Defining Malware?

XP Pro, SP3, current updates, ThinkPad T60p, 3 gigs memory, a formerly undamaged brain

Although I know of no common anti-malware software that will touch rootkits, my searches here would seem to indicate that MG includes them in the malware category.

I have reason to believe I may have a rootkit. For one thing ZoneALarm keeps disappearing. I _may_ have reason to believe that the Zlclient PF file had a problem - whether or not that could apply. ZA _seems_ stable since I deleted the PF this evening in response to RootlkitRevealer data.

Another reason is that RootkitRevealer shows a whole block of report lines on the same date.

The Sophos Anti-Rootkit recommended here finds absolutely nothing, while the microsoft RootkitRevealer shows 17 lines of results in far less scanning. It showed only 2 the last time I ran it, and those are said to be "normal" false positives.

I know this is only once-over-lightly, but I'm not certain I'm even in the right place to ask about this, nor do I have any experience that would tell me how to even ask the right questions about rootkits. I've only known they exist for maybe a year.

But here is one specific question.

- - Is it normal for HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\System\ to be unopenable using regedit? - -

I don't want to go on a wild goose chase if none of this is looking at least within possible reason. Comments? Answers? Questions?

 

In all seriousness I should say that I may have heard about them. Since my stroke, my memory is all shot to bits. That also makes getting through procedures difficult, because I can't remember much of the things I'm told to read.

 

My first reply following read me first procedures.

 

Second report.

The engine @ conduit.com extension reported in gooredfix.txt does not appear in Firefox addons.

 

OK, I have removed all of my free AV programs, but I had let NONE of them install background guards on the system. They were available as backup scanners only. Only my subscription anti-malware was running constant-watch processes on system functions, looking for suspicious system uses and internet surfing blocking dangerous sites listed on a long and growing list.

I have carefully watched the likes of Zone Alarm which would install system guards on top of anything else if you aren't on top of it.

 

I am running the READ & RUN ME. When I got to the redirection thing I did it because Firefox had refused to run some things based on some redirection problem (which problem IE will sail right through).

I am now way beyond that, trying to run SuperAntiSpyware. SAS is one of the AV's I removed, per instructions. I had never had a moments trouble from it before, but now either the regular version or the portable version will only run for about 15 seconds then disappears.

MalwareBytes is another AV I removed per instruction. I usually ran it about once a week without problems. Should I skip SAS and go on to MalwareBytes?

BTW, ZA is still disappearing.

 

On some sites Firefox would say the redirection involved would never conclude - or some such word. I got the impression it meant it would go into some sort of endless loop. Firefox would not even attempt to load the site.

Don't skip this!

In my OP I specifically stated that it was a once-over-lightly post. I still have no idea _if_ it involves rootkits. I used to be good with this stuff, but now not so much. That's why my system statement included having "a formerly undamaged brain." I remember some stuff (sometimes) and forget some stuff (usually), but there never seems to be a way to explain _briefly_ that I'm now generally computer savvy and have a vocabulary not common among dummies, but that a lot of my computer knowledge has just disappeared - in apparently random fashion. And my memory is sometimes good for about 3 minutes.

A trial lawyer saying, "You can remember this but not that?" is either a fool or simply being vicious. Everyone remembers some things and forgets some things.

I was basically asking if the issue warranted looking into. I know most support forums want expert questions, but when I don't know spit about what's going on I don't know what to say about it. I could go on forever and never give you what you needed to know. So I try to give a general outline so someone will know if it's worth asking me specifics. I was surprised when you immediately started me on READ & RUN.

There have been other problems as well, but I never know whether to think, "That's seems odd," or think, "That is a sure sign of (whatever.)" I haven't found a forum yet that seems to grasp the fact that a non-expert cannot ask complete/expert questions despite "Ask This Way" readme's. Now I can't bring to mind those other problems.

You obviously know about such nuances.

You are apparently referring above to MalwareBytes. I'm sorry I missed anything saying these should be kept. I went very slowly trying to cover every detail.

There are many Anti-xxx programs out there with many odd names. My subscription anti-xxx program does viruses, spyware, cookies, dangerous site warnings, suspicious system events and what else. With every company trying to do everything I had no idea the names of _any_ of the programs could actually mean _anything_.

I finally got something out of SAS.

It took me hours to get MalwareBytes to scan. Like SAS, it would run about 15 seconds and disappear. I kept uninstalling, renaming, re-installing until it finally ran this morning. But I don't know where I am in the instructions so I won't include those two logs with this post.

I think those crap writers have read your renaming instructions and are writing extra code to handle it.

 

I'm not trying to be funny here. To me exact specifics are expert. Knowing which to post is as well.

I'm still working on it. Right now I'm having a lot of trouble getting combofix to work. The "self-propelled" Recovery console download/installation fails, so I'm trying to figure out how to get it off the internet. Everything I've found at MS is all talk and no downloads.

ComboFix's access to the registry hasn't worked. The error seems to be saying regedit couldn't open it, but it works for me using Start\Run.

Here are some of the other problems that have popped into my head. I'm assuming you still want them.

1. Trouble uninstalling apps with "Add or Remove".
2. A clipboard utility lost all of its config and failed at resetting them until reboot.
3. Screen zoom in Firefox quit working until reboot.
4. Wordpad keeps losing its position/size data.
5. My wireless printer connection quit and I can't even reinstall it. Reboot didn't help that.
6. I lost my MagicJack screen display to off the screen - my fault. But there was a screen flash/dance and suddenly the display was back onscreen, so that was a good fluke.
7. Several times I've had a program jump to a sub-routine _AS IF_ I had already selected it from a pick list. It seems to read my mind....

