Rootkit or Keyloggers?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by EcoGeek, Oct 5, 2012.

  1. EcoGeek

    EcoGeek Private E-2

    Need Help: Rootkit or Keyloggers?

    This notebook was infected about a year ago with an MBR rootkit. I reformatted and reinstalled Windows 7.

    I am running Windows 7, Avira 12 Premium, Malwarebytes, Spybot 1.6.2, Spywareblaster, Firefox 15.1, SuperAntiSpyware, WinPatrol.

    I tried to upgrade to Avira 13, which told me to uninstall most of the antimalware above, which I didn't want to do since 12 worked fine with it. Avira 13 would not install properly, and after several reboots, downloads, and repairs it started working, but I was suddenly getting a lot of outbound traffic.

    I then noticed all my Windows Restore points were gone, and trying to create another one gave me a "Catastrophic failure (0x8000FFFF)" error message. The last malware did the same thing.

    Then I noticed in WinPatrol 3 hidden files in Windows\System32\Drivers, which I tried to upload to VirusTotal. They would not upload. Running scans gave me "EOF missing", and the other was locked to the system kernel by TrustedInstaller and could not be deleted.
    Msft_User_WpdFs_01_09_00
    C:\Windows\System32\drivers\Msft_User_WpdFs_01_09_00.Wdf

    Msft_User_WpdMtpDr_01_09_00
    C:\Windows\System32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf

    Msft_User_WpdFs_01_09_00
    C:\Windows\System32\drivers\Msft_User_WpdFs_01_09_00.Wdf


    There was no detection of any malware with all 3 scanners, but Event Viewer reported errors for all 3 scanners with "Name not found" or "Access to file denied".

    So I don't know if Windows is corrupted or there is something nefarious going on.

    Thanks!
    Last edited: Oct 5, 2012
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Need Help: Rootkit or Keyloggers?

    You are not having malware problems. Your logs are clean, and those files you mentioned are protected Microsoft system files.

    You SHOULD NOT be running Spybot's Teatimer + WinPatrol + the antispyware protection in Avira.

    And if SUPERAntiSpyware or Malwarebytes are paid versions, then they also should not be running.

    I suggest that you immediately disable Spybot's Teatimer. WinPatrol is less of an issue being used with Avira. But I still would like to know about SAS and MBAM.
  3. EcoGeek

    EcoGeek Private E-2

    Re: Need Help: Rootkit or Keyloggers?

    SAS and MBAM are both paid versions. There was not a previous problem with them with Avira 12. Only 13 asked me to remove them. I wasn't sure if that was a marketing ploy or a necessity.

    I rolled back to 12, and Windows was able to create a restore point, whereas before I got a fatal crash. So somehow installing Avira 13 with the other spyware tools wiped out all my restore points. I know Avira is an antivirus program but didn't know they were effective at other kinds of malware as well. Avira 13 is too invasive for my tastes, wanting you to install their search engine, toolbar, and plugins and have everything go through their web servers. Ah, no thanks. Time to look for another antivirus program.

    Thanks for all your help!
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Need Help: Rootkit or Keyloggers?

    You're welcome.
    Then you need to uninstall even more. Overprotection is actually very bad. Besides slowing down your system, it can actually provide less protection, because you will have all of these programs fighting with each other, which could make it difficult if not impossible for any one of them to properly detect and remove infections, since each program could view the other's actions as malware actions. Also, it messes up Windows Security Center. And it can even cause installation and execution problems with other software, including (possibly) the issue you are having with the new Avira.



    You had 5 antispyware protection tools running:
    1. Avira has both antivirus and antispyware protection
    2. You also had Spybot's Teatimer - also antispyware protection
    3. MBAM - antispyware protection
    4. SAS - antispyware protection
    5. WinPatrol - antispyware protection
    We strongly recommend only one antispyware protection program. I would stick with MBAM. SAS I would keep only as a scanner and disable any active protection. Spybot I would either uninstall or at a minimum disable Teatimer. WinPatrol is another that should be uninstalled, unless you prefer it over MBAM, which I would not!!!

    Many new versions of free programs (not just antivirus programs) are starting to add things like Ask Toolbar and Search to help them pay for the free programs. And some paid tools (like Symantec) have also added Ask Toolbar/Search, possibly to keep costs down or increase revenue.

    You can try Avast or you can switch to Microsoft Security Essentials.


    NOTE: Side observation, you need to free up space on your Windows boot drive or swap it for a newer, larger disk. Your logs showed the below:
    Code:
    Size 39.06 GB (41,943,035,904 bytes)
    Free Space 2.36 GB (2,530,709,504 bytes)
    Windows can start to run poorly and crash when free disk space gets this low.
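As an added example (not posted by either participant in this thread), a PowerShell triage script that checks the three points raised above from the defender's side: the attributes and owner of the driver files EcoGeek listed, whether System Restore still holds any restore points, and the free-space ratio on the Windows drive. The 10 % warning threshold is an assumption for this example, not a figure from the thread.

```powershell
# Added example: verify the observations discussed in this thread.
# Assumes Windows PowerShell 5.1 run as Administrator (Get-ComputerRestorePoint
# needs elevation and is only available in Windows PowerShell, not PowerShell 7).

# 1. The driver files EcoGeek listed. The thread reports them as hidden and
#    owned by TrustedInstaller, which is what a protected system file looks like.
$wdfFiles = @(
    'C:\Windows\System32\drivers\Msft_User_WpdFs_01_09_00.Wdf',
    'C:\Windows\System32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf'
)
foreach ($path in $wdfFiles) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Output "MISSING  $path"
        continue
    }
    $item  = Get-Item -LiteralPath $path -Force   # -Force is needed to see hidden/system files
    $owner = (Get-Acl -LiteralPath $path).Owner
    Write-Output ("{0}`n  size={1} bytes  attrs={2}  owner={3}" -f $path, $item.Length, $item.Attributes, $owner)
}

# 2. Restore points: EcoGeek saw them disappear and got 0x8000FFFF when creating one.
$points = Get-ComputerRestorePoint -ErrorAction SilentlyContinue
if ($points) {
    $points |
        Select-Object SequenceNumber, Description,
            @{ n = 'Created'; e = { $_.ConvertToDateTime($_.CreationTime) } } |
        Format-Table -AutoSize
} else {
    Write-Output 'No restore points found (or System Protection is disabled).'
}

# 3. Free space on the boot drive; chaslang's log showed 2.36 GB free of 39.06 GB.
$sys = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$($env:SystemDrive)'"
$pct = [math]::Round(100 * $sys.FreeSpace / $sys.Size, 1)
Write-Output ("{0} free: {1:N2} GB of {2:N2} GB ({3} %)" -f $sys.DeviceID, ($sys.FreeSpace / 1GB), ($sys.Size / 1GB), $pct)
if ($pct -lt 10) {   # assumed threshold for this example
    Write-Warning 'Free space below 10 %: Windows may run poorly or fail to create restore points.'
}
```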
