
Reformatted and reinstalled to get rid of rootkit.


#1 swisschard

Posted 23 July 2010 - 06:10 PM

Hello:

My first post. I hope I did it right.

A couple of weeks ago my computer started to behave strangely. The symptoms were
1. Firefox would crash on startup, but its process would keep on running and would reappear even after I killed it. IE started to behave similarly.
2. My drives, especially the external one, started to show many accesses.
3. The registry entry for userinit pointed to desktoplayer.exe, a program I never saw before. (c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe)
4. Malwarebytes and F-Prot repeatedly found many viruses and malware with names like backdoor.bot, trojan.bot, stolen.data, and malware.trac. They kept coming back.

I basically gave up. I used Windows Backup to back up the entire system to the external drive, I reformatted the disk and installed XP SP3 from CD. Everything went well for a while, but then the symptoms returned. I think it happened when I installed Firefox (from Mozilla) and my bookmarks file (from the backup), but maybe not.

So I did it again---reformatted and reinstalled. This time I was very careful to copy very few data files from the backup. I still haven't installed Firefox or my bookmarks. The machine seems to be clean. Malwarebytes and F-Prot say so, and I don't have any symptoms.

My concerns are
1. How can I be sure that there is not a rootkit still embedded deep in my system ready to pounce?
2. How can I get my files out of the backup without reinserting the rootkit into my system? (I suspect the backup is infected.) I can scan the files, but if there is a rootkit in one of them, I doubt if F-Prot or Malwarebytes are going to detect it.

I was hoping the tools on this site could help with concern 1. I don't have any idea how to address concern 2.

I'd appreciate any help you could give me. Thanks much.

-----------------------------------------------------------------------------------------------------------------------------


DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 18:22:15.85 on Fri 07/23/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3314.2759 [GMT -4:00]

AV: F-PROT Antivirus for Windows *On-access scanning enabled* (Updated) {3F8BAFFE-D251-4DC6-ACF9-81FDF61FB9C9}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Qualcomm\Eudora\Eudora.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\software2\process explorer\procexp.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\89YZGX23\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
TCP: {2FE05109-DD86-4824-9643-FCD9ED6DF416} = 4.2.2.1,4.2.2.6
Notify: igfxcui - igfxdev.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\qualcomm\eudora\EuShlExt.dll
Hosts: 192.168.1. 9 huangho
Hosts: 192.168.1.20 caesar
Hosts: 192.168.1.28 colorado
Hosts: 192.168.1.34 iceman
Hosts: 192.168.1.45 memphis

Note: multiple HOSTS entries found. Please refer to Attach.txt

============= SERVICES / DRIVERS ===============

R0 FPAV_RTP;FPAV_RTP;c:\windows\system32\drivers\FStopW.sys [2010-7-22 699608]
R2 FPAVServer;F-PROT Antivirus for Windows system;c:\program files\frisk software\f-prot antivirus for windows\FPAVServer.exe [2010-7-7 80568]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-7-21 1691480]

