BleepingComputer.com: Potential rootkit infection

Hi there,

I have here what seems like a rootkit connecting to a botnet. Kaspersky AV did not detect the rootkit being installed but the network monitor has picked up this very suspicious network activity. Every time the machine is booted it downloads small amounts of data from suspicious IP's that are obviously in a pattern, and there is what seems like a C&C server with a resolvable name.



So far with no results I have run:
Full scan with up to date Kaspersky
TDSSKiller
MBAM

Edit: Machine is XP, fully patched. Have just checked a Windows 7 machine and the same behaviour occurs....

All show nothing. I have also tried running Wireshark then connecting to the network, the dodgy IP's are connected to but Wireshark shows nothing. Not sure where to go from here any advice is much appreciated.

This post has been edited by fastandcrumblie: 11 January 2012 - 10:34 AM

Welcome aboard

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download Farbar Service Scanner and run it on the computer with the issue.

• Make sure the following options are checked:
  
  • Internet Services
    
  • Windows Firewall
    
  • System Restore
    
  • Security Center
    
  • Windows Update
  
  
• Press "Scan".
  
• It will create a log (FSS.txt) in the same directory the tool is run.
  
• Please copy and paste the log to your reply.

====================================================================================

Please download MiniToolBox and run it.

Checkmark following boxes:

• Report IE Proxy Settings
  
• Report FF Proxy Settings
  
• List content of Hosts
  
• List IP configuration
  
• List Winsock Entries
  
• List last 10 Event Viewer log
  
• List Installed Programs
  
• List Users, Partitions and Memory size

Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.