rootkit or bootkit?

Discussion in 'Malware Help (A Specialist Will Reply)' started by NOS69, Apr 22, 2011.

  1. NOS69

    NOS69 Private E-2

    Greetings,
    About 3 weeks ago I was doing something I should not have been (live streams, never again) and the Microsoft Security Essentials program went nuts and my Avast and ZoneAlarm died instantly. MSE found about 20-25 infected files and, having been in shock and my computer rendered useless within seconds, I didn't get to type the names of the malware, but I do remember one was a rootkit. All the icons on my desktop I tried became useless and I thought the only option I had was format/reload. Actually it was, since I couldn't do anything else. I came here, having used the utilities to keep my computer well fortified, so I was already familiar with a lot of the Malware Removal Procedures. I got ComboFix and had run it and it found rootkit activity during the scan after having formatted and reloaded. I did this several times and it kept removing stuff and finding some again and again... I eventually found the Malware Removal Procedures thread again and went through everything. Every time nothing but ComboFix found something, and when rebooting it would find it again and again... In fact every time I format and reload and run the procedure I have different things pop up in the logs. Since I don't understand them, I can't say I know what is going on. I've attempted to delete MBRs and partitions with every tool at my disposal, wrote zeros, and I still believe my computer is infected. The only proof I have right now is that my services list isn't showing Server in Administrative Tools, which I know is unusual for both my Windows CDs, SP2 and SP3. I'll attach the most recent logs since my format and reload today, and please tell me what you think. I like to be able to do things myself but after weeks of trying I can no longer persist. Thank you. And yes, lesson painfully learned :(

    I'll post some other logs from alternative scans you recommended in the next post and the MGtools logs.
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    We still need to see the log from running C:\MGTools.exe -- C:\MGLogs.zip

    Now, please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!


    Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.

    • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
      Vista/Windows 7 users right-click and select Run As Administrator.
    • If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123tdk.com).
    • Click the Start Scan button.
    • Do not use the computer during the scan
    • If the scan completes with nothing found, click Close to exit.
    • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_14.17.05_log.txt) will be created and saved to the root directory (usually Local Disk C).
    • Attach this log to your next message
     
  3. NOS69

    NOS69 Private E-2

    Sorry, I was under the impression I had to just reply to my own thread to finish, not start a new thread. I've included my MGTools log, the TDSSKiller log, another RootRepeal log I subsequently did after renaming the RR file, and the RootkitRevealer log. Additional scans I'll post in the next. Another anomaly I noticed that I can confirm as suspicious is that when I format and reload I no longer need to phone in to activate Windows since the infection. A plain scan with TDSSKiller found nothing, by the way.
    Thanks again :)
     

    Attached Files:

  4. NOS69

    NOS69 Private E-2

    Here are the final scans, which are from Kaspersky's free scan and SysProtect. I have some of the older logs like MBR check which didn't look suspicious at all, so I didn't include those. More useful info might be that when I did ComboFix a few times earlier, it failed to find anything, but after a bit of use of the computer as it was after format and reloading, it did find rootkit activity eventually. Is that odd?
    Thanks again :)
     

    Attached Files:

  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am not seeing any malware in your logs. Please tell me what these are:
    C:\Documents and Settings\Blert\Desktop\ze.exe
    C:\Documents and Settings\Blert\Desktop\hg.exe
    C:\fu.exe

    When you have reformatted, are you reinstalling things from backup sources?
     
  6. NOS69

    NOS69 Private E-2

    Those are my renamed files for scanning as a precaution. I just gave them random names to make sure they wouldn't be blocked. Reinstalling Windows from 2 real XP CDs and Mandriva. I originally was using a flash drive for my downloading of scanners but I switched to my external and store things there rather than risk infection, unless I am really naive. I'm running Mandriva from LiveCD most of the time right now since I am sure there has to be something interfering in the boot process. I deleted the backup partition that came with the computer when I first reformatted because I know that would have likely been infected as well; I've had to try and clean someone's computer years ago and theirs was infected, so I've been aware of that as a possibility at least. Unfortunately that's about the extent of my knowledge. Is it possible to have physical memory infected as well, or can something be hiding in my boot sector or somewhere else I'm unfamiliar with?
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am not seeing any evidence of an MBR infection. Have you been scanning your flash drive as well as your external drive? What malware symptoms are you having, if any?
     
  8. NOS69

    NOS69 Private E-2

    The scans where I could select those drives I did, I can redo them again. Which should I use for those or should I just go through the entire procedure again with the drives mounted?

    Symptoms:
    -Sometimes I got no symptoms until later on

    -Sometimes the scans came up with rootkit activity after using the computer for a while after a format and reload.

    -Sometimes after format and reload I'd get random findings like an SAS file was infected so I redownloaded them all from LiveCD not Windows.

    -There are processes missing from my Administrative Tools Services like Server (I cannot recollect all the available services, but that is one I always shut down with a fresh install and no matter which Windows I use it's never there any more, no updates installed-completely fresh.)

    -Activating Windows no longer requires a phone-in since the infection (I read about this being able to be spoofed by some kits.)

    -After a while icons on desktop like IE and Windows Update weren't functioning at all and I couldn't disconnect my ethernet at will. (Can the entire update process be spoofed too?)

    -I tried to run Kaspersky's Flash scan at bootup and it won't let me. (I feel I may have got rid of some other viruses but there seems to be something deeper than that.)

    -Some files have been quarantined by Combofix before including a tcpip.reg file and some random files including logs and text files.

    I'm not sure if this is a symptom, but when I tried to wipe partitions and make new ones, I couldn't get access to anything before the 63rd cylinder.

    I have older logs but not all of them unfortunately, I lost control of my computer after the original Combofix scan. I can include the ones I do have next post if you like.
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Mount your drives and run both SAS and MBAM. Do a deep scan with them. If you have logs that show some infections that weren't removed, then do attach them. Some of your issues will probably need to be addressed in the software forum.
     
  10. NOS69

    NOS69 Private E-2

    Ok this time I did the 2 scans recommended and for SAS I used the installed version rather than the portable. Here are the logs. It did find stuff on my external; the problem is, this was a forgotten file I hadn't run in I don't know how long and forgot I even had it. The MBAM scan found 4 files that had never been detected either by antivirus software of any sort, like the SAS detected file. It took a while because it's about 1/2 TB worth of stuff to scan, which is why I never scanned it when doing the recommended ones, since I wasn't running anything off there until I was doing the Malware Removal Procedure. It might have saved me some headaches. For the hell of it, since I hadn't formatted for a while, and ran some stuff, I decided to give ComboFix another shot and here came the notice I was waiting for: 'rootkit activity detected!' Finally! The quarantined file was the same mentioned in my last post: tcpip.reg, which I have included in this post for you to check out. It's probably the same thing I had every time. I was starting to wonder if this could be repeated and now that I am seeking help, it wasn't happening, so I was worried. lol Anyway, here are the next scans' logs. Would the snapshot ComboFix file be of any use?
    Thanks again :)
     

    Attached Files:

  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I don't see where Combo quarantined any file. Give me the exact path if you would.

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2


    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      tcpip*
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  12. NOS69

    NOS69 Private E-2

    Combofix:
    Didn't quarantine the file, just gave me the tcpip.reg backup. This is the most frequent result from ComboFix with random files quarantined, even text or log files if I remember correctly, and SUPERAntiSpyware's uninstall file when it had a .vir extension.

    SystemLook:
    I tried downloading them from both links and I got this error when trying to run it:
    "This application has failed to start because the application configuration is incorrect. Reinstalling the application may fix this problem."

    I even renamed the file and it didn't work.
     
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Are you sure that LiveCD is not infected? And what do you mean you redownloaded them from Windows? Doing a complete reformat and reinstall would not leave any malware on your system. Plus it should not leave you with some of the other issues you are having, such as with services.

    I think we will need to send you to the software forum to try to straighten out your system.
     
  14. NOS69

    NOS69 Private E-2

    I don't know if I mentioned, but my LiveCD is Mandriva, not Windows. I have Windows installed on my hdd and not Mandriva (which I'm running from LiveCD because I was assuming it would be safer to access the net with the most.) The 2 versions of Windows XP I have are official: the SP2 I've been using for about 7 years, and the new SP3 one is one for refurbished computers. They are both giving me the Server service and probably others unavailable, while SP2 never had this issue until my recent infection. I downloaded the SystemLook file while running Windows. However, LiveCD Mandriva I did download and made the CD myself from their official .iso a few years ago.

    This may be useful to know as well, not sure. The BIOS for the new computer had a "security" feature for theft and I read it was a legal rootkit which made your computer vulnerable so I disabled it permanently since that was the only option. Unfortunately I only did it after the infection. I'm not worried about theft, this isn't a company computer anymore, but it likely was at one point. I also read that there's a Windows update file that was making computers vulnerable which isn't available any more but I wonder if it was or is on my SP3 cd and gets installed when I do a format and reload.
     
  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Well, regardless, I am not finding any malware in your logs. As far as I can tell, your system is clean. I strongly suggest you post in the software forum for your other issues.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources (except a little disk space) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work thru the below link:

     
  16. NOS69

    NOS69 Private E-2

    Just the original post I started with or focus on the Windows stuff? One final question, how come SystemLook wouldn't work?
     
  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I would focus on the Windows issues.

    I have no idea why System Look did not work for you, but it may be related to your windows issues.
     
  18. NOS69

    NOS69 Private E-2

    Ok I did one final try, downloading it from Mandriva and it said it wasn't a valid Win32 file so that second one was for Linux I guess.

    Thanks for your time and patience, hopefully there won't be a next time. I say hopefully because if it does, it would be something out of my control, not because I'm going to be doing anything stupid any more ;)

    NOS69

    PS I've decided to try out Comodo, so hopefully that will work better than the last ones I tried.
     
  19. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are quite welcome. Safe surfing. :)
     
  20. NOS69

    NOS69 Private E-2

    Right so we have a whole new set of problems now that I can't figure out where to begin. I was running my Windows about to start over trying to do final scans and nothing at all was working. ComboFix every time I ran and redownloaded it was "corrupt", I couldn't install Comodo, and various other things. My frustration level with this computer has risen exponentially since I was about to restart. I did a Windows reinstall from my official WinXP SP2 CD and deleted the partition, rebooted to Recovery Console to try fixmbr a few times after rebooting, to which I got the message that the MBR was nonstandard or invalid MBR. Redid the MBR with the Console and each time it gave me that message. I got fed up after 4 tries and decided to install clean WinXP. I found the source of my Server issue btw, it was because I was uninstalling File and Printer services at XP install and after, it gave me the same thing; once reinstalled, Server reappeared. To note, I was downloading IE8 from Microsoft's site and installed it; it didn't perform the malware check each time I tried but did everything else. I got suspicious after that and the usual Windows Update icon in my Start Menu was not working again. So I redownloaded ComboFix and I got the following log I've included. It appears even my first download was able to be infected. If I didn't need stupid Windows I wouldn't bother, but I have a suspicion it's not any better if I use Mandriva either. I'm sorry this is such a frustrating exercise, but I really thought it was all done and over with, so I'm back at square one again. I deleted the whole Windows partition from Mandriva out of frustration now. At least this time when I tried I didn't get a message saying my hdd and external (which wasn't plugged in at all at the time) overlapped, whatever that means, and wouldn't let me do anything. I have a strange feeling I'm going to have to just buy a whole new hard drive, or is this not going to even help?

    Note I couldn't download SP3 from Windows or Mandriva, Windows downloaded a 2mb file every time and Mandriva downloaded a 37 out of 316 mbs file as if it were done.

    I included the 2nd Combofix scan as it has a snapshot for some reason.
     

    Attached Files:

  21. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Why do you say it is infected? What symptoms are you having? If you are installing from a clean cd, then you could only be infected by installing something. I think you may need to post in the software forum for step by step instructions to get a stable system running.
     
  22. NOS69

    NOS69 Private E-2

    I was actually installing from a clean actual official Windows CD and the first thing I tried to do was update; I hadn't done anything to it yet and I couldn't use the Update icon, I had to go to the actual Microsoft site. When I did that, it wouldn't even work that way. I then tried to download IE8 and install it and even then I couldn't run the updates. I tried Firefox to do it after and even a fresh FFox wasn't letting me. So I used ComboFix to verify, then it showed my IE files were already infected. This is the fastest I had the problem begin yet. So then I did some research. It turns out you can get these rootkits/bootkits on your actual hardware, even BIOS and CPUs! Already knowing how to reset the BIOS I did that, though I am sure flashing it may be my only option for that; I am afraid my expansion cards or other hardware may be affected. Either that or I have multiple infections in my hardware. Either way, it's a lot more complicated than I thought. I'm going to attempt to flash the BIOS next; I don't want to air out all my frustrations until I am more sure about what is actually going on. ;) This whole experience is making me wish I didn't "need" a computer. At least I'm learning again about this sort of stuff even though it's just because I am being forced. I'll take up the boot record stuff into the software section at least, maybe that can be done, but the rest is way too likely hardware related since supposedly format and reloads are the way to deal with this and I keep having random things at random times appear that I've never had problems with, ever. I used to be quite safe at computing, I got lazy and greedy and now I'm paying for it. Let that be a lesson to the kiddies out there at least at what can happen these days. Go to the wrong site, get the wrong file, whatever, and you may have to completely dispose of your computer.
     
  23. NOS69

    NOS69 Private E-2

    Maybe I'm mistaken in assuming I can trust all Microsoft apps and their website?
     
  24. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am asking Chaslang to take a look at your thread.
     
  25. NOS69

    NOS69 Private E-2

    Thank you :) I also thought of another detail. I was using cmd: netstat -n and I had all legit connections to Microsoft services (supposedly) and then later I saw 3 connections to and from 127.0.0.1, is that something to be concerned about?
     
  26. NOS69

    NOS69 Private E-2

    I found something about the MBR going through some other threads and I saw Tim mention that Dells have non-standard MBRs; well, I do have a Dell. I don't need restore partitions (never was a fan after attempting to clean someone else's PC a few years ago by restoring; all it did was restore the infections!), so I got rid of all of that. I still have the non-standard MBR message, that may be normal, so the question is now I guess: Is there a point to trying fixmbr with my non-refurbished version of XP or my original OEM XP that did not come with this computer? Have I actually done anything when trying fixmbr or not?

    The rest of my problems remain however re: constant reinfections.
     
  27. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    No, this is not something to be concerned with. I again will suggest that if you do any more reformats and reinstalls, you first install your AV protection as well as your AS software before you go on the web. And you still have not furnished me with any indication of infections.
     
  28. NOS69

    NOS69 Private E-2

    Hmm, it's gotta be just the files being detected and that .vir extension being attached to it when quarantined. If I had known a pre-fab could be such a headache I'd have waited to build another one. I've been "playing" with partitions, found a hidden one, wiped it, installed WinXP/Mandriva dual boot, no more internet for XP kind of thing, managed to jumper my mobo so I could actually put in passwords, really fortified it this time and hopefully all goes well. I'm thinking that hidden partition is what's giving the (likely false positive) rootkit alert, or am I way off base here again?

    Thanks again, you have the patience of a saint :)
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry! Had not noticed this. Took a real quick look. Yes it is possible the non-standard partitioning was confusing ComboFix. It may be worth running fixmbr to create a standard MBR to see what happens.

    Note that reinstalling a system does not repair/fix an MBR. Even a format does not fix the MBR. You need to delete and recreate partitions to remove problems that may exist at the partition level. Deleting all partitions would be my choice, and then create only one partition for Windows XP and then format and reinstall Windows and see how things look.
     
    Last edited: Apr 27, 2011
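The posts above keep circling the MBR and the partition table: the "non-standard MBR" message, the vendor partition on a Dell, the report that partitions "overlapped", and the note that only deleting and recreating partitions touches what is at the partition level. The following is an added example, not code from the thread or from any of the tools it mentions, showing what a helper actually looks at in those 512 bytes: the boot code area, the four 16-byte partition entries and the 0x55AA signature. It parses a sector, reports the active partition, any vendor utility partition and any overlapping entries, and works on constructed sample data rather than a real disk; the partition type table is a small subset and the sample LBA values are illustrative assumptions.

```python
# Added example (not from the MajorGeeks thread): parse a 512-byte MBR sector and
# summarise its partition table. Sample data is constructed, not read from a real disk.
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446      # boot code occupies bytes 0..445
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"
ENTRY_FORMAT = "<B3BB3BII"   # status, CHS start, type, CHS end, start LBA, sector count

# Small lookup of partition type IDs (not exhaustive).
PARTITION_TYPES = {
    0x00: "empty",
    0x07: "NTFS",
    0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)",
    0x83: "Linux",
    0xDE: "Dell Utility",
}


def parse_entry(raw):
    """Decode one 16-byte partition table entry into a dict."""
    status, _, _, _, ptype, _, _, _, start_lba, size = struct.unpack(ENTRY_FORMAT, raw)
    return {
        "bootable": status == 0x80,
        "type": ptype,
        "type_name": PARTITION_TYPES.get(ptype, "unknown (0x%02X)" % ptype),
        "start_lba": start_lba,
        "size": size,
        "end_lba": start_lba + size - 1 if size else 0,
    }


def is_valid_mbr(sector):
    """True when the sector is 512 bytes and ends with the 0x55AA boot signature."""
    return len(sector) == SECTOR_SIZE and sector[510:512] == BOOT_SIGNATURE


def parse_mbr(sector):
    """Split an MBR sector into its boot code and the four partition entries."""
    if not is_valid_mbr(sector):
        raise ValueError("not a 512-byte sector with a 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        entries.append(parse_entry(sector[off:off + PART_ENTRY_SIZE]))
    return {"bootcode": sector[:PART_TABLE_OFFSET], "partitions": entries}


def check_mbr(parsed):
    """Summarise what a malware helper usually wants to know about the table."""
    used = [p for p in parsed["partitions"] if p["type"] != 0]
    used.sort(key=lambda p: p["start_lba"])
    overlaps = []
    for a, b in zip(used, used[1:]):      # entries overlap if one ends past the next start
        if a["end_lba"] >= b["start_lba"]:
            overlaps.append((a["start_lba"], b["start_lba"]))
    return {
        "active_count": sum(1 for p in used if p["bootable"]),
        "used_count": len(used),
        # The classic XP-era layout starts the first partition at LBA 63.
        "first_partition_start": used[0]["start_lba"] if used else None,
        "vendor_partitions": [p["type_name"] for p in used if p["type"] == 0xDE],
        "overlaps": overlaps,
        "bootcode_all_zero": not any(parsed["bootcode"]),
    }


def build_entry(bootable, ptype, start_lba, size):
    """Pack a partition entry; CHS fields stay zero because only LBA is used here."""
    return struct.pack(ENTRY_FORMAT, 0x80 if bootable else 0x00, 0, 0, 0,
                       ptype, 0, 0, 0, start_lba, size)


def build_mbr(entries, bootcode=None):
    """Assemble a full 512-byte MBR from up to four packed entries (constructed data)."""
    if bootcode is None:
        bootcode = b"\x33\xC0\x8E\xD0" + b"\x00" * (PART_TABLE_OFFSET - 4)
    table = b"".join(entries) + b"\x00" * (PART_ENTRY_SIZE * (4 - len(entries)))
    return bootcode + table + BOOT_SIGNATURE


# Constructed sample: a Dell-style layout with a vendor utility partition followed by
# an active NTFS partition. The numbers are illustrative, not taken from any real disk.
SAMPLE_MBR = build_mbr([
    build_entry(False, 0xDE, 63, 80262),
    build_entry(True, 0x07, 80325, 1_000_000),
])

if __name__ == "__main__":
    parsed = parse_mbr(SAMPLE_MBR)
    for n, p in enumerate(parsed["partitions"]):
        print(n, p["type_name"], "boot" if p["bootable"] else "", p["start_lba"], p["size"])
    print(check_mbr(parsed))
```

Run as a script it prints the two used entries and the summary; pointed at a sector image dumped from a live system (for instance by a Linux live CD such as the Mandriva one in the thread) it shows whether the "non-standard" message comes from a vendor partition, an overlap or a table that simply does not match what a repair tool expects. Note what it cannot show: as chaslang says, a format rewrites the filesystem, not this sector, so a suspect table has to be deleted and recreated rather than reformatted.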
  30. NOS69

    NOS69 Private E-2

    Sorry for delay, I just got back from a computer sabbatical, after a month of frustration and I got a paid AV program put on here just this weekend. Nothing found of course except on my external. For some reason AVs don't like anything mIRC related, doesn't matter though I haven't used that in ages, so no loss.

    In reply, I did try "fixmbr" several times and it did nothing to change the ComboFix error. I have resolved not to do anything like that until I came back, and now with a "proper" AV and a clear mind ;). I even tried an old Win 9x boot disk's FDISK (fdisk /mbr to be precise) and that didn't change it either; ComboFix still gives the rootkit warning. I used several programs and methods to attempt clearing the MBR and deleting partitions. I did redo WinXP clean since then, have my AV and I'm ready to go. The last message I typed about using XP/Mandriva dual boot on separate partitions did not work out at all and I watched the strangest things happen, like my downloads from this site for SUPERAntiSpyware and all associated programs downloaded as completely different files. I had downloaded things like Foobar from here and for some reason even the filename and information about the file were all SUPERAntiSpyware related, but the icon and program itself was Foobar! The same happened for other files but they were actually copies of IrfanView. When I tried to run ComboFix after that, it disappeared right off my desktop in front of my eyes! I know what that usually means and I couldn't take it any more. I'm thinking possibly my Mandriva iso is problematic OR when installing it something happened, I don't know any more. I have honestly never had any such problems on my computer in all the years I have had them, but I have seen some weird things on others, but not random things like those that have been happening to me. Any ideas? (I hope this isn't considered bumping)
     
  31. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I frankly don't know what to tell you. I would have suggested that you only format and install Windows, making sure that Windows is working properly before you add anything else. Have you posted in the software forum for some of these strange occurrences?
     
  32. NOS69

    NOS69 Private E-2

    Actually that is what I've been trying out, just clean XP, and use it for a while and see. I'm quite afraid to try the scans again; it's draining trying to figure this out for me as well, so now I'm in the avoidant phase I guess, until my curiosity gets the better of me that is. So far so good at least. This chicky was getting ready to launch this thing out my window for a while, I have to admit. If I could actually remove the drive I would, but they're completely unremovable, I'm told, because that's what they do to refurbished computers. How annoying for someone who's used to working with situations like this having the infected drive slaved, since that is how I used to scan other people's computers.

    Yes I have posted in there and a few people have been asking me things and I've been trying their suggestions on recommendations.

    I forgot to emphasize that when downloading the strange files I was using Mandriva fully installed and that's why I think that might be the culprit; plus when I tried to delete the files they wouldn't. I have them on my external, scanned them and nothing was found. When running the files themselves they had a COM window briefly pop up for each one and nothing happened, if that is of any use to anyone.
     
  33. NOS69

    NOS69 Private E-2

    I have potentially good news for both of us: since I installed AV it found 2 trojans: Artemis and generic.dx. Those were some of the Kaspersky programs I downloaded directly from their site, or so I thought; apparently downloading from there isn't so secure since they are zipped files. I don't remember running them, or when, if I did. Finally getting something at least. :)
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What AV program are you referring to? And do you have a log? These sound like things that McAfee often mentions and typically they are false detections. Do you have a log showing exactly what files, folders, or registry keys?
     
  35. NOS69

    NOS69 Private E-2

    You're right, it was McAfee, and the folders and files were on my external, called
    KLANTIFL.ZIP and KLWK.ZIP. Can't remember if I renamed them or not, but they were quarantined at least. I managed to delete most of the files I couldn't that were undeletable (corrupted, it says) but I'm still in the process of ridding the last 2, which I don't know why they are unremovable. I hope to hell my external isn't dying, so I'm doing a chkdsk, which would probably take a day or so for something so large. I'm hoping it isn't a false positive; this situation is annoying. I haven't run my Mandriva CD at all since my reload since I think that may be the main culprit, just in case.
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then ignore McAfee as this is just another false detection.
     