=============== Created Last 30 ================

2010-07-23 22:20:10 0 ----a-w- c:\documents and settings\administrator\defogger_reenable
2010-07-22 22:06:27 4194304 ------w- c:\windows\system32\cdintf400.dll
2010-07-22 22:05:11 0 d-----w- c:\program files\QuickBooks 2010
2010-07-22 22:05:11 0 d-----w- c:\program files\common files\Intuit
2010-07-22 22:05:11 0 d-----w- c:\docume~1\alluse~1\applic~1\Nuance
2010-07-22 22:05:11 0 d-----w- c:\docume~1\alluse~1\applic~1\Intuit
2010-07-22 22:05:00 90 ------w- c:\windows\QBChanUtil_Trigger.ini
2010-07-22 22:05:00 0 d-----w- c:\docume~1\alluse~1\applic~1\SQL Anywhere 11
2010-07-22 22:05:00 0 d-----w- c:\docume~1\alluse~1\applic~1\COMMON FILES
2010-07-22 22:03:46 0 d-----w- c:\windows\system32\XPSViewer
2010-07-22 22:03:13 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-07-22 22:03:13 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-07-22 22:03:13 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-07-22 22:03:13 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-07-22 22:03:13 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-07-22 22:03:13 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-07-22 22:03:13 117760 ------w- c:\windows\system32\prntvpt.dll
2010-07-22 22:01:00 0 d-----w- c:\program files\MSXML 4.0
2010-07-22 21:56:51 0 d-----w- c:\windows\Intuit
2010-07-22 21:12:50 0 d-----w- c:\program files\WS_FTP
2010-07-22 17:04:10 0 d-----w- c:\program files\GPLGS
2010-07-22 17:03:49 87552 ------w- c:\windows\system32\cpwmon2k.dll
2010-07-22 17:03:47 0 d-----w- c:\program files\Acro Software
2010-07-22 16:53:37 376 ------w- c:\windows\ODBC.INI
2010-07-22 16:53:35 17920 ------w- c:\windows\system32\mdimon.dll
2010-07-22 16:53:12 0 d-----w- c:\program files\Microsoft ActiveSync
2010-07-22 16:53:06 0 d-----w- c:\windows\SHELLNEW
2010-07-22 16:34:18 0 d-----w- c:\docume~1\admini~1\applic~1\Foxit Software
2010-07-22 16:32:54 0 d-----w- c:\program files\Foxit Software
2010-07-22 15:41:40 0 d-----w- C:\em-attach
2010-07-22 14:32:15 48640 ------w- c:\windows\system32\INETWH32.DLL
2010-07-22 14:32:15 317952 ------w- c:\windows\system32\Roboex32.dll
2010-07-22 14:32:15 1712128 ------w- c:\windows\system32\gdiplus.dll
2010-07-22 14:32:06 0 d-----w- c:\program files\Qualcomm
2010-07-22 13:54:23 0 d-----w- c:\windows\system32\NtmsData
2010-07-22 12:00:35 991232 -c----w- c:\windows\system32\dllcache\ieframe.dll.mui
2010-07-22 12:00:35 63488 -c----w- c:\windows\system32\dllcache\icardie.dll
2010-07-22 12:00:35 6067200 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-07-22 12:00:35 52224 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-07-22 12:00:35 459264 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-07-22 12:00:35 380928 -c----w- c:\windows\system32\dllcache\ieapfltr.dll
2010-07-22 12:00:35 268288 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-07-22 12:00:35 2452872 -c----w- c:\windows\system32\dllcache\ieapfltr.dat
2010-07-22 12:00:35 13824 -c----w- c:\windows\system32\dllcache\ieudinit.exe
2010-07-22 10:58:36 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-07-22 10:58:36 272128 ------w- c:\windows\system32\drivers\bthport.sys
2010-07-22 10:58:02 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-07-22 10:56:24 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-07-22 10:54:15 13646 ------w- c:\windows\system32\wpa.bak
2010-07-22 10:52:18 2146304 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-07-22 10:52:17 2189952 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-07-22 10:52:17 2024448 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-07-22 10:51:14 26488 ------w- c:\windows\system32\spupdsvc.exe
