Rootkit Problem?

Cooky · Nov 30, 2010

Hello Chaps,
Really appreciate this facility, I have searched and followed the "read & run me first" and still have problems. RootRepeal tells me that I have an MFT rootkit on my USB drive that I use for backups.

History: computer (XP Pro SP3) has Avira installed, which is updated and a scan run every night about 4am. I don't use a software firewall, but my router (THOMSON TG585 v7) is set to be a hardware firewall (NAT).

I was away for a few days last week and left the computer switched on. When I returned on Saturday, I had a warning from my ISP about excessive downloads. When I looked at Task Manager, there were some processes running that I did not recognise - Google Analytics among them, but I did not keep a complete record.

I ran Avira and MalwareBytes scans, which found nothing significant. However, Network Probe found connections to servers which I didn't expect, again some were Google, but I didn't record the details.

Meanwhile, the computer is slowing down and freezing for a few seconds every few seconds and I saw processes in Task Manager which I did not recognise. Sorry to be vague, but I wasn't writing stuff down at this stage and it's changed.

I found this site by Googling a process which I did not recognise that was taking up most of the CPU time - I can't tell you what it was, as when I followed the instructions on this forum, it wiped my browsing history :-(

Anyway, I have followed the instructions in your thread "READ & RUN ME FIRST" and attached the results. The major finding seems to be that RootRepeal found an MFT Rootkit on my USB backup drive. GMER can't find it.

Meanwhile, my computer is running slowly and freezes for a few seconds every few seconds...

Logs attached as recommended.

Next post contains the rest of the logs...

Hope someone can help.

Cheers,

Ian

Cooky · Nov 30, 2010

More logs...

Damnit, can't find where RootRepeal found MFT rootkit... but it did!

Cheers,

Ian

TimW · Nov 30, 2010

You still need to attach the log from running C:\MGTools.exe --> C:\MGLogs.zip.

Cooky · Dec 1, 2010

Hi Tim,
I guess I overlooked that one, as I got the rootkit infection message from RootRepeal, then I was sidetracked to running GMER.

When I ran GMER on all 3 of my HDDs (C:, D:, G: ), it hung the whole computer when it gets to D:\System Volume Information (completely frozen with taskbar missing, needed a hard reset). If I run GMER on one disc at a time, it concludes that all is OK.

Rootrepeal also gave a series of "Sector mismatch" errors for my G: drive (an external USB drive), so I ran Chkdsk, which took forever, but reported that it had done some repairs to the disc.

So, I ran MGTools just now, here's the report.

Thanks,

Ian

TimW · Dec 1, 2010

I am not seeing much in the way of malware on your system. But let's do this:

* Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
If it is not on your Desktop, the below will not work.
* Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
* If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
* Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
Code:
KILLALL::

Driver::
phfxbsax

File::
c:\windows\system32\drivers\vowxoqfo.sys
* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to overide the previous file with the same name, click YES.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

* C:\ComboFix.txt
* C:\MGlogs.zip

Make sure you tell me how things are working now!

Cooky · Dec 2, 2010

Hello Tim,
Thanks for your patience and help. The computer seems to be OK when first rebooted, I'll let you know if that changes.

I ran the Combofix script last night and it hung up after updating itself and doing the "Combofix shall now restart" thing. I had to hard-reset this morning and re-run. It ran OK this morning, logs attached as requested.

At the moment, no unrecognised processes seen in Task Manager and none of the intermittent freezing which I've been experiencing. I still haven't managed to get GMER to run on all 3 drives - I'll keep trying.

You did see the RootRepeal log which flagged the MFT rootkit? Attached to my second post as RootRepeal1.txt.

Cheers,

Ian

TimW · Dec 2, 2010

Yes, I did look at the RootRepeal logs. I am not real worried about it. Let's just do this:

Plug in your G:\ drive then run the below:

Please also download MBRCheck to your desktop

Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)

It will show a Black screen with some information that will contain either the below line if no problem is found:

Done! Press ENTER to exit...

