Asus Eee PC rootkit issue

I've got an Eee PC 1000H running Windows XP. Last year it started behaving strange in a couple of ways. I didn't quite make the connection initially but at some point it occurred to me I might have contracted some malware that McAfee didn't pick up. I downloaded a rootkit removal tool from Kaspersky (TDSS killer) and it rid me of my problems. Great! Several months later however the problems returned and this time the tool had no effect. The latest version of the tool even tells me there is no infection.

These are the phenomena:

1. My netbook's native resolution is 600 x 1024 but since this infection it always comes up in 768 x 1024 (both after cold start and wake-up from standby) requiring me to manually adjust the resolution every time.
2. Often it will switch from my own secure home router to the neighbour's open router even though there's nothing wrong with my own one and its signal strength is much greater. (My other PC never ever does this).
3. When this happens, the list of networks is not shown. How I usually get around this problem is by 'repairing' the wireless network connection from the connections menu. It will often tell me it failed but even so it usually reverts to my home router. When it doesn't actually work I just reboot.
4. The other odd thing is that when the netbook is working fine and I can check my list & order of preferred networks (something that doesn't work when the problems occur) this neighbour's router isn't in it at all.
5. One weird phenomenon of which I'm not sure if it's related is that frequently my netbook will all by itself revert from standard XP look to Windows Classic look.
6. Recently, when sending emails to friends with a hotmail address I get an error message back stating the mail was rejected because too much spam was sent from some IP address that I suspect is associated with my neighbour's router.

I should add that last time I did a full scan with McAfee it told me it had detected 51 rootkits but apparently it does nothing with them.

I have also downloaded and installed Kaspersky AV (trial version) and run it for a month but it made no difference whatsoever.

I've followed the procedures suggested here (SAS, MBAM, ComboFix, RR and MGtools). The following things did go wrong:

• After running SAS, I lost my network connection. I guess it's the WinSock LSP Chain issue but the suggested measures had no effect. My netbook is connected to my router but remains busy acquiring a network address.
• MBAM gave an error message (see below) probably because of the lacking internet connection: the definitions were 40 days old.
• With ComboFix, the MS Recovery Console was not installed, obviously.
• MGtools gave this error message but continued after I pressed OK. Sorry about the Dutch -- I've selected English wherever possible. What is says: ProcessDLL.exe - error tracking services of the Common Language Runtime. The application has generated an exception that cannot be handled. Process ID = 0x68 (104), thread ID = 0x8d8 (2264). Press OK to end the application. Press CANCEL to trace errors in the application.

It seems to me that after these procedures, my (rootkit?) infection is still present.

Any suggestions what I can do to get rid of this infection? And, first of all, how I can restore my network connection?

 

Here are the MGtools logs plus screenshots of two error messages I ran into during the procedures (as explained above).

 

Here are the logs of TDSSKiller and MBRCheck.

You say the logs confirm my PC was not infected, but what does it mean then what SAS says about hi-jacked DNS?

Also, how to fix my internet connection? The fix option in SAS had no effect. Should I restore some or all of the (registry) items SAS quarantained?

Thanks for your advice.

 

Well, my ISP confirmed today it's been blacklisted by MSN because some users got caught in a phishing attempt leading them to send massive amounts of spam. Apparently it's not my PC acting as a spambot so that's a relief.

Reinstalling the drivers for the wirless network adapter eventually fixed the problem of forever acquiring a network connection. Only Skype works so far though; Firefox, IE and Outlook don't have internet access yet. I've checked my firewall settings but in McAfee these applications have the right permissions while the Microsoft firewall is disabled. Is there any other firewall I'm overlooking? Did one of the programs I installed from here this week come with its own firewall?

 

After fruitlessly tinkering with every possible menu option I'm getting rather desparate. I need no proxy server and have none configured. IP address is auto-configured. DNS server is too, though I've also tried the ISP-advised DNS addressess but that made no difference.

I've tried and it made no difference.

Still, only Skype works. Other VoIP and IM programs don't. Yahoo IM troubleshooting gave me the following log (attached) and MSN Messenger seems to confirm my suspicion it's something to do with the DNS.

In my browsers (IE8 and FF3.6) typing IP addresses works but URLs not.

Like myself, my ISP's helpdesk has no clue how to fix this. I'll be extremely if I can get back to where I was before I started the malware scans. Thanks for any such advice.

 

Are you sure? If I go to the command prompt now and ask this I ge a physical address, IP address, gateway, DHCP, DNS server (as below) etc. for the wireless connection.

I've looked into this but the oldest system restore point I have is of 17 august, 2 days after I lost my network connection while running SAS.

Done.

My ISP recommends having them autoconfigured but otherwise using 88.159.1.200 and 88.159.1.201 as primary and secondary DNS server.

 

It appears my DNS Cache got corrupted. I have not (yet) figured out how to fix/reset it. Flushing it does not help. The only way around it at the moment seems to be disabling it, so that I've done.

Although this looks like an acceptable workaround to me, I will still explain my suspicions of some infection.

My suspicions started when (despite a pop-up blocker) I first got frequent epoclick pop-ups. It usually took a while before anything other than a blank page appeared in them but when it did, I believe it was a browser-based game called Farmerama.
McAfee would complain several times a day there was a security risk because it could not connect to the internet to check for updates while there was a connection.
When I checked the DNS settings, they were set to 93.188.164.248 and 93.188.160.248 -- somewhere in Ukraine.
Those phenomena have thankfully disappeared since I first ran that rootkit removal tool.

Still, something fishy is going on. I thought that after all this network mishap I had at least got rid of the neighbour's open router but I haven't: The netbook still occasionally connects to it, even though it is not in the list of preferred networks.

 

I had not, so far. Thanks! This has now solved the issue that MAM couldn't access its updates. Also Skype seems to be working fully again. Only VoIPbuster can't connect yet but I have been helped a lot.

It also seems I don't havee to reset the screen resolution all the time anymore. No clue how come but glad about it.

Again, thanks! Consider this issue closed. (If needed I'll take it further in the networking forum like you suggested.)