Possible rootkit infection?

Welcome to Major Geeks!

Before we can continue, you need to put your PC into normal startup mode with MSconfig. This was requested in step 1 of the READ & RUN ME where we stated not doing this would delay getting help. After doing this, you will need to attach a new MGlog.zip file by doing the below.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file which will be created.


And just to check for rootkits since you are worried about them, run this Running GMER to detect rootkits and attach the requested log.

 

Okay then based on the logs you have attached, there is only a little minor cleanup. Mostly of things that never uninstalled properly due to you having been using MSconfig.

Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dumps_startup
O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O23 - Service: G - Unknown owner - C:\DOCUME~1\David\LOCALS~1\Temp\G.exe (file missing)

After clicking Fix, exit HJT.



Now we need to use ComboFix to remove a bunch of malware files.

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.


Now run Ccleaner!

Now you can fix your clock from Control Panel ->Regional and Language Options and then on the Regional Options tab click the Customize button then on the next form click the Time tab. Then change the Time format to what you want. It explains there what the lower case and upper case letters will do. Upper case H is giving you 24 hour clock settings.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it.



Then attach the below logs:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Yes it was but it does not need to be there as a permanent service wasting system resources while the program is not even running.

Not accoring to any of your logs and seeing as how you had multiple other rootkit scanners installed, you probably noticed they found nothing too.

Scans crash all the time for non-malware reasons. Could be problems within your Windows OS or conflicts due to other software you are running.

The only other items on your system that I even wonder about are the below

Code:

2008-06-11 23:44 . 2008-06-11 23:44 1,720,086 --a------ C:\WINDOWS\system32\TmpA24604843
2008-05-30 00:10 . 2008-05-30 00:13 22 --a------ C:\name.reg
2008-05-29 21:32 . 2008-05-29 21:32 30,001 --a------ C:\WINDOWS\gktemp.wat
2008-05-29 21:25 . 2007-12-24 18:50 926,720 --a------ C:\keymaker.exe
2008-05-27 19:37 . 2008-05-27 19:37 0 --a------ C:\WINDOWS\system32adsŽñz.JPG

The last one I would just delete immediately since it is zero bytes and due to the strange name.

 

First I see that you are working on another forum here:

http://forum.sysinternals.com/forum_posts.asp?TID=15235&PID=73478

It is a waste of precious resources (the malware fighters) to do this and it can be dangerous and cause confusion for the two fighters since they don't know about each other.

Please choose one forum where you want to work and remain there.

An FYI for you, the user named CooKooBird who posted in the 7:29 PM message to you is giving you incorrect information. MEMSWEEP is not malware. It is from you installing Sophos AntiRootkit. The C:\WINDOWS\system32\1D.tmp file is also part of Sophos.

Also CooKooBird implied that Flashget may be a problem and it is not. You do not have the trojan. You downloaded and installed the Flashget Download Manager yourself which is a valid program.

 

I am taking you serious. All I had stated was that based on the info you had provided be up to the point of my comment was that there were no problems found. You more recent logs show some additional data that bares further investigation. But there is a possibility that the file spho.sys may already be gone or it is just hidden beyond the ability of the tool to find. I will think about what to do next and get back to you.

 

This is more than likely not a problem. It is just a ROT13 encoded message. If you paste the HRZR_EHACVQY:%pfvqy2%\GUD\Jvagre Nffnhyg\Qnja bs Jne - Jvagre Nffnhyg.yax string into the below link

http://rot13-encoder-decoder.waraxe.us/


and translate it you will see the below:

UEME_RUNPIDL:%csidl2%\THQ\Winter Assault\Dawn of War - Winter Assault.lnk

Is this a game you play?

 

Sorry but CooKooBird is incorrect. The MEMSWEEP2 registry keys are all added when you install and run Sophos AntiRootkit. They appear after running the scan the first time. Actually they appear almost immediately after you start the scan. The tmp file is also part of the scan.

Getting proof is rather simple. Just run Sophos AntiRootkit and you will see it show up. You don't need to do what CooKooBird suggested in his 8:14pm post because MEMSWEEP2 is from Sophos AntiRootkit. We already know this due to years of malware removal experience.

 

Two possible reasons you cannot find it.

1. One would be based on the ability of the the malware (if it is malware) to hide the file. You would normally not be able to see files hidden by a rootkit program using normal programs so that would be expected. The specialty tools will normally find and reveal the files though. However the tool you ran only pointed out hooked entries in the registry and did not find the file when you had it check. Thus the file either does not exist or it is capable of hiding from the tool you ran.
2. The second is that it may already be gone and all that the scanner is finding is regisrty information that is left over.

Download Registry Search (see the link titled RegSearch Download Link)

* Extract the files from Regsearch.zip into a folder.
* Doubleclick regsearch.exe to start the program.
* Enter spho.sys in the top area of the form and then click "OK".
* Notepad will be opened with text in it (the file named RegSearch.txt will be saved in the program's folder as well). Attach this file to your next reply.

 

There is a very strong possibility that this driver is related to protection software for the games that you have installed. Especially since you say it hooks the CD ROM driver. If you do find it and remove it, you may break the games that require it to be in place.

You create a bootable CD like below and use it to bootup your PC. Since Windows will not really be running from your hard disk but rather from the CD, you will be able to hunt around on your hard disk to see if the file can be located. Any protection put into place by any stealth/rootkit like software will not be loaded and will not block you from finding the file if it really exists. Just remember that if it is for your games, they may not work anymore.

Make this CD which should be in everyone's tools chest anyway: UBCD4Win

 

The link on their web page explains it. See How to Build in the left column: http://www.ubcd4win.com/downloads.htm

It will boot up to a Windows like environment. It is rather intuitive to figure out. It has a much better Explorer interface built in so it is easy to hunt around thru folders.

Ours will be updated soon but you can just download it from the author in the meantime.

 

I suggest that you post a message in the Software Forum explaining your problem with creatng this CD. If there are any error messages, provide the exact word for word message. I have built these CDs several times and never had a problem. Did you copy your Windows CD to the hard disk as instructed? If not, this is often the cause of failures.

 

As I said from the beginning.... your logs were clean and we only did some minor cleaning to remove some unnecessary items. There was no malware as far as I was concerned.

It is not a malware scanning tool per say. It is just a great tool. But it does allow you to run scans since it has a whole bunch of added software that is installed with it. To make the CD, you need a real Windows bootable CD.

 

You're welcome. Surf safely and be sure to check out the below.

How to Protect yourself from malware!