Possible Rootkit

Hello,

I noticed my PC started acting a little goofy a couple of days ago, being laggy loading web pages, slower than usual booting, etc, so I did an SAS complete scan but it didn't find anything. I decided to try a few rootkit scanners and they all seem to think I have something. The references to ZwConnectPort, pIofCallDriver and catchme.sys looked a little worrisome to me.

My hard drive is encrypted with PC Guardian so I don't know if it is confusing the scanning software, or if I do actually have a rootkit. It's probably overkill, but I've attached three logs, one from GMER, one from Root Repeal and one from Trend Micro's Rootbuster. I used Radix as well, but I won't waste your time with that too.

If you have a little time to take a quick look and advise I would really appreciate it. Btw, I had to sanitize the logs a bit, but I don't think it will interfere with anything. Thanks a lot.

 

No it isn't, that's my sister's. Sorry, probably should have said that at the outset.

 

I noticed in some other threads that you ask for mbrcheck logs, so I'm attaching one here. Thanks.

 

Ah beat me to it. You're fast!
Yes I backed up my stuff about an hour ago, I was contemplating flatting the whole thing. I'll have to look for my Windows CD, hopefully it's around somewhere. Will the MBR repair wipe the drive, or are you asking about the backup just in case?

 

Ok, so I found a CD and booted to the recovery console and did a "fixmbr", but the PC won't boot now. It says "error loading operating system". My guess is that it's probably because the encryption boot stuff got wiped. I'll have to see if there's a PC Guardian tool to fix it. On the plus side, at least there's no keystrokes for it to log any more.

 

Hi again,

I believe you are right about the special boot record, which most likely was created by the encryption software. The fixmbr command did warn me that it was non-standard, but I did it anyway. I had a pretty good idea it was going to make the drive inaccessible, but I wasn't that bothered about it. For various reasons I have since physically destroyed the drive and will install another soon.

I appreciate your time and help on this, and will probably be back in the next couple of days to continue the other thread I have going.

Thanks again.