Malware and possible rootkit infection

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by RK233, Mar 20, 2007.

  1. RK233

    RK233 Private E-2

    I have a Windows XP Pro computer which may have malware on it. I have tried to keep my system protected by adding various utilities from other sites.

    I just had a new hard drive and Win XP Pro reinstalled professionally. I installed ZoneAlarm Pro Internet Suite 6.5 2007 for AV/spyware protection (I used to use Norton Internet Security). I also have added many programs recommended at spywarewarrior.com, merijn.org, majorgeeks.com etc. These include Spybot, Ad-Aware, IE-SPYAD for ZonedOut, SpywareBlaster, some Sysinternals programs from Microsoft (also loaded at times AVG, SUPERAntiSpyware among others).

    After the re-install I had to re-update IE6 to IE7, with some problems doing so, possibly getting infected in the process too. I frequently get redirected to a new start page with my normal one changed. I try to use Firefox when possible.

    I was previously infected several months ago with a Smitfraud virus. I ran Smitrem by Noah Fear, which found 2 programs. I have run this again and still find these programs, so something is still lurking in my system. I must have a program etc. that is infected, or I am re-downloading a program that is corrupt during my reinstalls.

    I have also found unwise.exe and unwise32qt.exe on my system some time ago. Some bulletins state these may be trojans calling www.nymex.com.

    I have blocked a number of sites cited as those these trojans might call (Smitfraud, unvise32.exe, Cadux). I still get periodic outbound attempts by these programs blocked by my firewall. I do not know what is triggering it (i.e. realsearch.cc, ecjnoe3inwe.com, dkjfwekjnc.com etc.).

    I just recently tried the e-mail battery test at gfi.com, which my ZA Pro/Outlook Express 6 seemed to protect against. However, afterwards my ZA Pro AV/Antispyware updater could not update my spyware part. Also, the My Vault and all my configs and logs were cleansed. My Help & Support is loading slow again. (I have other related posts... this may be the same problem from a program re-infecting me.)

    I have run numerous AV/antispyware programs. Besides those listed above I have run Sophos savcli.exe, Stinger, Panda online ActiveScan 2 (TotalScan), BitDefender online, Kaspersky online, Sophos Anti-Rootkit, RootkitRevealer (Sysinternals). Nothing significant was found except for Adware Luke the Screenwasher?, which was deleted.

    I have just installed the AntiHook 3.0 and Sandboxie per Gizmo Richards site recommendations. This program has found a number of hooks.

    In my AntiHook logs I have found programs GLB9.tmp launching zauninst.exe; GLBC.tmp launching isafe.exe; GLBC.tmp launching unwise.exe; unwise.exe launching GLB1a2b.exe. Most of these launches are from the C:\Document & Settings\Administrator\Local Services\Temp folder. Somehow my ZoneAlarm Pro was uninstalled!!! After losing my ZA Pro I have used either the ZA free or Windows XP firewall.

    Recently, I have tried installing AVG (I keep it off with the installer handy just in case I need it, to avoid ZA conflicts) but I get Access Denied dialogs (failed code 5); apparently my Administrator privileges were somehow changed to prevent installation of many programs. The same thing happens when I try to install Webroot Spy Sweeper. How can I change the registry etc. to regain these privileges?

    Before ZA Pro was lost it had trouble updating with Windows Update and viewing certain sites (BitDefender & myspace.com) normally. These sites, however, were viewed normally with just the Windows XP firewall.

    I seem to have some malware in my system but I do not know what it is. I have run HJK and have saved logs for the startup as well. I do not know if I have a rootkit infection or something else. I would like to try to avoid re-installing my OS if possible; it is backed up on an external drive which I just got.

    I ran a Trend Micro Spywarescan and it found Spyware_KEYL_ASTLOG. This changed a registry key HKCU\S-1-5-21...\SOFTWARE\NIRSOFT....

    The bulletin on Trend Micro states that HKCU\SOFTWARE\NIRSOFT\AsterikLogger\Columns is added and that this spyware reveals passwords of target applications. I must have gotten infected with this when I downloaded a program, CurrPorts from NirSoft, which was recommended by Gizmo Richards' Tech Alert site (per the article "Tracing Unexpected Internet Activity").

    I probably have other malware on my machine. I am attaching a current HJK, a startup config from the HJK, and a portion of a log from AntiHook 3.

    I am also attaching the runkeys and newfiles. BitDefender found nothing.

    I appreciate any assistance that you can give me.
     

    Attached Files:

    Last edited: Mar 20, 2007
  2. RK233

    RK233 Private E-2

    Attached are getrunkey, newfiles, and a partial list of AntiHook 3.0 log
     

    Attached Files:

  3. RK233

    RK233 Private E-2

    In addition to the previous postings,

    Panda ActiveScan showed that everything is clean.

    I did a search for unwise.exe on my system and found that program in:

    prefetch folder
    C:\Program files\ZoneAlarm\Mailfrontier
    C:\Windows\System32\Macromedia\Shockwave8

    I deleted all files associated with unwise.exe.

    Also, I went to www.secunia.com:

    According to this site my versions of Macromedia flash had significant vulnerabilities. I have thus tried to delete and rectify this problem.

    I still do not know how to reconfigure my computer so that I can regain Administrator privileges & not get ACCESS DENIED dialogs when trying to install programs.

    I appreciate any assistance in trying to find out what malware lurks on my machine and how to rectify things.

    If another forum is more appropriate or more info is needed please let me know.
     
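    The "Access Denied" (Win32 error 5) the poster keeps hitting on installs is never diagnosed in this thread. The check below is an added example, not part of any post here, that separates the two usual causes: the logon token no longer carrying the Administrators group, and a DACL on the registry keys that installers write to that no longer grants Administrators FullControl (or contains a Deny entry). It assumes PowerShell; the list of keys inspected is this script's own choice.

```powershell
# Added example (not from the thread): check whether the current logon token
# actually carries BUILTIN\Administrators, and whether that group still holds
# FullControl on the registry keys installers typically write to.
# Assumes PowerShell; the key list below is this script's own choice.

$adminSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$inAdmins = $identity.Groups | Where-Object { $_.Value -eq $adminSid }
Write-Output ("user: {0}  member of Administrators: {1}" -f $identity.Name, [bool]$inAdmins)

$keys = @(
    'HKLM:\SOFTWARE',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SYSTEM\CurrentControlSet\Services'
)

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { Write-Output "absent: $key"; continue }
    try {
        $acl = Get-Acl -Path $key
    } catch {
        # Not even being able to read the DACL is itself the finding.
        Write-Output "cannot read ACL on $key : $($_.Exception.Message)"
        continue
    }
    # Explicit and inherited ACEs, with identities reported as SIDs so the
    # comparison does not depend on name resolution.
    $rules = $acl.GetAccessRules($true, $true, [Security.Principal.SecurityIdentifier])
    $fullControl = [Security.AccessControl.RegistryRights]::FullControl
    $adminFull = $rules | Where-Object {
        $_.IdentityReference.Value -eq $adminSid -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.RegistryRights -band $fullControl) -eq $fullControl
    }
    # A Deny ACE (for Administrators, Everyone, or the user) explains a failed
    # install even when the Allow entries look normal.
    $deny = $rules | Where-Object { $_.AccessControlType -eq 'Deny' }
    Write-Output ("{0}`n  owner={1}  adminsFullControl={2}  denyEntries={3}" -f
        $key, $acl.Owner, [bool]$adminFull, @($deny).Count)
    foreach ($d in $deny) {
        Write-Output ("  DENY {0} -> {1}" -f $d.IdentityReference, $d.RegistryRights)
    }
}
```

    Run it from the account that gets the error. On Windows XP a member of Administrators has the full token; on Vista and later the group is present but deny-only unless the shell is elevated, so run the check elevated there. If the ACL section reports a Deny entry or a missing FullControl grant for Administrators, that key, not the account, is where to look next; back the key up (`reg export`) before changing its permissions.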
  4. RK233

    RK233 Private E-2

    Attached are updated HJK logs that are more current. These logs were run with all services ENABLED in msconfig !!
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please do not send PMs about requests for help in the malware forum. This is stated in the READ & RUN ME. All communication for your problems belongs here in the forums. We do not answer PMs related to fixing malware or other questions that belong in the forums for all to benefit from. Most PMs like this are deleted without being read.

    Please run the READ & RUN ME steps exactly as written and in the order written and attach the 6 logs that are requested in the READ ME. Those logs are:
    • CounterSpy - only for Windows XP, 2K, & NT users
    • AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy. - only for Windows XP, 2K, & NT users
    • Bitdefender - from step 6
    • Panda Scan - from step 6
    • runkeys.txt - the log from GetRunKey.bat
    • newfiles.txt - the log from ShowNew.bat
    • HijackThis
    You did not follow the READ ME properly. For example:
    • You have Spybot's TeaTimer running and we request that it not be run
    • In step 6 you did not uninstall your old Sun Java version and install the new version as requested.
    • You have the wrong versions of GetRunKey and ShowNew
    • You were using MSConfig to control startups and were not in Normal Startup mode as required.
    • You installed HijackThis exactly where we specify not to install it.
     
  6. RK233

    RK233 Private E-2

    I will have to RE-READ the forum guidelines... it has been a while since I first read them.

    Panda scan was completely clean so I did not get a report from them.

    I will post updates as soon as I can.

    Thanks for the advice.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I see you ran Panda Nano and Panda TotalScan too. Did they also come up clean?
     
  8. RK233

    RK233 Private E-2

    Yes, both Panda NanoScan and Panda TotalScan did not find anything significant. However, on a later run the online scanner may not have been working properly (I may have been clean, but the scan ran for only about 15 sec, a much shorter time than when I ran it initially a week ago or so).
    [I realize these programs are still new and in testing phase]

    I ran the ActiveScan instead and it was clean.

    I will turn off my TeaTimer, make all other recommended changes, and re-post my HJK etc.

    I'm away from my computer presently so I will do this over the weekend.

    Thanks again.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! We'll see you on the weekend! ;)
     
  10. RK233

    RK233 Private E-2

    I have re-run the malware scans per the guidelines.

    I turned OFF my TeaTimer in Spybot S&D.

    Since I have been using AntiHook 3.0 I modified the settings to ALLOW all so that it would ONLY log events. (This did not start up in Safe mode anyway.)

    I replaced my Java 1.5.0 Update 11 with the more current version, Sun Java SE 1.6.0 Runtime Environment 6.

    I changed MSCONFIG to Normal mode so that everything should load up.

    CLEANING:

    Rebooted in Safe + Networking mode
    Cable internet was TURNED OFF during these initial steps
    Ran CCleaner to clean out temp cache and files
    ZoneAlarm free and AntiHook 3.0 were not started.

    Ran Spybot S&D ----> clean (nothing found)
    Ran AVG 7.5 trial (fresh download) -----> clean

    Online scans
    Turned on ZoneAlarm free, then turned on cable internet connection
    Ran BitDefender ----> clean
    Ran Panda ActiveScan --- clean (no log given to me)
    Ran Panda NanoScan & TotalScan (ActiveScan 2) ----> clean

    Rebooted computer to Normal mode

    Ran Getrunkeys and Newfiles and saved logs
    Ran HiJackThis from C: folder and saved log
    Also ran the startup list option in HiJackThis and saved that log

    I tried activating HijackThis to load at startup but it does not seem to be doing it. (I do not know if TeaTimer, reactivated after running the above, is affecting this.)

    Also,
    Ran Smitrem ----> clean (saved log)

    I am attaching logs for BitDefender, GetRunKey, Newfiles, and HijackThis. I am also attaching the HijackThis startup list log.

    Currently, my ZoneAlarm free (which I am using instead of ZA Pro until these issues are fixed) does not seem to load up when I start up my computer. This is despite having placed a check mark in the ZA preferences to "Load at Startup"; ZA also is not appearing in the startup list as checked via both Spybot's function and MSConfig.

    I tried an uninstall of ZA free but I got a dialog "You do not have access to make the required system configuration modifications. Please rerun this installation from an Administrators account". (ZA seemed to uninstall anyway, as it was no longer seen on my Start program list.)

    I tried to re-install ZA free from a fresh installer from the site but I get a similar error message as above stating that I cannot install this unless in an Administrators account.

    Somehow my Administrator account settings/privileges were altered by some program or malware. Certain programs do not seem to be loading up properly. My Windows Update does not seem to be working when I try to run it manually.

    I appreciate any assistance that you can give me in solving these problems. Somehow some malware that may still be "lurking" in my machine has made some system changes.
     

    Attached Files:

  11. RK233

    RK233 Private E-2

    Attached are copies of my HijackThis log and the HijackThis startup log.

    If there is any information that you need please let me know. I could possibly attach the TeaTimer log, which might be helpful, if you wish to see it.

    I previously posted a log from AntiHook 3.0 which might explain what was going on with the unwise.exe program along with other problems.

    I did not post logs for Panda, Spybot, AVG as they were all clean and logs were not given to me.

    Thanks for your assistance.
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You forgot to uninstall J2SE Runtime Environment 5.0 Update 11

    Uninstall it now.

    I'm not exactly sure from your messages what malware problems you are having, if any. What I will comment on is TOO MANY protection tools installed. Perhaps some of these are even making it difficult for you to run things. Also, based on your HJT log ZoneAlarm is running, so I'm not sure what you are saying.

    You have all of the below:

    AntiHook 3.0 (Build 23) <--- not sure if you really need this and could be causing you problems
    AVG Anti-Spyware 7.5 <--- uninstall if free
    Panda ActiveScan 2 <--- uninstall
    Panda NanoScan <-- uninstall
    Sandboxie version 2.80 <-- not needed and probably should not be used with AntiHook
    Spy Sweeper <--- uninstall if free but don't keep both it and AVG Antispyware if both are paid.
    SUPERAntiSpyware Free Edition <--- uninstall


    And whatever you do, stop downloading and installing any more antivirus or antispyware tools. Based on your logs you have had too many and they have left remnants around. Too many tools like this being installed (especially simultaneously) can cause as many problems as malware.

    Also note: there is no reason to run HJT at startup! Disable that feature!

    You should also remove the below restrictions you set either with Spybot, SpywareBlaster, Spy Sweeper or similar. They can often cause more problems for novices than they help protect you against.
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    Attach new logs from ShowNew and HJT after doing the above, and only tell me what malware problems you are having, if any.
     
    Last edited: Mar 26, 2007
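    The two "O6" HijackThis entries above are per-user IE policy keys. Which restriction each one imposes depends on the values under the key, and tools such as Spybot and SpywareBlaster write some of them deliberately, so it is worth seeing the values before fixing them. The script below is an added example, not code from this thread or from HijackThis: it lists every value under both keys and, only with its own `-Remove` switch, exports each key to a .reg file and then deletes it. It assumes PowerShell with the built-in `HKCU:` drive and the `reg.exe` that ships with Windows.

```powershell
# Added example (not from the thread): inspect the two IE policy keys that
# HijackThis reports as "O6" entries, then remove them only on request.
# Assumes PowerShell and reg.exe; the -Remove switch is this script's own.
param([switch]$Remove)

$keys = @(
    'HKCU:\Software\Policies\Microsoft\Internet Explorer\Restrictions',
    'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
)

foreach ($key in $keys) {
    if (-not (Test-Path $key)) {
        Write-Output "absent: $key"
        continue
    }
    # Show every value under the key (e.g. NoBrowserOptions, HomePage) so you
    # know which restriction each one imposes before deciding to fix it.
    $props = Get-ItemProperty -Path $key
    $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { Write-Output ("{0}  {1} = {2}" -f $key, $_.Name, $_.Value) }

    if ($Remove) {
        # Export first so the change can be undone with "reg import <file>".
        $regPath = $key -replace '^HKCU:\\', 'HKCU\'
        $stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
        $backup  = Join-Path $env:TEMP ("IE-policy-" + ($key -split '\\')[-1] + "-$stamp.reg")
        & reg.exe export $regPath $backup | Out-Null
        Remove-Item -Path $key -Recurse
        Write-Output "removed $key (backup: $backup)"
    }
}
```

    Run it once without `-Remove` to see what is actually set. A key that is empty or holds only values you recognise from SpywareBlaster or Spybot's "Immunize" is the case chaslang describes; a `HomePage` or `NoBrowserOptions` value you did not set is worth noting in the thread before it is deleted, since the poster's complaint about a changed start page is exactly what such a value produces.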
  13. RK233

    RK233 Private E-2

    You are probably right with me having too many protection programs. I installed most of them after my ZoneAlarm Pro failed a week ago in my attempts to debug things myself.

    I did install the SUPERAntiSpyware program several weeks ago and I have had problems with it still loading in my startup group even after having used their uninstaller and then Add/Remove Programs. I have finally been able to get rid of it by deleting various keys referencing it in the registry. [!SASWinLogon constantly appeared in the startup list.] I searched for SASWINLO.DLL in the registry and deleted all instances of it as well as the folders it was in, if appropriate and specific to that program. ----> solved... SUPERAntiSpyware is uninstalled!

    Many of these programs were very difficult to remove. I tried removing them by their uninstaller first, then by Add/Remove Programs, then by the Spybot uninstaller, then by the CCleaner uninstaller (if necessary), then by searching for remnants in folders/temp files/and the registry. Most programs were able to be removed but there may still be some remnants of some despite having done all that I could.

    I removed AntiHook 3.0, Panda ActiveScan, Panda NanoScan, Sandboxie, and Spy Sweeper.

    I uninstalled AVG free, but since I am not using the ZA Pro Internet Suite presently I re-installed it. (If I should do otherwise let me know.) I plan on uninstalling AVG after ZA Pro Internet Suite is reinstalled.

    There may still be remnants of AntiHook as it was listed in the CCleaner uninstall list. Sandboxie and HHINQBTHW (from AntiHook) are still both listed in services.msc (as remnants) but there is nothing else that I know of to do to remove them.

    I fixed the HJT O6 entries as you advised.

    Windows Update service now works as it should.

    Current Problems:

    In addition to the above I uninstalled my ZoneAlarm free. However, I am having difficulty re-installing it. I have tried deleting the ZoneAlarm C:\Windows\program files folder, the C:\Windows\internet log folder, and any temp files and registry keys referring to it. [I did make a backup of the registry before modifying it!!] I cannot re-install the ZA Pro Internet Suite from its CD either!!

    After uninstalling the above programs my Spybot uninstall program list with many programs vanished. I uninstalled Spybot and re-installed a fresh version of it. (I saved the logs in it elsewhere and backed up the folder under another name elsewhere first.) No improvement, but otherwise Spybot works fine.

    [If there are any other programs etc. that you recommend uninstalling and replacing with fresh copies please let me know (i.e. Ad-Aware, my drivers... in case corrupted).]

    Lastly, my Help & Support still loads slow.

    Somehow I have a lot of remnants that need to be cleaned up. I do not know if any critical files were lost during all this.

    I am attaching an updated HJT log and Newfiles log.

    Thank you for your guidance. I appreciate any additional help that you can provide me to rectify things.

    If I should continue corrections under guidance of another tech in another forum please refer me to the appropriate place and tech when appropriate.
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Actually you should be posting in the Software Forum, since none of what you are talking about is related to malware. All the experimenting you have been doing with protection software could have caused problems for you.

    In addition I have no idea what you just did to your PC. Your first newfiles.txt log from message # 2 had all of the below software showing as installed:
    And now your newfiles.txt log from message # 13 only shows the below which means that you have probably corrupted your registry or that you truly uninstalled a lot of software that you should not have uninstalled. Either way it is still not an issue for this forum:
     
  15. RK233

    RK233 Private E-2

    I was able to get a backed-up registry from 3/18/07 and I merged it into the current registry. The missing items that I would have seen in the Spybot uninstall section were re-populated (hopefully most if not all!).

    I then re-deleted Sandboxie, Java 1.5.0, SUPERAntiSpyware, ZoneAlarm Suite, etc. from locations found in file folders and the registry. HHINQBTHW and Sandboxie are still in the "Services" list even though they are not functional.

    I was able to do a search in the registry and delete most items but some "remnants" still remain and are "undeletable".

    My startup list seems to be back to normal. I re-ran HJT and re-fixed everything as appropriate.

    My computer seems to be back to normal with the exception that I cannot yet re-install ZoneAlarm free. Also, I need to find out how to completely get rid of the "remnants" of those above programs.

    Thank you for your assistance. I think that I will re-direct further inquiries to the Software forum as you recommend.

    This seems to be a ZoneAlarm AND/OR software compatibility problem. Now a registry fix issue too, from "remnants" of installed software not completely uninstallable by normal means.
     
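    The leftover HHINQBTHW and Sandboxie entries in services.msc are service registrations whose binaries were deleted by the uninstallers but whose `HKLM\SYSTEM\CurrentControlSet\Services` keys were not. The script below is an added example, not code from this thread, that finds every user-mode service whose binary no longer exists on disk and, only with its own `-Delete` switch, removes the registration with `sc.exe delete`. It assumes PowerShell with WMI (`Win32_Service`, which covers services but not kernel drivers) and an elevated/Administrator session; the `Get-ServiceBinary` helper is this script's own.

```powershell
# Added example (not from the thread): list services whose binary is missing
# from disk (leftovers of uninstalled software) and delete their registrations
# with sc.exe on request. Assumes PowerShell + WMI and an Administrator session;
# the -Delete switch and Get-ServiceBinary helper are this script's own.
param([switch]$Delete)

# PathName may be quoted and may carry arguments, e.g.  "C:\x\svc.exe" -k foo
function Get-ServiceBinary([string]$pathName) {
    if ([string]::IsNullOrEmpty($pathName)) { return $null }
    if ($pathName.StartsWith('"')) {
        return $pathName.Substring(1, $pathName.IndexOf('"', 1) - 1)
    }
    # Unquoted: take the text up to the first .exe/.sys, which handles the
    # common unquoted "C:\Program Files\foo\bar.exe -arg" case.
    $m = [regex]::Match($pathName, '^(.*?\.(exe|sys))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($pathName -split '\s+')[0]
}

$orphans = @()
foreach ($svc in Get-WmiObject Win32_Service) {
    $bin = Get-ServiceBinary $svc.PathName
    if ($bin -eq $null) { continue }
    # Some ImagePath values are REG_EXPAND_SZ with %SystemRoot% etc.
    $bin = [Environment]::ExpandEnvironmentVariables($bin)
    if (-not (Test-Path -LiteralPath $bin)) {
        $orphans += $svc
        Write-Output ("{0,-24} start={1,-8} state={2,-8} missing: {3}" -f
            $svc.Name, $svc.StartMode, $svc.State, $bin)
    }
}
Write-Output ("{0} service(s) with missing binaries" -f $orphans.Count)

if ($Delete) {
    foreach ($svc in $orphans) {
        # Stop it if the SCM still thinks it is running, then drop the registration.
        if ($svc.State -eq 'Running') { & sc.exe stop $svc.Name | Out-Null }
        & sc.exe delete $svc.Name
    }
}
```

    Run it without `-Delete` first and read the list: an orphaned service whose name you recognise from an uninstalled product is the case in this thread, but one with a random-looking name and a missing binary in a Temp folder is exactly what a malware dropper leaves behind, and deserves a look at its registry key (`HKLM\SYSTEM\CurrentControlSet\Services\<name>`) before it is removed. `sc.exe delete` marks the service for deletion; the entry disappears from services.msc after the next reboot if anything still holds a handle to it.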
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome and good luck!
     
