Possible malware/rootkit; also possible fp's from cleanup scans

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by CharlesG, Jul 26, 2008.

  1. CharlesG

    CharlesG Private E-2

    Hello,

    I hope you can help me with a possible malware/rootkit infection. Also, when running your XP cleaning programs, two infections were reported that I believe are false positives, and I would like to report them to the appropriate vendors. I submitted them to VirusTotal.com and both scored 0/35.

    The computer is a Thinkpad T60p with XP SP2. In early June (I think June 2), Comodo Firewall reported dangerous behavior from a new program. I shut the program down, but I believe it may have partially (or completely) planted an infection before I did. However, I have not noticed any obvious malware-induced behavior, such as browser hijacking or loss of network connectivity.

    I've run the MG cleanup procedure for XP and attached two zip files with all the logs. I also ran Gmer and included its log as well.

    Thanks for your help,

    Charles
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Which two? I only saw one false positive from Malwarebytes which was the below:

    I do not see any obvious infections on your system. I do question what the below two files are:
    Code:
    "C:\WINDOWS\"
    zork.dll      Jul  7 2008      300544  "zork.dll"
     
    C:\Documents and Settings\Linda\Local Settings\temp\
    zsrch.$$$     Jul 25 2008         148  "zsrch.$$$"
    
    The zsrch.$$$ file should just be deleted since it is in a temp folder anyway. Do you know what the zork.dll file is from?
     
  3. CharlesG

    CharlesG Private E-2

    Thanks. It's an awesome site! I really appreciate your clear instructions for cleaning my machine.

    ComboFix quarantined a weirdly-named file, but VirusTotal gave it 0/35. The CF log said:

    Code:
    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )
    
    C:\WINDOWS\system32\fddeabd0_r.dll
    No, and I can't find it in the registry (except for an MRU entry, which I deleted). VirusTotal gave it 4/35. I've attached the report and would appreciate your advice.

    Also, is there a way to eliminate the kernel code references to ComboFix that GMER found (after I did the ComboFix uninstall):

    Code:
    ---- Kernel code sections - GMER 1.0.14 ----
    
    ?    Combo-Fix.sys The system cannot find the file specified. !
    ?    C:\CFcf89\catchme.sys  The system cannot find the path specified. !
    ?    C:\WINDOWS\system32\Drivers\PROCEXP90.SYS     The system cannot find the file specified. ! 
    
    Thanks for your help!
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes but VirusTotal is far from perfect (they even say so on their web page) as are all scanners. Files with names like the above are most likely to be non-valid and unnecessary.

    They don't need to appear in your registry and again VirusTotal is not necessarily correct. Right click on zork.dll and select Properties and then click the Version tab (if there is one) and check who it belongs to.

    You can just delete the Temp file as it is not needed if it is in a Temp folder.

    How did you perform the Combo-Fix uninstall? These should be gone if uninstalled and they are not problems anyway.
     
  5. CharlesG

    CharlesG Private E-2

    The version number is 1.0.14.14536 and the language is Polish ... just like Gmer. :) (Although it isn't listed in Gmer's uninstall script -- gmer_uninstall.cmd -- and it is dated one day after the Gmer files.)

    I did. I also examined its contents and it is clear it was created by ZTree, my indispensable file manager (http://www.ztree.com). I've used it for about 10 years and without it I feel like I'm flying blind. I was surprised not to find it in the MG software library.

    I used the /u parameter (after first making a copy of the quarantine folder and log).
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'll see what I can come up with to remove the drivers that were left behind by ComboFix.

    Put a copy of this DLL into a ZIP file and attach it here.

    Is there any chance that it is related to ZTree?

    What about a game named Zork?
     
  7. CharlesG

    CharlesG Private E-2

    Thanks. I'd like to avoid fp's in the future, and I have no idea where the leftover "kernel" references to the drivers are located, or how to delete them. The drivers themselves were deleted in the uninstall.
    Done.
    No. ZTree keeps everything in its own folder ... and the only DLLs it uses are unrar and unzip32.
    I haven't played it for years (decades?). It's never been installed on this machine.
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No real conclusive info on the zork.dll file. I suggest that you rename it to zork.ddd and see how your PC runs without it over some period of time. If no problems occur and nothing complains about the file being missing, I would then just delete it.

    It is not really pointing out false positives or malware. It is just saying drivers being referenced do not exist. Let's try the below.

    Copy the bold text below to notepad. Save it as fixCF.reg to your desktop. Be sure the "Save as" type is set to "all files"

    Now to add the above patch to the registry, do the below.


    • Please go to this link: http://live.sysinternals.com/
    • find the psexec.exe file listed in the list and click on it and download and save it to your Desktop. Doing this properly is critical for other steps below.
    • Now click Start, Run, and enter cmd and click OK. This will open a command prompt window with a prompt that shows the current folder you are in.
    • For you the prompt should show C:\Documents and Settings\Linda>
    • Now type cd Desktop and hit the enter key. There is a space after the cd. If you do this properly, your prompt will change to C:\Documents and Settings\Linda\Desktop>
    • Type the below bold text and hit the enter key. This will open the Windows Registry Editor. You will have to agree to the SysInternals License Agreement first that pops up.
      • psexec -s -i regedit
    • In the Registry Editor click File, Import and then navigate to the fixCF.reg file on your Desktop and double click on it to import it into your registry. If it works properly you should get a success message.
    • If you get a success message continue on with the below, otherwise stop and explain to me any problems you had.
    Do you still have any problems?
     
  9. CharlesG

    CharlesG Private E-2

    I'll do that. I've also sent zork.dll in an email to Gmer, asking if it is his. I'll post his reply here if he answers.
    Before trying the registry fix, I rebooted a few times, then ran Gmer again. This time the offending messages did not occur (with or without zork.dll;)). I therefore searched the registry for catchme and PROCEXP90 and found the following:
    Code:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CATCHME
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CATCHME
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP90\0000, Service, PROCEXP90
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PROCEXP90\0000, DeviceDesc, PROCEXP90
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_PROCEXP90\0000, Service, PROCEXP90
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_PROCEXP90\0000, DeviceDesc, PROCEXP90
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP90\0000, Service, PROCEXP90
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PROCEXP90\0000, DeviceDesc, PROCEXP90
    
    There was nothing more in your posting, so I couldn't "continue on with the below". Is there something more I should do? Should I apply your registry fix even though the problem appears to have been solved?
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It's up to you whether you want to remove the drivers or not. They are not problems but you don't need them. If you run ComboFix again, both the CATCHME & PROCEXP90 entries will be added to the registry again. If you run GMER it will add the CATCHME entries.
     
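The "?" entries GMER listed earlier in the thread and the LEGACY_CATCHME / LEGACY_PROCEXP90 keys found afterwards are two views of the same thing: a driver record in the registry whose file is gone. The script below is an added example, not anything posted in the thread or shipped with GMER or ComboFix. It parses the three log lines exactly as posted, maps each missing driver to the tool this thread says installed it, and names the Enum\Root\LEGACY_ key where the stale reference lives. The KNOWN_TOOL_DRIVERS table and the rule that the LEGACY_ key name equals the driver's file stem are assumptions made for illustration; confirm both against the tools actually installed on your own PC before deleting anything.

```python
"""Triage GMER 'Kernel code sections' entries whose driver file is missing.

GMER prints a '?' line when a driver record in the registry points at a file
that no longer exists.  Right after uninstalling cleanup tools these are
usually the tools' own drivers; an unrecognised name deserves a closer look.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# The three lines posted in the thread (real log excerpt).
GMER_LOG = r"""---- Kernel code sections - GMER 1.0.14 ----

?    Combo-Fix.sys The system cannot find the file specified. !
?    C:\CFcf89\catchme.sys  The system cannot find the path specified. !
?    C:\WINDOWS\system32\Drivers\PROCEXP90.SYS     The system cannot find the file specified. !
"""

# Driver names that cleanup tools leave behind, as identified in this thread.
# Assumption: illustrative table, keyed by lower-cased file name; extend it
# with the drivers your own toolset installs.
KNOWN_TOOL_DRIVERS = {
    "combo-fix.sys": "ComboFix",
    "catchme.sys": "GMER catchme driver (also installed by ComboFix)",
    "procexp90.sys": "Sysinternals Process Explorer driver (installed by ComboFix)",
}

# One '?' line: bare path, the Win32 error text, a trailing '!'.
MISSING_RE = re.compile(
    r"^\?\s+(?P<path>\S+)\s+"
    r"(?P<error>The system cannot find the (?:file|path) specified\.)\s+!\s*$"
)


@dataclass
class MissingDriver:
    path: str
    error: str

    @property
    def filename(self) -> str:
        # Split on the backslash rather than os.sep so a Windows log can be
        # triaged on any machine.
        return self.path.rsplit("\\", 1)[-1]

    @property
    def legacy_key(self) -> str:
        # Assumption: the legacy service name equals the file stem, which is
        # what the CATCHME and PROCEXP90 keys in this thread show.
        service = self.filename.rsplit(".", 1)[0].upper()
        return rf"HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_{service}"


def parse_missing_drivers(log: str) -> list[MissingDriver]:
    """Return every '?' entry in a GMER 'Kernel code sections' block."""
    found = []
    for line in log.splitlines():
        m = MISSING_RE.match(line)
        if m:
            found.append(MissingDriver(m["path"], m["error"]))
    return found


def classify(entry: MissingDriver) -> str:
    owner = KNOWN_TOOL_DRIVERS.get(entry.filename.lower())
    if owner:
        return (f"leftover from {owner}; harmless, delete {entry.legacy_key} "
                f"as SYSTEM if you want a clean log")
    return "unknown driver name; identify it before deleting anything"


def triage(log: str) -> list[tuple[str, str]]:
    """(file name, verdict) for each missing driver in the log."""
    return [(e.filename, classify(e)) for e in parse_missing_drivers(log)]


if __name__ == "__main__":
    for name, verdict in triage(GMER_LOG):
        print(f"{name:14} {verdict}")
```

The reason the thread reaches for `psexec -s -i regedit` to remove these keys is that Enum\Root\LEGACY_* keys are normally writable only by SYSTEM, so a plain Administrator regedit import of the .reg patch fails on them; the script only tells you which keys to look at, it does not touch the registry.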
  11. CharlesG

    CharlesG Private E-2

    The drivers and the references to them both seem to be gone now, so all is well, for which I thank you.:-D As a last check, I ran the new 3.8 Rootkit Unhooker, and the only thing it found that I don't understand is this:
    Code:
    Rootkit Unhooker kernel version: 3.8.340.550
    ==============================================
    >Hooks
    ntkrnlpa.exe+0x0002CB40, Type: Inline - RelativeJump at address 0x80503B40 hook handler located in [ntkrnlpa.exe]
    ntkrnlpa.exe+0x0006DFFE, Type: Inline - RelativeJump at address 0x80544FFE hook handler located in [ntkrnlpa.exe]
    
    This didn't show up on any of the other logs. Is it a problem?
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It's not a problem.


    Now we need to cleanup some items from running ComboFix.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    If you are not having any other malware problems, it is time to do our final steps:
    1. You can uninstall SUPERAntiSpyware now.
    2. We recommend you keep Malwarebytes Anti-Malware as a scanner. It uses no resources except a little disk space until you run a scan.
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combo-fix" /u
        • Notes: The space between the combo-fix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combo-fix folder from combofix.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
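The two Rootkit Unhooker lines asked about above were judged harmless without an explanation, so here is the check behind that verdict as an added example; it is not code from the thread, from Rootkit Unhooker, or from MajorGeeks. Each RKU hook line gives the hooked image plus offset, the absolute address, and the image that owns the hook handler. The first question is whether control leaves the hooked image: a handler inside ntkrnlpa.exe itself is the normal shape of the kernel's own patches, whereas a handler in a driver you cannot account for is what to chase. A second, cheaper check falls out of the same line: address minus offset is the image's load base, and every hook reported in one image must agree on it, otherwise the line is mangled or misattributed. The two ntkrnlpa.exe lines are the real ones from the thread; the third line, pointing at "unknown.sys", is constructed for this example and was not in the poster's log. One caveat: a same-image handler rules out the usual case of an outside driver intercepting the call, it does not prove the bytes are pristine, which is why this verdict should sit alongside clean results from the other scanners rather than replace them.

```python
"""Triage Rootkit Unhooker '>Hooks' lines: does control leave the image?"""
from __future__ import annotations

import re
from dataclasses import dataclass

# First two hook lines: real, from the thread.  Third: constructed for this
# example (a hook whose handler lives in a driver we cannot account for).
RKU_LOG = """Rootkit Unhooker kernel version: 3.8.340.550
==============================================
>Hooks
ntkrnlpa.exe+0x0002CB40, Type: Inline - RelativeJump at address 0x80503B40 hook handler located in [ntkrnlpa.exe]
ntkrnlpa.exe+0x0006DFFE, Type: Inline - RelativeJump at address 0x80544FFE hook handler located in [ntkrnlpa.exe]
ntkrnlpa.exe+0x0007A3D0, Type: Inline - RelativeJump at address 0x805513D0 hook handler located in [unknown.sys]
"""

HOOK_RE = re.compile(
    r"^(?P<module>[^+\s]+)\+0x(?P<offset>[0-9A-Fa-f]+), Type: (?P<kind>.+?) "
    r"at address 0x(?P<addr>[0-9A-Fa-f]+) hook handler located in \[(?P<handler>[^\]]+)\]\s*$"
)


@dataclass
class Hook:
    module: str
    offset: int
    kind: str
    address: int
    handler: str

    @property
    def image_base(self) -> int:
        # RKU prints both the RVA and the VA, so the load base falls out.
        return self.address - self.offset


def parse_hooks(log: str) -> list[Hook]:
    hooks = []
    for line in log.splitlines():
        m = HOOK_RE.match(line)
        if m:
            hooks.append(Hook(m["module"], int(m["offset"], 16), m["kind"],
                              int(m["addr"], 16), m["handler"]))
    return hooks


def image_bases(hooks: list[Hook]) -> dict[str, set[int]]:
    """Load base(s) implied by the hooks reported in each image."""
    bases: dict[str, set[int]] = {}
    for h in hooks:
        bases.setdefault(h.module, set()).add(h.image_base)
    return bases


def classify(hook: Hook, trusted: frozenset[str] = frozenset()) -> str:
    # 'trusted' is the set of driver file names you installed yourself
    # (firewall, antivirus, display driver); assumption: you maintain it.
    if hook.handler.lower() == hook.module.lower():
        return "expected: handler stays inside the hooked image"
    if hook.handler.lower() in trusted:
        return f"accounted for: {hook.handler} is a driver you installed"
    return f"investigate: control leaves {hook.module} for {hook.handler}"


def triage(log: str, trusted: frozenset[str] = frozenset()) -> list[tuple[str, str]]:
    hooks = parse_hooks(log)
    report = [(f"{h.module}+0x{h.offset:08X}", classify(h, trusted)) for h in hooks]
    # Disagreeing bases mean a garbled line or a hook attributed to the wrong
    # image, and then the verdicts above are not to be trusted.
    for module, bases in image_bases(hooks).items():
        if len(bases) > 1:
            report.append((module, "inconsistent image base across lines; re-check the log"))
    return report


if __name__ == "__main__":
    for where, verdict in triage(RKU_LOG):
        print(f"{where:24} {verdict}")
```

On the poster's two real lines both hooks resolve to the same base, 0x804D7000, and both handlers are inside ntkrnlpa.exe, which is the "not a problem" outcome; the constructed third line shows what an entry worth asking about looks like. The `trusted` set is where the Comodo, Antivir and ATI drivers mentioned later in the thread would go once you have confirmed their file names on your own machine.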
  13. CharlesG

    CharlesG Private E-2

    The registry cleanup worked fine. The keys (if they ever existed) are gone and the values are gone as well.:)

    I did have some questions about the prevention recommendations with regard to my setup and habits. Here is the security strategy I came away with; I'd appreciate your comments:

    1. Firewalls:

    Router with SPI and NAT. Wireless restricted to specific MAC addresses.

    Comodo Personal Firewall

    2. Real-time Protection:

    Comodo Defense+ HIPS.
    Avira Antivir Personal with Guard enabled.

    3. Scheduled nightly scans:

    Avira Antivir
    SpybotSD

    4. Occasional rootkit scans:

    Gmer
    Rootkit Unhooker

    5. Occasional anti-malware scans:

    Super AntiSpyware
    Dr.Web Cureit
    MalwareBytes

    6. System Restore

    Not active. Instead there is a scheduled nightly backup of all disks using Image for Windows (which allows individual files to be restored, as well as full partitions). I keep two to four weeks of backups on a NAS. Also, I save the registry with ERUNT before program installs.

    7. Browsing

    Internet Explorer is used only for Windows Update, and for rarely used things like online virus scanners that require ActiveX. Nevertheless, I immunized it with Spybot.

    Firefox 3 with phishing and attack site blacklists enabled. Also NoScript and AdBlockPlus. In addition to ABPs usual blocklist, it also blocks all sites on the MVPS list of 40K malware sites.

    Firefox asks permission before allowing any cookies. I allow them only for the session, unless they are from trusted sites and have long-term value (such as to keep me logged in, or remember preferences).

    I didn't install SpywareBlaster, or let Spybot immunize Firefox or create a Hosts file, because I believe they would just duplicate the above protections.

    Did I get any of this wrong? Is there anything else I should -- or shouldn't -- be doing?
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Running an antivirus and Spybot scan each night may be overkill. Do you leave your PC running all the time to allow this to be done when sleeping? Do not run both scans at the same time to avoid potential conflicts.

    Do you know how to read the logs from the rootkit scanners? If not, what are you going to do with them?


    This does use lots of bandwidth and has an impact on performance. Also I'm not sure it blocks the sites. It may only block iframes and flash objects from those sites if you go to them. You may still need the hosts file protection from Spybot or similar. See the below page and also read the reply to user comment number 6.

    http://adblockplus.org/blog/blocking-malicious-sites-with-adblock-plus
     
  15. CharlesG

    CharlesG Private E-2

    Yes, they run at night and at different times. The image backup also runs at night, and at a different time.
    I can read them a bit, enough to ignore hooks caused by Comodo or Antivir or ATI. Also, I can compare logs to see if anything has changed. If there are hidden registry entries or files, I can research them to see if they are harmful. If I ever do get hit with something, an expert (from Major Geeks?) might be able to tell from the logs when it happened, and I might have a backup image from before that date to use if the system can't be cleaned.

    But I would like to learn how to read them. Can you point me to a source?
    Actually, I had read that article and comments beforehand. I've noticed the 4-second delay he mentions in loading Firefox, but (as he said) there is no perceptible delay when browsing. I have a fast cable connection so the bandwidth for maintaining the list isn't really an issue for me. (Doesn't it use the same bandwidth for ABP as it would if I used the same MVPS list as a host file?)

    I realize that ABP doesn't block access to the sites, but Firefox 3 has a new built-in service that does that job (on the Security tab). It uses a Google service and the StopBadware.org database. I prefer it to a hosts file because it is restricted to genuine attack sites and phishing sites, and it allows me to override a block if I think their database is wrong.

    Please know that I took your comments very seriously, and I researched, downloaded, and examined the content of every hosts file mentioned in the Wikipedia hosts article. With a single exception (Airelle), they all mix genuine threats with ad servers, porn, gambling, and whatever else offends their authors, and lack any method for automatically selecting just the categories one might need. And being hosts files, if you disagree with a block you can't just override it (which is why I prefer FF for access blocking and NoScript and ABP for object blocking).

    While doing the hosts research, I found McAfee SiteAdvisor, and I was impressed with its disciplined methodology for identifying dangerous sites. So I installed the SiteAdvisor Firefox extension.

    I also installed SpywareBlaster's IE protections, in case I ever use IE again. ;)
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There are no real complete tutorials. You can access the GMER site ( www.gmer.net ) when they come back up (they are currently down).

    No. The filters are always downloaded from ABP. The hosts file is already on your PC once you put it there.

    Still wastes more bandwidth, time, and resources than a hosts file.

    A simpler solution that I prefer anyway is not to use a hosts file as I find it unnecessary in most cases and it can slow browsing down when the hosts file gets very large. I don't like the workaround of modifying DNS setup. ( You can read about this here: http://www.bleepingcomputer.com/tutorials/tutorial51.html ) But as I said I prefer a default hosts file on my PCs, and I just use Spybot to add a load of things to the RZ and then I also use Spyware Blaster. In addition to these I have my firewall, antivirus, and realtime antispyware blocking.
     
  17. CharlesG

    CharlesG Private E-2

    Thanks. I read it and it helped. Now where can I learn how to tell (as you did a few posts ago) whether an inline jump is ok or whether it indicates a possible rootkit?
    You can download the ABP filters just once, same as a hosts file.
    Wouldn't that depend on how often the hosts file is updated? If you choose automatic updating of ABP filter subscriptions, updates are only downloaded when the filter set changes. To get equivalent protection from a hosts file, you'd have to download hosts file updates when they occur.
    I've taken your advice on all of those, including Spyware Blaster, for all of which I thank you. The only difference is that since FF is my only browser, and since I have no practical bandwidth limitations, I've also opted to use automatically updated FF and ABP blocklists.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then you should be good to go. Obviously you will still need IE on occasions where certain websites (including Microsoft) require it, which is why proper protection for IE is still important. Also some software may default to using IE for background or foreground updates. Thus you still need to worry about proper protection for IE.
     
  19. CharlesG

    CharlesG Private E-2

    I understand. Like you, I'm using Spybot and SpywareBlaster for IE protection.

    Charles, thanks so much for your advice and assistance. It was a pleasure to work with a professional of your calibre.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. And thanks! ;)

    Surf safely!
     
