Continuing rootkit(s)

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by doc Holliday, Nov 10, 2011.

  1. doc Holliday

    doc Holliday Private First Class

    Although I did a clean install sometime back and don't visit risky sites (AFAIK), I have been infected with rootkits and trojans that seemed to get past my Comodo (free) firewall and MS Security Essentials.

On 3 occasions when I left the PC on overnight and connected to my internet cable (but not logged on), MS Security Essentials caught trojans, so it seems like I may be the object of attack.

    I have used various antivirus and antirootkit programs to remove junk, especially ComboFix. (BTW Malwarebytes seems pretty powerless to me, as compared to Super Antispyware).

    Anyway, the computer slows down, and I end up going to safe mode to run cleanup programs, but the problems return.

    These scans were all run in Safe mode. The OS is XP Pro, SP3.
     

  2. doc Holliday

    doc Holliday Private First Class

    more logs.

    Thanks - I'm optimistic that your experience can clean this up (where I can't).
     

  3. thisisu

    thisisu Malware Consultant

    You have a lot of programs installed that I would not recommend. At least 4 anti-rootkit programs that have left traces everywhere on your hard drive as well as multiple registry cleaners. I wanted to remove all of these but they are not actually considered malware.

What actual problems are you having, as your logs are clean from malware so far?

    Can you run MGtools.exe from the root of C:\ (not from your desktop!) while in Normal Mode?

    Attach that MGlogs.zip when finished.

    Feel free to attach the logs from MSE that found something.
     
    Last edited: Nov 11, 2011
  4. doc Holliday

    doc Holliday Private First Class

    ?? each program was downloaded right here at MGs!

    Yeah - I've tried every antirootkit program I can find....about half are worthless in today's environment.

    1. computer becomes slow to the point that nothing happens
    2. computer starts giving me messages on every program or process that I try to initiate that I don't have authorization to run it.
    3. Combofix deletes 1-3 files (which I later have to do again)...the deleted file in the ComboFix log is about the 3rd or 4th time I've deleted that. When I delete in Safe Mode, I go to Hiren's CD and delete various files (Restore etc) before rebooting...

    _Maybe the logs_ in question aren't an adequate tool anymore...actually, I thought the AVZ log might have some clues in it...

    Dunno - I will try and get back to you.

    Eh, those are long gone...

    Thanks, I'll be back with more.
     
  5. thisisu

    thisisu Malware Consultant

    Here is part of the problem why your PC is slow. With that amount of RAM, I would not recommend running any type of AV on the PC until you upgrade as it would most likely drastically slow it down. For Windows XP, we recommend at least 1GB of memory.

Yes, they are on MGs, just not something we recommend in the Malware Removal forum. We find that registry cleaners often do more harm than good. And just about all of those anti-rootkit programs you have installed put a driver on the system that runs in memory, thus using more of your already very limited resources.

The logs are actually very thorough, as MGtools is updated on a daily basis now that newer infections are hiding in other places on the hard drive; the same applies to ComboFix and the other anti-malware programs that we request users to run first.
     
    Last edited: Nov 11, 2011
  6. doc Holliday

    doc Holliday Private First Class

Yeah, I read that a lot. Problem with the concept is - I have experienced the computer being much faster just as it is...except for the root kits or trojans...and the AV seems to run pretty well until artificially constrained by malware..

...but, back to what I'm supposed to be doing...
     
  7. doc Holliday

    doc Holliday Private First Class

    #4 evidence of trojan/rootkit/whatever: SpywareBlaster has one restricted site that is set as "enabled" along with all the others, but on every boot is disabled...
     
  8. doc Holliday

    doc Holliday Private First Class

    Actually: “Windows cannot access the specified device, path, or file. You may not have the appropriate permission to access the item”
     
  9. thisisu

    thisisu Malware Consultant

Attach the MGlogs.zip whenever you're ready.
     
  10. doc Holliday

    doc Holliday Private First Class

    Evidence #5 of rootkit: see Rogue Killer log - the hosts changed yesterday, triggered by ??

    MGTools wouldn't run in Normal mode. I have attached a fresh MG zip run in Safe mode, and a MGzip_11-12 run on Hirens live CD.

    I have also attached 3 GMER logs run on Hirens live CD. These (and AVZ logs) seem to indicate that ntoskrnl.exe and other MS files are corrupted. If I can find certified clean copies on the internet, I could change those while running on Hiren's CD.

    BTW my previous comment about some methods perhaps not being effective anymore, was mostly about using Malwarebytes which doesn't seem to find any problems anymore for me (although SuperAntiSpyware and Spybot do).
Combofix CERTAINLY works - it's the most powerful antirootkit I've used. MGtools I accept as being effective.

BTW, since my scans were showing MS Security Essentials files as being unscannable....I uninstalled it via revoUninstaller maximum method. I also removed SpywareBlaster, thinking that perhaps it was compromised...
     

  11. doc Holliday

    doc Holliday Private First Class

    Oh yeah - MGtools.zips
     

  12. thisisu

    thisisu Malware Consultant

    This is perfectly normal. Your hosts file is modified by Spybot's Immunization feature. RogueKiller is just listing the contents of the hosts file.

    Give me some time to review the rest of your logs.

By the way, what problems are you having when you try to run MGtools.exe from normal mode? Tell me exactly what happens.
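The distinction drawn in this reply (a hosts file rewritten by Spybot's Immunization versus one altered to redirect traffic elsewhere) can be checked mechanically. The following is an added example, not code from the thread or from any of the tools named in it; the hosts content and domain names are constructed placeholders.

```python
import ipaddress

# Constructed sample hosts file: the stock localhost line, two Spybot-style
# immunization entries (sinkholed to loopback / unspecified), and one entry
# that sends a security-update host to a routable address (203.0.113.5 is a
# documentation-only TEST-NET address used here as a stand-in).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1\twww.badsite-example.test
0.0.0.0\tads.badsite-example.test
203.0.113.5\tav-update.example.com   # constructed: looks like a hijack
"""

# Addresses that make a hostname unreachable rather than redirecting it.
LOCAL_SINKS = {ipaddress.ip_address(a) for a in ("127.0.0.1", "0.0.0.0", "::1")}


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments, blanks and malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop inline and full-line comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                              # not an address: ignore the line
        for name in parts[1:]:                    # one line may list several names
            entries.append((ip, name.lower()))
    return entries


def triage_hosts(text):
    """Split entries into 'blocks' (the immunization pattern: a site is pointed
    at loopback/unspecified so it cannot load) and 'redirects' (a name is sent
    to a routable address, which is the pattern that deserves a closer look)."""
    blocks, redirects = [], []
    for ip, name in parse_hosts(text):
        if name == "localhost":
            continue                              # the stock entry on every Windows box
        if ip in LOCAL_SINKS:
            blocks.append(name)
        else:
            redirects.append((name, str(ip)))
    return {"blocks": blocks, "redirects": redirects}
```

On a live XP system the same function can be fed the contents of %SystemRoot%\system32\drivers\etc\hosts; a long list of blocks with no redirects is what an immunized, uncompromised hosts file looks like.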
     
  13. doc Holliday

    doc Holliday Private First Class

    Another rootkit BTW - my Comodo firewall showed an outbound connection to 226.178.217.5:21328..sending out 829.5kb....I have been unable to ID this IP...I killed it of course, but it will be back...

    ADDED: I also uninstalled Mozilla Firefox, because the Comodo antirootkit found 3 Smitfrauds in it earlier (which I had of course removed) but perhaps Firefox had additional problems...
     
    Last edited: Nov 12, 2011
  14. thisisu

    thisisu Malware Consultant

    Hold off on this as I do not think it is a good idea. Let's run a few more scans.

    Now we need to run TDSSKiller by Kaspersky
    Follow the instructions here and attach your log when you are finished. (How to attach items to your post)


    Please download MBRCheck by GeeksToGo to your desktop.
    See the download links under this icon.
    • Double click MBRCheck.exe to run (Vista and Win7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (How to attach items to your post)

    Please download OTL by Old Timer to your desktop.
    • See the download links under this icon.
    • Double-click OTL.exe to run (Vista and Win7 right click and select Run as administrator)
    • When the window appears, underneath Output at the top-right, make sure Standard Output is selected.
    • Select Scan All Users.
    • Change Drivers and Services to show "All"
    • Check the boxes beside LOP Check and Purity Check.
    • Copy the text in the code box below and paste it into the text-field.
      Code:
      netsvcs
      /md5start
      atapi.sys
      csrss.exe
      explorer.exe
      ntoskrnl.exe
      regedit.exe
      services.exe
      svchost.exe
      userinit.exe
      winlogon.exe
      /md5stop
      %systemdrive%\*.*
      %systemdrive%\MGtools\*.*
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.sys /90
      %systemroot%\system32\*.exe /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %windir%\assembly\GAC\*.ini
      %windir%\assembly\GAC_MSIL\*.ini
      %windir%\assembly\gac_32\*.ini
      %windir%\assembly\gac_64\*.ini
      %windir%\assembly\temp\*.ini
      %windir%\assembly\tmp\u /s
      %allusersprofile%\application data\*.exe
      hklm\software\microsoft\windows\currentversion\run|exe /rs
      hklm\software\microsoft\windows\currentversion\runonce|exe /rs
      
    • Now click the scan button.
    • When the scan is complete, Notepad will open with the results of the OTL scan.
    • Close Notepad.
    • There will be two log files on your desktop entitled OTL.txt and Extras.txt.
    • Attach both OTL.txt and Extras.txt to your next message. (How to attach items to your post)
     
  15. doc Holliday

    doc Holliday Private First Class

    requested logs

    ooops, my OTL file is 2000kb....I better run it as 30 days of files instead of all files...
     

  16. thisisu

    thisisu Malware Consultant

    Can you run it how the link tells you to run it? Same with OTL.
     
  17. doc Holliday

    doc Holliday Private First Class

    Yeah, I fouled up TDSSkiller

    OTL is now 200 Kb
     

  18. thisisu

    thisisu Malware Consultant

Rerun TDSSKiller using the "Detect TDLFS file system" feature again, but this time, when it detects the above, allow TDSSKiller to delete it. This is the only thing I want you to remove at this time.

    The rest of your logs are clean.

    Let me know how your system is running afterwards.

    By the way, all of your ntoskrnl.exe files are clean. MD5 on each is legit.
     
  19. doc Holliday

    doc Holliday Private First Class

    Done - log attached.

    I'm glad to hear that ntoskrnl.exe is good.

    I still can't quite square the problems I think I've experienced, with a clean system...

    I'll boot into Normal and see how it runs...and whether I can then run MGtools...

    Thanx - I'll be back.

    BTW - is there a good site for me to check out that IP?
     

  20. thisisu

    thisisu Malware Consultant

    http://www.ip2location.com/free.asp - This is the one I typically use but I am not finding anything on that IP.
     
  21. doc Holliday

    doc Holliday Private First Class

    OK - it seems to be running well, and on startup the screen pops up almost immediately (a great improvement).

    My WinPatrol free keeps popping up a question whether I want to allow run32dll.dll to run as an app....and I keep checking "no" because it smells like a malware problem.

    A datapoint: the IP I posted previously is from Spybot Search and Destroy.

    Thanks for working through this with me.
     
  22. thisisu

    thisisu Malware Consultant

    Another program I would not recommend using :(

    Glad you figured out what that IP address was from.

    You're welcome. Surf safely!
     
    Last edited: Nov 14, 2011
  23. doc Holliday

    doc Holliday Private First Class

Well, OK....why? Is there something specific, or just a philosophical point of view?
     
  24. thisisu

    thisisu Malware Consultant

    It's just my opinion. Your logs are clean yet this program is making you believe that you still have malware on the PC.
     
  25. doc Holliday

    doc Holliday Private First Class

    OK update:

    I had reinstalled Microsoft Security Essentials (MSE), after having removed it for this cleanup process in this thread. I also have Comodo free firewall installed, and Microtrend RUBotted....XP Pro SP3...

Yesterday I left but forgot and left my PC on. On my return, I find my MSE turned off and I can't turn it back on after many attempts.

    I run Combofix and nothing. I run AVZ and it identifies epploc_86x.msi as a trojan or worm and I go to Hiren's and remove it (I have had to do this before). Now my MSE is on and running fine....until the next time.

    Apparently someone knows how to get thru Comodo and MSE, so I need to permanently install a different antivirus that isn't hackable.

    Any suggestions?
     
  26. thisisu

    thisisu Malware Consultant
