I need help with a suspected rootkit infection on 2 computers. Both computers are showing the same behavior.
I have Norton Internet Security 2009 (trial) installed on a fresh copy of WinXP Pro SP3. I downloaded a file off a p2p network that seemed to run fine, but also spawned msa.exe that NAV immediately quarantined. I figured this was the end of it, and I did not see anything weird on the system till much later.
Later I noticed a process called b.exe that I killed, located, and deleted from my temp folder. Suspecting spyware (and assuming NAV would be protecting the computer from any viruses) I downloaded Spybot S&D and HijackThis. Spybot installed without issues and I was able to update it and apply immunizations. However, a few seconds after I kicked off the first system scan it shut down unexpectedly. When I tried to run it again, I got a 'Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.' A closer examination reveals that SpybotSD.exe has been marked as a hidden system file. Uninstalling Spybot did not remove the file, nor did the freeware program 'Dr. Delete'.
I have 2 partitions, the one running XP is formatted NTFS, and the other one is FAT32. I downloaded both the HijackThis installer and the HijackThis standalone executable. I installed (on NTFS) and was able to launch HijackThis. However, it shut down unexpectedly when I tried 'scan and save log'. A subsequent try showed that HijackThis.exe is now suffering the same fate as SpybotSD.exe.
The standalone copy of HijackThis.exe was on my FAT32 partition, and still launches, and can still be deleted; though it still shuts down when I try a scan option. I'm assuming this is because of differing (or lacking) file security options available on FAT32.
Googling (Firefox and IE still work fine) the symptoms led me here and to believe that I might have a 'max++' rootkit infection. However I did not install Windows Police Pro and am not getting harassed. NAV still seems to be working fine, but a full system scan is showing my computer as clean.
Following instructions in the preparation guide, I downloaded dds.scr, disabled NAV (to avoid its script killer), and kicked it off. It starts a command prompt window which then closes after a brief message. I notice that eds.exe gets spawned, but after waiting almost 30 minutes for it, I killed it. It never gave me any txt files after multiple tries.
I then tried the full report option in RootRepeal. RootRepeal gets unexpectedly shut down while scanning the 'Files' section and after only reporting eventlog.dll in the Windows/system32 folder as being locked. I was able to get a RootRepeal report if I didn't scan the 'Files' section. The report is attached.
Finally, browsing through the other posts here, I also tried rkill.pif. It gave me the following output: "INFO: No tasks running with the specified criteria. The operation completed successfully" (this last line was posted 5 times), before refreshing my screen, restarting the Windows task bar, and launching Explorer focused on 'My Documents'. It also created two files, pev.exe and ncmd.cfxxe, that I'm assuming are benign.
So far I've tried all these steps on my laptop (my desktop is in a similar state), and the report is from there. Please let me know if you want me to do steps differently for each computer affected.
Thanks in advance for your help.
Edited by chaytah, 28 October 2009 - 11:54 PM.