possible rootkit? logs attached

Discussion in 'Malware Help (A Specialist Will Reply)' started by greasemonkey, Jun 2, 2009.

  1. greasemonkey

    greasemonkey Private First Class

    Hi,

    First of all, I'm not too sure if I am in fact infected, but recent events have raised my paranoia levels.

    First of all I'm running the Windows 7 64bit RC, Build 7100 which was downloaded from Microsoft (not one of the leaked builds with built in trojan).

    I've been noticing that my machine has started behaving oddly: random slowdowns, unexpected net activity, etc.
    Hmm, I thought, something must've gone wrong when I installed something. I went to System Restore only to find that System Restore had been disabled?!... I certainly hadn't turned it off manually.

    I ran Malwarebytes Anti-Malware and it found some randomly named .sys files which it classified as rootkit.bagle, which it then quarantined and deleted successfully (logs attached).
    I ran SUPERAntiSpyware and it found nothing.
    I then tried to run a couple of online scanners: Trend Micro (crashed, couldn't install kernel driver) and Kaspersky (also wouldn't load).
    I did run ComboFix, but it spat out a 64-bit compatibility error... I should have read some more before trying that.

    I've tried running various anti-rootkit programs (GMER, pavark, RootkitBuster); all seemed to have issues of some sort, "not 64-bit compatible" or "operating system not supported" type errors.

    I ran FindyKill as per the post describing how to remove Bagle; it found a couple of files in my prefetch folder (2 logs attached).

    Upon further reading, I suspect the initial files found by MBAM to be false positives as I had been mucking about with the anti-viral toolkit AVZ4 a few weeks ago, which apparently loads drivers with randomised letters such as the ones found.

    But what concerns me is the files that FindyKill found in the prefetch folder, C:\Windows\Prefetch\PATCH.EXE-084DF025.pf and C:\Windows\Prefetch\WINUPGRO.EXE-CCC1740C.pf, and how did System Restore get disabled?

    So, my question is:
    Are the issues I've had with various antivirus/anti-rootkit programs problems with the 64-bit OS, or do you think there is something more sinister at work?
    I'm a bit of a newbie with 64-bit, and am still getting my head around the compatibility issues faced, but hopefully someone can shed some light.

    Thanks for your time

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Those were just false detections. As you suspected, they are from AVZ4. AVZ4 will typically cause drivers like the below to be seen:
    C:\WINDOWS\System32\drivers\vdezmza0.sys
    C:\WINDOWS\System32\drivers\utezmza0.sys

    The WINUPGRO.EXE file is a common sign of a Bagle infection but you show no signs of a bagle infection and this file would normally be seen loading at startup and the registry value would be called drvsyskit if you had a Bagle infection.

    Unknown.

    Some are issues due to 64-bit compatibility. Many programs do not support it. And some may also be issues with Windows 7 compatibility. You could inquire on specific compatibility of certain programs with Windows 7 by posting in our Software Forum.

    Your logs are clean. You are not having malware problems.



    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. After doing the above, you should work through the below link:
    Last edited: Jun 4, 2009
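    chaslang's reasoning above separates a weak indicator (a WINUPGRO.EXE entry in Prefetch, which only says the name was executed at some point) from the persistence indicator that would actually confirm Bagle (a startup Run value called drvsyskit). The triage helper below is an added example, not MajorGeeks' or FindyKill's own code: it parses Prefetch file names, checks constructed Run-key entries, and returns a verdict that follows the same weighting. The sample Prefetch names for PATCH.EXE and WINUPGRO.EXE are the ones from the thread; the NOTEPAD.EXE entry, the Sidebar Run value and the "infected" Run value in the test are constructed for illustration, and the decision thresholds are this example's own assumption.

```python
import re
from dataclasses import dataclass

# Indicators quoted from chaslang's reply: Bagle is normally seen loading
# WINUPGRO.EXE at startup through a Run value named "drvsyskit".
BAGLE_EXE_NAMES = {"WINUPGRO.EXE"}
BAGLE_RUN_VALUE = "drvsyskit"

# Prefetch file names have the form EXENAME-HASH.pf (8 hex digits).
PREFETCH_RE = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-Fa-f]{8})\.pf$")

# Constructed sample input modelled on the thread: the first two Prefetch
# entries are the ones FindyKill reported; the third and the Run value are
# made-up benign entries.
SAMPLE_PREFETCH = [
    "PATCH.EXE-084DF025.pf",
    "WINUPGRO.EXE-CCC1740C.pf",
    "NOTEPAD.EXE-D8414F97.pf",
]
SAMPLE_RUN_VALUES = {
    "Sidebar": r'"C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun',
}


@dataclass
class Finding:
    indicator: str   # what matched
    evidence: str    # where it was seen
    weight: str      # "weak" (execution trace only) or "strong" (persistence)


def parse_prefetch_name(name):
    """Return (EXE_NAME, HASH) for a Prefetch file name, or None if malformed."""
    m = PREFETCH_RE.match(name)
    if not m:
        return None
    return m.group("exe").upper(), m.group("hash").upper()


def exe_from_command(command):
    """Extract the bare executable name from a Run-value command line."""
    first_token = command.strip().lstrip('"').split("\\")[-1].split()[0]
    return first_token.strip('"').upper()


def triage(prefetch_files, run_values):
    """Collect Bagle indicators from Prefetch names and Run-key values."""
    findings = []
    for name in prefetch_files:
        parsed = parse_prefetch_name(name)
        if parsed and parsed[0] in BAGLE_EXE_NAMES:
            # A Prefetch entry alone proves only that the name ran once;
            # it is not persistence, so it is weighted "weak".
            findings.append(Finding(parsed[0], f"prefetch entry {name}", "weak"))
    for value_name, command in run_values.items():
        if value_name.lower() == BAGLE_RUN_VALUE:
            findings.append(Finding(BAGLE_RUN_VALUE,
                                    f"Run value {value_name} = {command}", "strong"))
        if exe_from_command(command) in BAGLE_EXE_NAMES:
            findings.append(Finding(exe_from_command(command),
                                    f"Run value {value_name} = {command}", "strong"))
    return findings


def verdict(findings):
    """Assumed decision rule: persistence => likely; trace only => inconclusive."""
    if any(f.weight == "strong" for f in findings):
        return "likely Bagle: startup persistence present"
    if findings:
        return "inconclusive: prefetch trace only, no persistence found"
    return "no Bagle indicators"


if __name__ == "__main__":
    found = triage(SAMPLE_PREFETCH, SAMPLE_RUN_VALUES)
    for f in found:
        print(f"[{f.weight}] {f.indicator}: {f.evidence}")
    print(verdict(found))
```

    On the thread's own data the script reports only the weak Prefetch trace and returns the "inconclusive" verdict, which is the same conclusion chaslang reached: the file name was seen, but without the drvsyskit startup value there is no live infection to act on. Populating the two inputs from a real machine (a directory listing of C:\Windows\Prefetch and an export of the HKCU/HKLM Run keys) is left to the reader.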
  3. greasemonkey

    greasemonkey Private First Class

    Hi chaslang,

    Thanks for having a look. I am quite relieved to know there's nothing in here, but I am curious to know how winupgro.exe ended up in the prefetch folder?

    Most strange

    I've learned heaps from reading these forums, so will look into compatibility issues in the software forum...

    Again, thanks heaps,

    GM
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Honestly I cannot answer that since no other signs of a Bagle infection are showing.

    You're welcome. Surf safely.