the previous ones. I saved them since I identified the rootkit.

Kaspersky's TDSSKiller (newest version) got the main rootkit, and the latest versions of JRT and ComboFix took care of much of the remnants, so the firewall is now working again and I was able to reinstall MSE and other security software.

Could anyone take a look to see if I missed anything? Thanks! My eyes were crossing after nearly 4 hrs of cleanup in safe mode and normal mode on the machine yesterday.


Attachment: PC_HP_9-5-2013.zip
 
Hi, LilBambi.

As you no doubt know from SNF, I'm rather tied up with real-life issues. However, I took a very fast look at the logs and didn't spot anything of substance. Perhaps Will, Tom or Donna will have a chance to check the logs and let you know if they spot anything.
 
Thanks Corrine for the cursory look. Much appreciated. I hope Will, Tom or Donna might have a chance to check the logs.

Thoughts and prayers are heading your family's way, Corrine!
 
I can't see anything of concern either, but I haven't finished my training so technically my opinion doesn't count :p

This struck me as odd, though:

Code:
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - NISDRV

That's a Norton driver, but you're using MSE and Spybot. Did you have Norton installed at one point? It might be worth re-running the removal tool if you did:

https://support.norton.com/sp/en/uk/home/current/solutions/kb20080710133834EN_EndUserProfile_en_us

Looks like TDSSKiller did a pretty bad job of showing the RLO character in the log!

Code:
14:46:43.0078 0x0594  Detected object count: 1
14:46:43.0078 0x0594  Actual detected object count: 1
14:47:07.0352 0x0594  HKLM\SYSTEM\ControlSet001\services\*etadpug - will be deleted on reboot
14:47:07.0383 0x0594  HKLM\SYSTEM\ControlSet002\services\*etadpug - will be deleted on reboot
14:47:07.0601 0x0594  C:\Program Files (x86)\Google\Desktop\Install\{e943a23b-debf-e914-a4f1-74a996314f1f}\   \...\*ﯹ๛\{e943a23b-debf-e914-a4f1-74a996314f1f}\GoogleUpdate.exe - will be deleted on reboot
14:47:07.0601 0x0594  *etadpug ( Rootkit.Win32.PMax.gen ) - User select action: Delete 
14:47:09.0208 0x0248  Deinitialize success

Edit: Looks like something has changed in the way that vB, or Sysnative, shows a RLO override (0x202E). It no longer takes note of the character and instead displays it as an asterisk symbol, so the TDSSKiller log looks perfectly normal now :)

Tom
 
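Since the forum software renders the RLO as an asterisk, here is an added Python example (not from the thread or from TDSSKiller) that flags Unicode bidirectional override characters in log lines, prints them as visible markers, and shows the reversed name a bidi-aware viewer would display; the sample log lines are constructed to resemble the TDSSKiller entries above.

```python
# Added example: make bidi override characters visible in log lines.
# The log lines below are constructed to resemble the TDSSKiller entries
# quoted in this thread; they are not copied from a real log.

# Unicode bidirectional formatting characters that can reorder displayed text.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI",
}


def escape_bidi(text):
    """Replace each bidi control with a visible <NAME U+XXXX> marker."""
    return "".join(
        f"<{BIDI_CONTROLS[ch]} U+{ord(ch):04X}>" if ch in BIDI_CONTROLS else ch
        for ch in text
    )


def find_bidi(text):
    """Return (index, name) pairs for every bidi control found in text."""
    return [(i, BIDI_CONTROLS[ch]) for i, ch in enumerate(text) if ch in BIDI_CONTROLS]


def rlo_segments(text):
    """For each RLO in text, return (logical segment, what a renderer shows).

    A bidi-aware viewer draws the text after U+202E right-to-left, so the
    registry value "\u202eetadpug" is displayed as "gupdate".
    """
    parts = text.split("\u202e")
    return [(seg, seg[::-1]) for seg in parts[1:]]


# Constructed sample: the service name is stored as "\u202eetadpug".
SAMPLE_LINES = [
    "14:47:07.0352 0x0594  HKLM\\SYSTEM\\ControlSet001\\services\\\u202eetadpug"
    " - will be deleted on reboot",
    "14:47:09.0208 0x0248  Deinitialize success",
]


def scan_log(lines):
    """Return only the lines containing bidi controls, in escaped form."""
    return [escape_bidi(line) for line in lines if find_bidi(line)]


if __name__ == "__main__":
    for line in scan_log(SAMPLE_LINES):
        print(line)
```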
Good idea on the Norton removal tool. I will take care of that. Yeah, that is odd about the TDSSKiller character in the log... Thanks for checking it over, Tom. Much appreciated.
 
