Malware in first allocation unit

Discussion in 'Malware Help (A Specialist Will Reply)' started by bbpathd1, Jul 13, 2009.

  1. bbpathd1

    bbpathd1 Private First Class

    In April (definitely not a good month for me) while my other computer was ailing I was running an old eMachines upgraded with win XP Sp2 on dial-up PeoplePC, reading email and surfing the internet, when I suddenly saw popups and windows opening like crazy on the computer. I guessed right then that I’d probably experienced a drive-by infection. Sorry. I cannot remember what I was looking at but it may likely have been a Google search. I looked at Start->Search for that day and saw dozens of new files being created before my eyes. Then I just turned the computer off.
    When I turned it back on, it said something about the first allocation unit, and I thought, “Oh, no, a boot sector virus maybe!”
    I am now ready to tackle it and see if I can save my hard drive.
    I ran the win XP cleaning procedure and a bunch of other things since I had a clue of where the problem is. See attached and tell me what to do next.
    Thanks

    I know some scans are out-of-date. For the first round I was not connected to internet. Only after I got some handle on things have I gone online. I am updating but it is taking forever on dial-up.
     

    Attached Files:

  2. bbpathd1

    bbpathd1 Private First Class

    more scans
     

    Attached Files:

  3. bbpathd1

    bbpathd1 Private First Class

    more
     

    Attached Files:

  4. bbpathd1

    bbpathd1 Private First Class

    more
     

    Attached Files:

  5. bbpathd1

    bbpathd1 Private First Class

    more
    Going offline again
    Just 20 MB of updates to Comodo and it still is not saying it is fully updated despite it saying the download was 100% before I rebooted.
     

    Attached Files:

  6. bbpathd1

    bbpathd1 Private First Class

    More background
    I had Panda IS on the computer and it was hard to keep it updated with dialup. Since I was looking at at least 2 months of updates, I uninstalled Panda and put Avast on since it was more up-to-date than Panda and there would be less to download in the way of updates once I went back online.
    I ran all the scans hoping one of them would neutralize this malware before I plugged in the phone line to the modem again. I decided to put Comodo firewall on as the last step before going online again. The McAfee Singer scan had gotten stuck on C:\windows\Temp\_avast4\unp65350751.tmp. Since Avast antivirus did not find anything and the copy of Comodo I had on CD was just a week old, I decided to remove Avast and install both Comodo antivirus and the firewall.
    When Comodo ran its first scan, a Maze 3D.scr file came up. I went to the other room to google it on the other computer and found out it was likely an old Win 98 screensaver. In the meantime, Comodo had found 5 more items. As I reached for the mouse, a box came up “Do you really want to close before deleting these items?” and covered most of the text. I thought I saw RECYCLER, system restore. F prot.exe and hide as words within the files, but as I clicked NO on the box, Comodo immediately deleted them before I could write them down. I looked for a log within it but could not find one. Only one file was left in pending for my review: C:\Documents and settings\application data\superantispyware.com\superantispyware\SDDLLS\UIREPAIR.dll. All that scanning and then I did not get to see the name on those files; is there any other log I can look at to see what they were? Nothing in Recycle bin.
    Today, Comodo antivirus says its real time scanner has never been updated despite all the downloading and updating last night. So whatever malware is there is still active and seems to have disabled Comodo. There are 4 more files in pending: All C:\windows\Software Distribution\download\bunch of #’s and letters\bit8 or bit 2.tmp, 3 of the 4 associated with Microsoft Corporation. Update files? I did not let the files from 4.131.xx.xxx come through while I was downloading Comodo and Superantispyware updates. I thought they might be Windows update files, but I was unsure so I blocked them.
    I’m not eager to go back online with the computer as it is right now, so I am sending this from an uninfected one.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then delete this file from it: c:\program files\IS09Panda.exe

    You should not be saving/downloading files to the C:\Program Files folder anyway. This is a bad practice.

    Also I strongly advise you to immediately cleanup your Desktop. Remove everything but links to run programs. Do not download and save programs here and definitely do not use it for long term storage. You need to keep ComboFix.exe here for now as we need it, but we will be removing it when we are finished with your cleanup. A cluttered Desktop is malware's playground and it can also cause performance degradation especially when you start saving large files here like you are doing.

    Also delete the below files:
    c:\program files\folder.htt
    c:\windows\JAVA\Packages\Data\ST3TBXZZ.DAT
    c:\windows\JAVA\Packages\7HZHJTJV.ZIP
    c:\windows\JAVA\Packages\Data\2LNR3X3J.DAT
    c:\windows\JAVA\Packages\Data\T3HFZV5J.DAT
    c:\windows\JAVA\Packages\Data\OT7ZVDJZ.DAT
    c:\windows\JAVA\Packages\Data\25B713TF.DAT
    c:\windows\JAVA\Packages\Data\9RTN7BBV.DAT

    There is no malware to neutralize according to all of your logs or it had already been removed. Anything you removed with Comodo were probably non-issues or false positives.

    The only problem with this PC is that it is way toooooo slow and has too little memory to run Windows XP even without having any protection software installed. The specs show:
    Code:
    Processor x86 Family 6 Model 6 Stepping 5 GenuineIntel ~434 Mhz 
     
    Total Physical Memory 256.00 MB 
    Available Physical Memory 136.40 MB
    Even if you put the maximum memory in this PC (which may not be much more than 256MB), you still cannot properly run Windows XP on it.
     
  8. bbpathd1

    bbpathd1 Private First Class

    Re: c:\program files\IS09Panda.exe Yes, I will delete it. I did not notice that the uninstall left it.

    Quote: You should not be saving/downloading files to the C:\Program Files folder anyway. This is a bad practice.
    I think the Panda CD upon installation chose that directory. I usually let software install in whatever default choice it presents. So, should I be choosing somewhere else when programs on CD want to install in C:\Program Files? I never knew it was risky. What is a better choice you would recommend for me to use in the future? For downloaded software what would be best? Where is best to install all the malware-fighting software I download from MajorGeeks when a location is not specified? I definitely want to use best practices.

    Usually, I do not have a lot on my desktop. But, because dial-up was the only connection on this computer, I just copied the antispyware programs off a CD I had burned on another computer and copied them over to the desktop. I’ve left them pending hearing from you, and now that I know they are finished with, I’ll be glad to get rid of them. Ditto for the JAVA files and what else you recommended deleting.

    I am certain that there was malware of some sort. I wondered about the Windows\System32\CatRoot2\edb.log and WINDOWS\System32\CatRoot2\tmp.edb files found in Avast Virus Removal Tool because they would not scan. Also wondered why the RootRepeal scan terminated with too many files to enumerate in dir \\?\C:\ windows\software distribution\ * and so many invisible to the Windows API (whatever that means!) and then error code 0x0000003.

    Yes, I agree with you that running Win XP on this computer is stretching it. The eMachine upgraders forum told me it was possible to run Win XP and the Win XP upgrade wizard said go ahead too. So I gave it a try (and learned from it!) Max memory according to the eMachine upgraders is 512MB--if you can find the low-density type it will accept. I had not tried to upgrade beyond the 256. I still have the restore CD with Win 98SE and I can roll it back. The hard drive is still FAT32. I did not convert to NTFS when I upgraded to XP.

    Another bunch of questions: Does going back with System Restore to a date before infection do any good? Does reformatting get rid of malware? Does using an erase program get rid of malware? Specifically does it get rid of anything lurking in the first allocation unit? I may just reformat and go back to Win 98 and store archive and backup files. Any suggestions on how to best revert?

    Thanks. I value your advice.

    Addendum: While I was looking at the desktop to see what needed to be cleaned up, I wondered what else I could run that I hadn’t already. I had SysInspector on the CD and decided to run it and Dr Web cureIT. That SysInspector gave an extremely long and detailed report, highlighting many files that might need some review I suppose but not finding anything definitive. It saved to a ZIP file and on extraction became an XML file that caused the box to pop up like an active X and/or download risk. I tried to rename the XML and save it as a txt file and it came out jumbled together and hard to read. Dr Web cureIT took around 4 hours to run and found MGTools as a false positive and the SysInspector as probable SCRIPT.virus. They were incurable and moved. I had updated Superantispyware when I updated Comodo Security so I reran it and got Trojan.agent Gen-PEC due to pev.exe. All false positives? Moot, I guess, since I’d like to just start all over with a clean disk.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are confusing the terms download and installing which are totally different. I said do not download files to the C:\Program Files folder (and also your Desktop). When you run the installer program (which is what you downloaded), you should allow it to install into the normal default folder that the installation program suggests. This is normally the C:\Program Files folder. This folder thus contains the Installed programs not the files you downloaded.

    Whatever works for you to manage things in the end is fine but better practices are highly recommended to avoid potential problems. Here is an example of what I always do. My methodology is like a file cabinet with many drawers. And each drawer contains many large folders, which in turn contain many smaller folders and files which makes finding things easier. I create a Downloads folder, like

    C:\Downloads

    Under this folder I create categories of subfolders, like:

    C:\Downloads\AntiVirus
    C:\Downloads\AntiSpyware
    C:\Browsers
    ..... etc

    And under those folders there are more category subfolders to contain the specific downloads. Like

    C:\Downloads\AntiVirus\AVG
    C:\Downloads\AntiVirus\Avast
    C:\Downloads\AntiVirus\McAfee

    And under them may even be more specific folders like:

    C:\Downloads\AntiVirus\AVG\AVG AntiVirus Free Edition 8.0 Build 175a1382
    C:\Downloads\AntiVirus\AVG\AVG Anti-Virus Update December 15, 2008
    C:\Downloads\AntiVirus\AVG\AVG Internet Security 8.0.93.1283

    I think you get the point of the above. At any given point in time, I can always tell exactly what I have downloaded because the folder names (like a file cabinet) tell me exactly what I have. Even after months without looking at some file, I know exactly what it is because of where it is located. Example, if I had simply downloaded and saved WDC3Setup.exe to My Documents or to Program Files and then a few weeks or months later see it. I would be wondering, what the heck is this..... is it safe to run it to find out what it is??? However by my method, it is not saved to My Documents or Program Files, it is saved like this:

    C:\Downloads\Drive-Cleaners\Wise Disk Cleaner 3.7.4\WDC3Setup.exe

    That is rather self-explanatory on what it is. ;)


    Not problems.

    What is possible and what runs properly are two different things. If you only installed Windows and absolutely nothing else and never connected the PC to the internet, it would run better but still be slow. But you need to install many more things including an antivirus, antispyware, firewall, and more which just your memory limitations do not allow for.

    Would be a little better but the PC is still way too slow and even if it were a fast PC, I would still tell you that no less than 1GB ( 2 times 512MB ) is acceptable.

    Sometimes it can help but it does not physically remove the malware that could still be present. And many forms of new malware will prevent System Restore from working.

    Most but not all. Some malware requires deleting partitions too. And some malware can get into the system BIOS which means you need to reflash the BIOS to remove it or your PC will keep getting infected no matter how many times you repartition and format.

    Not all just like stated above.

    You do not have any malware. You just have an outdated PC with hardware that cannot run Windows XP. Even Win 2K would be slow but would be a little better than XP.

    Delete partitions and start over again but my real suggestion is buy a new PC.;) Win98 is too out of date and unsupported.


    All false positives.
     
  10. bbpathd1

    bbpathd1 Private First Class

    First of all, thanks so much for your detailed reply.

    I like your C:/Downloads method. I will definitely do all my future downloads that way.

    Agree with you on all the rest. I did buy another computer in May.

    One last bunch of questions: How do I know if malware has gotten into BIOS? Any signs that should be red flags? How does malware get into BIOS? I've read that flashing the BIOS can be risky, so I would not want to try it unless it was absolutely necessary.

    Thanks again for all your help! I've learned a lot.
     
  11. bbpathd1

    bbpathd1 Private First Class

    Chaslang,
    I have to tell you—
    I had you close my other thread on Spyware Disabled McAfee Security that ran around July 4 to 16. I remained suspicious though, that malware might still be lurking. Yesterday I was googling about Avast scan errors and archives disabled and figured out how to run Avast as a THOROUGH scan with Archive files ENABLED. The STANDARD scan with Archive files DISABLED is what had run when I first installed Avast and it did not find anything. I ran the scan on my old admin account that had been set up 3 years ago (Compaq_Owner) when I first got the computer and not my limited user account that I just set up recently. The scan took a couple hours and it found a rootkit: Win32: Rootkit-Gen (rtk)! See attached log file.

    I scheduled a Boot-scan (since I had not done that at installation) that ran when I turned on the computer this morning, but I don’t think anything shows there.

    What had made me suspicious was that, besides the things I mentioned in that last post in the thread, when I logged into AT&T DSL Yahoo account on my admin account the URL changed to https:\\edit.client.yahoo.com\membercenter. How do I find out what IP address that is going to? Any idea what mischief this rootkit is up to?

    Avast has the bad files in the “Chest.” As I am new to Avast, I assume that is quarantine. That PeoplePC related stuff, I’m not worried about—PeoplePC has shown up as Adware on other scans before. How do I get rid of the rootkit now that it has a name? Do I need to change all my passwords on email accounts? What else should I do?

    Maybe you can reopen the closed thread and put this with it.
    Thanks.
     

    Attached Files:

  12. bbpathd1

    bbpathd1 Private First Class

    Addendum
    When I looked in Comodo firewall at active connections, I saw a second svchost.exe with UDP out 192.168.0.2:64886 as source. The thing disappeared while I was looking at it. The 64886 is the port, right? Googling, I also found this:
    # Dynamic/Private Ports Ranging from 49152 to 65535, these things are rarely used except with certain programs, and even then not very often. This is indeed the usual range of the Trojan, so if you find any of these open, be very suspicious. So, just to recap:
    QUOTE
    Well Known Ports 0 to 1023 Commonly used, little danger.
    Registered Ports 1024 to 49151 Not as common, just be careful.
    Dynamic/Private Ports 49152 to 65535 Be extremely suspicious.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    These scans from Avast do not appear to be from the computer we have been working on since the info you showed in the Avast logs refers to folders that did not exist on the PC which your earlier logs came from. Also there was no such user as Compaq_Owner in the logs you posted earlier. Thus all I can assume is you are talking about some other computer and that should not be in this thread. Please do not discuss your other computer problems or questions in this thread you are reading now. One thread per problem per computer. But that being said, Avast was incorrect. That is just a copy of svchost.exe from a particular Windows Update.


    The other thread is not closed which is why I said this does not belong here and only confuses things. ;) Now I have no idea what computer you are talking about in message # 12 and it really does not matter anyway since it is not a problem anyway.

    Trojans can use any port number so do not believe what you were reading at where ever you were reading it. For just one example, go to the below site and look at all the trojans listed and the port numbers they have used.

    http://www.sans.org/resources/idfaq/oddports.php

    Just because a particular port number is being used, it does not mean you have a trojan. The 192.168.0.2 IP address is most likely part of your own network range and some software you have was making use of port 64886 to send UDP packets.
     
    Last edited: Jul 25, 2009
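    To make the point in the reply above concrete, here is a small added example (not code from the thread or from MajorGeeks) that parses a firewall-style active-connections line like the one quoted in message #12 and reports two things a defender would actually check: whether the source address falls in an RFC 1918 private range (the user's own LAN) and which IANA port class the source port belongs to. The sample lines are constructed for the example, and the regex assumes a simple "process protocol ip:port" layout rather than any real product's log format.

    ```python
    import ipaddress
    import re

    # Constructed sample lines in a "process protocol source_ip:port" layout;
    # not copied from the thread's attachments or from any firewall's real log format.
    SAMPLE_CONNECTIONS = [
        "svchost.exe UDP 192.168.0.2:64886",
        "iexplore.exe TCP 10.0.0.5:1234",
        "updater.exe TCP 198.51.100.7:443",
    ]

    CONN_RE = re.compile(
        r"^(?P<proc>\S+)\s+(?P<proto>TCP|UDP)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)$"
    )

    # RFC 1918 private address space; membership is tested explicitly rather than via
    # ipaddress.is_private, which also matches documentation and other special ranges.
    RFC1918_NETWORKS = [
        ipaddress.ip_network("10.0.0.0/8"),
        ipaddress.ip_network("172.16.0.0/12"),
        ipaddress.ip_network("192.168.0.0/16"),
    ]


    def is_rfc1918(ip_text):
        """True when the address belongs to one of the RFC 1918 private ranges."""
        addr = ipaddress.ip_address(ip_text)
        return any(addr in net for net in RFC1918_NETWORKS)


    def port_class(port):
        """IANA port range classification (well-known / registered / dynamic)."""
        if not 0 <= port <= 65535:
            raise ValueError("port out of range: %d" % port)
        if port <= 1023:
            return "well-known"
        if port <= 49151:
            return "registered"
        return "dynamic/private"


    def classify_connection(line):
        """Parse one connection line and describe its source address and port.

        The source port of an outbound connection is picked by the operating
        system, normally from the dynamic range, so a high source port on a
        private LAN address is the ordinary shape of a client talking outward
        and is not by itself evidence of a trojan.
        """
        m = CONN_RE.match(line.strip())
        if m is None:
            raise ValueError("unrecognised connection line: %r" % line)
        port = int(m.group("port"))
        return {
            "process": m.group("proc"),
            "protocol": m.group("proto"),
            "source_ip": m.group("ip"),
            "source_is_private_lan": is_rfc1918(m.group("ip")),
            "source_port": port,
            "source_port_class": port_class(port),
        }


    if __name__ == "__main__":
        for sample in SAMPLE_CONNECTIONS:
            info = classify_connection(sample)
            print("%-14s %s %s:%d  private LAN=%s  port class=%s" % (
                info["process"], info["protocol"], info["source_ip"],
                info["source_port"], info["source_is_private_lan"],
                info["source_port_class"]))
    ```

    Run as a script it prints one line per sample; the first sample reproduces the case from message #12 (private LAN source, dynamic-range source port), which the classification shows to be the normal profile of an outbound connection rather than a port-based indicator of anything in particular. A real investigation would look instead at the destination address and at the image path of the process that opened the socket, neither of which a source port number reveals.
    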
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There is no easy way. One telltale sign could be an infection that keeps coming back after a hard disk has been replaced by a new one to rule out a boot record infection. However even here, the infection could just be coming back due to what is being reinstalled from backups. Many people install from backups that are infected and then make wild statements about how they are still infected even though they formatted and reinstalled.

    Some BIOS firmware has built-in tests to check for corruption/changes. Some even have BIOS Antivirus.

    Like any other infection, it infects and damages whatever it is designed to infect. If you happen to get one of these kind of infections it will attempt to make changes to your BIOS if it is writable.

    It is not that risky if your motherboard was designed properly and you follow the required procedures properly.

    You don't have any infections or problems that make this necessary anyway. This is just a PC that has outlived its usefulness. Put Win 98 on it if you want it to run better but you will have very little in the way of supported software applications that you can use.
     
  15. bbpathd1

    bbpathd1 Private First Class

    Chaslang,
    Thanks for all the great info! Wish I had your deep knowledge. (Sigh)

    The venerable eMachines will be retired from the internet whether I go back to Win 98SE or keep XP. No rush to decide.
    The Compaq will continue to get a watchful eye. When I figure out all I want to ask about it, I’ll post in the Software Forum as you suggested. No rush there either.
    The new computer got the benefit of your How to Protect yourself from malware! I just looked at it again and see you updated on 7/7/09, so I’ll see what else I need to do.

    Sorry to have posted information in the last two posts that should have gone into the thread on “Spyware Disabled McAfee Security.” Since July 16 was the last date we chatted in it and I had said you could close it, I did not think it would still be open. Just for future reference, how long does a thread remain open? I certainly always want to do the right thing and I’m glad to obey the MG rules.

    Just answer my last question and then you may close this thread. Thanks again.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We don't normally bother closing threads since it just adds to work load. However for your reference, new problems, or new computers belong in a new thread.
     