Or you will see more information like below if a problem is found:

Found non-standard or infected MBR.

Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.

MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.

Attach this log to your next message.

Cooky · Dec 3, 2010

Done - MBRCheck found a non-standard MBR on drive G: - could this simply be because of the USB interface?

TimW · Dec 3, 2010

Right click the drive and tell me what it says under properties. What do you have on that drive? Can you format it?

Cooky · Dec 3, 2010

Drive is used for backup - properties as attached screenshot.

I have not formatted the drive, I am just using at as it came, but I could reformat it. Drive manual also attached if this helps.

Regards,

Ian

TimW · Dec 4, 2010

Then I would not worry about the drive.

If you are not having any other malware problems, it is time to do our final steps:

We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.We recommend them for doing backup scans when you suspect a malware infection.

If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)

Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required

"%userprofile%\Desktop\combofix" /uninstall

Notes: The space between the combofix" and the /uninstall, it must be there.

This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

Go back to step 6 of the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.

Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.

If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.

Go to add/remove programs and uninstall HijackThis.

Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.

If you are running Win 7, Vista, Windows XP or Windows ME, do the below:

Refer to the cleaning procedures pointed to by step 7 of the READ ME
for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.

Then reboot and Enable System Restore to create a new clean Restore Point.

After doing the above, you should work thru the below link:

How to Protect yourself from malware!

Support MajorGeeks with Geek Wear!

Cooky · Dec 8, 2010

Hi Tim,
Sorry for the delay in replying, I have been away for a few days.

Many thanks for your help, much appreciated. I have looked for a link to donate to the site, but I can't find one - how do you support MajorGeeks?

Anyway, it would seem that my computer is OK now, but I'm troubled that we couldn't find anything definite - I have no doubt that there was some unauthorised software using my computer even if I was unable to exactly describe the symptoms. Now the computer seems clean, but I don't know why.

I have followed the advice in the "how to protect yourself from malware" link and, when I checked, I discovered that Windows Update had been turned off, which I certainly didn't knowingly do - many overdue updates and the latest "Malicious Software Removal Tool" have now been downloaded and installed.

Penultimate question - the advice in "how to protect yourself from malware" is that I need a software firewall as well as my NAT router hardware firewall. Why is this? I used to run ZoneAlarm free until it grew into a monster and started taking over my computer a couple of years ago. When I was researching a replacement, I read several articles (can't quote chapter & verse now though) which led me to believe that a software firewall was unnecessary on a simple home installation like mine.

Finally, I will install a software firewall once I find an appropriate one - I have found most to be serious bloatware in the past. The "how to protect yourself from malware" recommends Comodo and Outpost, but the thread is dated 2004 - I can't seem to find a more up-to-date recommendation on MajorGeeks. Can you point me in the right direction for a simple, effective, lightweight, non-intrusive firewall?

Thanks again.

Cheers,

Ian

TimW · Dec 8, 2010

The How to Protect yourself thread is updated quite often. In fact it was updated a few weeks ago when AVG was removed from our list of recommended AV software. You might want to consider PCTools firewall as an alternative. We recommend a software firewall because Windows firewall is inadequate and you need to be able to block not only incoming but outgoing connections. :major

Log in or Sign up

Rootkit Problem?

Cooky Private E-2

Attached Files:

RootRepeal report 11-30-10 (11-52-43).txt

ComboFix.txt

ComboFix-quarantined-files.txt

SUPERAntiSpyware Scan Log - 11-30-2010 - 10-04-24.log

Cooky Private E-2

Attached Files:

mbam-log-2010-11-30 (10-49-14).txt

Rootrepeal.txt

RootRepeal1.txt

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Cooky Private E-2

Attached Files:

MGlogs.zip

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Cooky Private E-2

Attached Files:

ComboFix.txt

MGlogs.zip

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Cooky Private E-2

Attached Files:

MBRCheck_12.03.10_09.49.41.txt

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Cooky Private E-2

Attached Files:

G_Drive.jpg

UM_DesktopHD_USB_ENU.zip

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Cooky Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member