Possible Rootkit?

Discussion in 'Malware Help (A Specialist Will Reply)' started by Avatarrr, Feb 17, 2010.

  1. Avatarrr

    Avatarrr Private E-2

    Hello All,
    I'm posting because of all the recent rootkit scares. I'm not sure if I have one or not. I ran the instructions in the "read-me&run" section to the best of my abilities. Guess we'll see how well I read and followed instructions.

    I had an issue the other day while browsing the web: suddenly my cursor ceased functioning, the system froze and appeared to go to sleep. I have hibernation turned off and did not do anything that would send the system to sleep, i.e. hit the sleep button on a menu. There is no keyboard button that does such a function. Very shortly after the cursor went dead, the monitor went to sleep. The only way to recover the system was to reboot. I am aware that Microsoft patched some vulnerability that would allow an attacker to freeze a Win7 machine. As far as I know, this machine is fully patched.

    Anyway, I had been reading about the XP BSODs and the relation to the LD3 rootkit, and it occurred to me that maybe my machine received an update for that kit. I had downloaded several rootkit detectors (I understand that GMER is blind to this variant) and ran them; the only one that failed was RootRepeal, which complained, among other things, that its SSDT driver was faked.

    I did some searching and arrived here. The machine, overall, seems to run well with a few quirks (screenshots attached) that I had thought were probably related to the processor or MB, but it did occur to me that this might also be a sign of a rootkit.

    Machine specs are as follows:
    System Manufacturer - HP Pavilion D4650Y NOV, 2006
    CPU - Intel Core Duo E6600 Conroe 775 LGA 65nm
    MOBO - ASUSTek Basswood 1.05
    Chipset - P965/G965 1066 FSB Rev. C2
    SouthBridge - 82801H (ICH8DH)
    BIOS - Phoenix Tech Ver. 3.17 8/21/07
    GI - PCI-Express x16
    Memory - 2x2048 PC2-6400 (400MHz) DDR2 OCZ
    Seagate 80GB SATAII Barracuda 7200.10 7200 rpm
    WD Caviar 80GB SATAII 7200 rpm
    HD Controller - Intel(R) ICH8R SATA RAID Controller, RAID 0, Gen2
    Readyboost - Sandisk U3 Cruzer Micro 4GB (smart features removed)
    Graphics Card - ATI Radeon HD 4770, 512 MB, Driver Version 10.1
    Sound Card - Creative SoundBlaster Audigy4 WDM, Driver 6.0.1.1371
    Power Supply - Ultra LSP 550W
    OS - Microsoft® Windows 7 Professional 32bit
    Version - 6.1.7600 Build 7600
    DVD/CD - PHILIPS SPD2513P
    Network Adapter - Intel(R) 82562V 10/100 Network Connection
    Adapter Type - Ethernet 802.3, Driver 9.12.16.0
    APC Back-UPS ES 550
    Linksys Wired Router

    I have zipped all the results from the tests to minimize how many files to upload.

    Thank you in advance
  2. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Welcome to MajorGeeks!

    I am currently reviewing your logs and will get back to you with a set of instructions as soon as possible. Our queue is working the oldest threads first.

    Thanks for your patience.
    dr.m
  3. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    :)

    Good news! You don't have any malware problems showing in your logs.

    Only minor thing to do:

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN, enter the below into the run box and then click OK. Note that the quotes are required:
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Go to the C:\MGtools folder and find the MGclean.bat file. Double-click on this file to run this cleanup program, which will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:

    Safe surfing!
  4. Avatarrr

    Avatarrr Private E-2

    Thank you for your time and effort. This is both good and bad news, as now, it seems, I have hardware problems.
    Curiously, today MBAM no longer runs, throwing a VB run-time error 383. This may also explain why RootRepeal didn't run: hardware problems.

    I have investigated the BHO entry in the past, it is for the MSN messenger icon which would show in IE if it was enabled. Since it is not enabled, there is no harm in deleting it, as far as I know.

    Again, thank you for your time and effort <thumbs up>
  5. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    You're welcome!