 

OK, I think I'm done. In passing - if I had skipped on to the next thing as advised I would have nothing to send.

That is to say, every single one of the programs on the roster refused to run at least once, often requiring un-installation and attempt after attempt to get results in some cases.

Yesterday I had the most recent "problem." I don't know if it comes under your category of "probably not malware." I have a folder named "newdown" I have used forever to download files into, with half a dozen folders inside it, including "Installed," "Hold" and "Waiting."

_Everything_ in the newdown folder just disappeared yesterday sometime, I don't know when. Files, folders, files in folders...

Of course there are the "problems" mentioned above when the antibug programs stopped running repeatedly. Some ran for several seconds; some ran almost to completion.

RootRepeal went almost to the end and stopped on an error. This prevented any report.

Combofix skipped over something (register manipulations?) with an error saying "Registry Editor failed." I don't know if Registry Editor means regedit or not.

So here goes with the log attaching.

 

One more log.

 

I just recalled another problem which someone (right here?) said I was pretty much an idiot for not realizing it was malware. That brought me here after running 6 different malware programs and finding nothing.

The Desktop tab disappeared from my Display Properties window. It took several days to cure that one.

 

• 
  None of the items you listed seem to be in the analyse.exe listing. There is one similar to the O16 one above. It starts with DPF: {E but the rest of the numbers are different with 2883E8F, etc.
  
  I may have seen them at one time, but I had to reboot and they aren't there now. The reboot was __extremely__ slow. The boot logo screen was up for about 3 minutes, as opposed to mere seconds. Other things were correspondingly slow. I thought my machine had gone belly up because the black screen before the blue screen was showing for about 6 weeks.

 

Attached are the logs.

Possibly related question: Is there normally a folder in c:\ named IBMWORK (c:\IBMWORK)? I found the c:\newdown folder mentioned earlier _in it_ (c:\IBMWORK\newdown) - and an _empty_ folder of the same name (c:\newdown)in its place in C:\. I can imagine accidentally dragging newdown up into an existing IBMWORK folder (altho my dragging mistakes are invariably _down_), but not having it replaced with the empty folder. (c:\IBMWORK is now empty.)

(The above happened some time during the process of following READ & RUN. It may or may not be related.)

Once again running combofix produced 4 errors saying:

....."Registry Editor has encountered a problem and needs to close. We are sorry for the inconvenience."

I noticed in the combofix log the following.

"c:\docume~1\User\LOCALS~1\Temp\IYLWS.exe"
"c:\docume~1\User\LOCALS~1\Temp\OAMVOD.exe"

You probably know what it means but I decided to note that these files do not exist as listed above (or apparently anywhere on c:\).

ZoneAlarm is still vanishing after maybe 10 minutes. If I restart it it lasts only about a second. I'm going to uninstall and reinstall it _again_.

 

While doing READ & RUN, I was at one of the "somewhere else" sites listed there, that was also a malware removal site. They included combofix and said you should remove Recovery Console when done. But I've seen nothing like that anywhere else.

Do you have an official recommendation about this?

 

Thanks. I figured as much.

 

New popup

Just since I've been doing the READ & RUN thing (apparently) I've had a new popup appearing when I try to run _some_ programs. It asks me if I want to run the program I just clicked on.

Is there a writeup on this somewhere?

 

If you would tell me what you are referring to it would help. If you mean the networking posts, I figured someone would get all PO'd if I put that in the malware department. Npow it's because I didn't.

If it helps any, I _certainly_, _certainly_ don't have the brain power to do anything to the computer while my head is full of this mess. And I _have_ read cautions against it. While waiting for answers on the malware reports I thought putting my head onto another subject might reduce the brain stupor.

If it's about the new pop-up, it came up with the malware stuff, so I asked if it was related for sure.

I'm not sure what you are irritated about.

 

If not, at least I can get answers on that forum where the guy keeps telling me I DO HAVE malware. I don't even remember the forum or the issue now. Some forum dealing with a specific program.

Is there any way to find out for certain? Speaking of which, is it your opinion that the registry should just grow indefinitely, or is there some other way to handle that?

Thanks

Thanks. I did that at least 6 times. The last time I did it (last night) I did _not_ run the update. It seems to have worked fine since then.

I just discovered 5 items in Task Scheduler (c:\windows\tasks) apparently put there by software I tried out in the past, judging from the names. I assume they are intended to bug me about repeating previous trials. But it occurred to me to ask if these things could cause problems. In any case, can there be any repercussions from removing them - referring specifically to the ones named for software I tried weeks ago?

And I don't know if it is relevant, but they all have an appended switch, "-shakeicon". And the tasks themselves have names like "prismshakeicon" and "expressburnshakeicon." I know my memory is shot to bits, but I'm certain I've never heard of shakeicons before.

 

What would make almost all of those malware utilities in READ & RUN refuse to run? They would start then stop or error out. It took me hours on each one of them to get to the log output.

 

Reinstall XP Pro!?!?!?

I guess nothing here was definitive about the absence or presence of malware. (I'm still holding off on major changes, per READ & RUN directions.)

 

Ah. If I had said "thus far" it would have meant I was still digging. So I thought you were still digging.

 

To the best of my knowledge I've done everything you said to do. At least I tried. Apparently you found something I missed?

 

Semantics. You say above "we have not found any malware. Earlier you said you hadn't found any _thus far_. I took "thus far" to mean you had farther to go. It's as simple as that.