bandwidth flogged, computer slow, rootkit found

hey guys.

Recently my computer has been running pretty slow (compared to before). Although i haven't had any error messages, this is pretty annoying. Apart from that, my internet usage reaches 1gb a day easily, when im not even downloading anything.

I have Avira premium 9 installed on my computer with the latest update, as well as threatfire, superantispyware and malwarebytes. I've tried all of these, but nothing seems to change.

I saw a post on this site about running rootrepeal, so i ran it and got the following results, apparently i have a rootkit on my F drive?

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/02/14 23:07
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA7CB1000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5DA000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA762B000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: Volume F:\
Status: MBR Rootkit Detected!

Path: Volume F:\, Sector 1
Status: Sector mismatch

Path: F:\Anime
Status: Visible to the Windows API, but not on disk.

Path: F:\System Volume Information
Status: Visible to the Windows API, but not on disk.

Path: F:\Recycled
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "TfSysMon.sys" at address 0xb9ebca1c

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xba7bbb8c

#: 063 Function Name: NtDeleteKey
Status: Hooked by "TfSysMon.sys" at address 0xb9ebcc10

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "TfSysMon.sys" at address 0xb9ebccb6

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xba7bbbaa

#: 119 Function Name: NtOpenKey
Status: Hooked by "TfSysMon.sys" at address 0xb9ebc90c

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xba7bbb78

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xba7bbb7d

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xba7bbbb4

#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xba7bbbaf

#: 247 Function Name: NtSetValueKey
Status: Hooked by "TfSysMon.sys" at address 0xb9ebce52

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "TfSysMon.sys" at address 0xb9ebeb30

==EOF====EOF====EOF==

Anyway, what steps should i take now?

PS: Sorry if i posted it in the wrong section, I was getting so confused about which one to post it in (i did read the stickies), so i just put it here

Edited by Orange Blossom, 20 February 2010 - 03:40 PM.
Move to log forum. ~ OB

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below I will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

• Download DDS by sUBs from one of the following links. Save it to your desktop.
  • DDS.scr
  • DDS.pif
• Double click on the DDS icon, allow it to run.
• A small box will open, with an explaination about the tool. No input is needed, the scan is running.
• Notepad will open with the results.
• Follow the instructions that pop up for posting the results.
• Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


And

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.

• The application window will appear
• Click the Disable button to disable your CD Emulation drivers
• Click Yes to continue
• A 'Finished!' message will appear
• Click OK
• DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.


Then

Please download GMER from one of the following locations and save it to your desktop:

• Main Mirror
  This version will download a randomly named file (Recommended)
• Zipped Mirror
  This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

• Disconnect from the Internet and close all running programs.
• Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
• Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
• Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  
  
  
• GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
• If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
• Now click the Scan button. If you see a rootkit warning window, click OK.
• When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
• Click the Copy button and paste the results into your next reply.
• Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode.

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.

Reopened at user's request

--------------------------------------------

Please follow the instructions for DDS/Defogger/Gmer above.

Thanks

Ok. So the problem is pretty much what it was before - I detected a MBR rootkit with rootrepeal, and my computer is running slow (though this could be because of many programs installed).

So far I've tried:
- scan with Avira (updated)
- Scan with malwarebytes/Superantispyware
- Have threatfire running in the background

I downloaded and ran DDS, attached is the results.

I ran DeFrogger but i got an error. The disabled log is attached.

I ran GMER, clicked on all options, did a scan of all my drives. The computer restarted by itself when it was scanning C/program files. I tried again, same thing happened.

Can you give me advice on what to do now please?

PS: Attached the latest scan i did with rootrepeal, the drive that was F is now H. (I changed the drive letter).

And in case i didn't make it clear before, H Drive is a 1tb external harddrive with movies/anime.

Edited by raven2000, 02 March 2010 - 09:05 AM.

MBR rootkit is one of the nasties around at the moment.

We need to run Combofix to attempt to remove it or at least to detect it. First Rkill will help the run.

Download and Run RKill

Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

Link 1
Link 2
Link 3
Link 4

• Before we begin, you should disable your anti-malware softwares you have installed so they do not interfere RKill running as some anti-malware softwares detect RKill as malicious. Please refer to this page if you are not sure how.
• Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
• A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
• Please post the resulting log in your next reply.

Then

Please download ComboFix from one of these locations:

• Bleepingcomputer
• ForoSpyware
• GeeksToGo

* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
• Double click on Combofix.exe & follow the prompts.
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

I've followed your instructions, attached are the results..

Edited by raven2000, 03 March 2010 - 12:58 AM.

The logs looked fine.

Can you run Gmer and see if it also finds the rootkit?

Please download GMER from one of the following locations and save it to your desktop:

• Main Mirror
  This version will download a randomly named file (Recommended)
• Zipped Mirror
  This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

• Disconnect from the Internet and close all running programs.
• Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
• Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
• Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  
  
  
• GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
• If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
• Now click the Scan button. If you see a rootkit warning window, click OK.
• When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
• Click the Copy button and paste the results into your next reply.
• Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode.

When i do a scan of my whole computer, it restarts when checking C drive. I did a scan of H drive only (where the rootkit was detected) and it came out clean. Attached is the result:

No MBR rootkit on C or H drives.

In fact, we've found nothing on the PC so far.


Can you run MBAM

Please download Malwarebytes Anti-Malware and save it to your desktop.

• Make sure you are connected to the Internet.
• Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
• When the installation begins, follow the prompts and do not make any changes to default settings.
• When installation has finished, make sure you leave both of these checked:
  • Update Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware
• Then click Finish.
• MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
• On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
• Click OK to close the message box and continue with the removal process.
• Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
• Make sure that everything is checked, and click Remove Selected.
• When removal is completed, a log report will open in Notepad.
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
• Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

So i did a full computer scan with Mbam, while turning off my internet/avira, updated Mbam etc. It came out totally clean..

Im wondering now, could it be that rootrepeal is giving me a false positive?

It could be, MBR is picked up by CF and Gmer and neither have flagged it.

One other possibility, that the MBR rootkit you have is the new variant.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

• Double-click SystemLook.exe to run it.
• Copy the content of the following codebox into the main textfield:
  
  CODE
  :filefind
  Helpassistant
  
  
• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 19:49 on 09/03/2010 by Administrator (Administrator - Elevation successful)

========== filefind ==========

Searching for "Helpassistant"
No files found.

-=End Of File=-

HMm. What now?

Now I'm thinking that the false positive is right.

There is another new tool which can check for the MBR rootkit

Reboot the PC. On rebooting download this file and run it.

Click Start, Run and type cmd. Then type helpasst -mbrt


This will give us a definitive answer.

Hi,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,

m0le