2010-07-22 10:51:14 0 d-----w- c:\windows\system32\PreInstall
2010-07-22 10:51:13 0 d--h--w- c:\windows\$hf_mig$
2010-07-22 10:24:40 0 d-----w- c:\windows\system32\SoftwareDistribution
2010-07-22 05:10:50 0 d-----w- c:\docume~1\admini~1\applic~1\.clamwin
2010-07-22 05:10:44 0 d-----w- c:\program files\ClamWin
2010-07-22 05:10:44 0 d-----w- c:\documents and settings\all users\.clamwin
2010-07-22 05:05:46 38224 ------w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-22 05:05:45 20952 ------w- c:\windows\system32\drivers\mbam.sys
2010-07-22 05:05:45 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-22 04:53:12 0 d-----w- c:\docume~1\admini~1\applic~1\FRISK Software
2010-07-22 04:45:46 699608 ------w- c:\windows\system32\drivers\FStopW.sys
2010-07-22 04:43:05 0 d-----w- c:\windows\system32\appmgmt
2010-07-22 04:23:33 0 d-sh--w- c:\documents and settings\administrator\UserData
2010-07-22 03:55:25 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-07-22 03:55:21 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-22 03:49:27 0 d-----w- c:\program files\FRISK Software
2010-07-22 03:49:27 0 d-----w- c:\docume~1\alluse~1\applic~1\FRISK Software
2010-07-22 03:32:13 262344 ------w- c:\windows\system32\PROUnstl.exe
2010-07-22 03:32:13 1904 ------w- c:\windows\system32\SetupBD.din
2010-07-22 03:30:20 940794 ------w- c:\windows\system32\LoopyMusic.wav
2010-07-22 03:30:20 146650 ------w- c:\windows\system32\BuzzingBee.wav
2010-07-22 03:30:19 0 d-----w- c:\windows\system32\Lang
2010-07-22 03:27:31 0 d-----w- c:\program files\Realtek
2010-07-22 03:21:51 0 d-----w- c:\windows\system32\ReinstallBackups
2010-07-22 03:21:50 53248 ------w- c:\windows\system32\CSVer.dll
2010-07-22 03:21:26 0 d-----w- c:\program files\Mythicsoft
2010-07-22 03:21:11 0 d-----w- c:\program files\ToniArts
2010-07-22 03:20:21 0 d-----w- c:\program files\Trend Micro
2010-07-22 03:19:42 0 d--h--w- c:\windows\system32\GroupPolicy
2010-07-22 03:17:02 0 d-----w- C:\software2
2010-07-22 03:16:51 0 d-----w- C:\junk
2010-07-22 02:19:23 0 d-sh--w- c:\documents and settings\all users\DRM
2010-07-22 02:19:10 0 d--h--w- c:\program files\WindowsUpdate
2010-07-22 02:18:40 0 d-----w- c:\program files\common files\MSSoap
2010-07-22 02:17:15 0 d-----w- c:\program files\Online Services
2010-07-22 02:17:10 0 d-----w- c:\program files\Messenger
2010-07-22 02:17:07 0 d-----w- c:\program files\MSN Gaming Zone
2010-07-22 02:16:34 0 d-----w- c:\program files\Windows NT
2010-07-21 21:09:04 0 d-----w- c:\program files\common files\ODBC
2010-07-21 21:09:02 0 d-----w- c:\program files\common files\SpeechEngines
2010-07-21 21:08:42 0 d-----r- c:\documents and settings\all users\Documents

==================== Find3M ====================

2010-07-22 02:17:34 21640 ------w- c:\windows\system32\emptyregdb.dat
2010-05-07 22:17:44 84512 ------w- c:\windows\SOUNDMAN.EXE
2010-05-07 22:17:44 358944 ------w- c:\windows\vncutil.exe
2010-05-07 22:17:38 9721888 ------w- c:\windows\RTLCPL.EXE
2010-05-07 22:17:38 1833504 ------w- c:\windows\SkyTel.exe
2010-05-07 22:17:38 1489440 ------w- c:\windows\RtlUpd.exe
2010-05-07 22:17:32 51232 ------w- c:\windows\system32\RtkCoInstXP.dll
2010-05-07 22:17:32 129568 ------w- c:\windows\RtkAudioService.exe
2010-05-07 22:17:26 19523616 ------w- c:\windows\RTHDCPL.EXE
2010-05-07 22:17:20 2815520 ------w- c:\windows\ALCWZRD.EXE
2010-05-07 22:17:20 2177568 ------w- c:\windows\MicCal.exe
2010-05-07 22:17:14 64032 ------w- c:\windows\ALCMTR.EXE
2010-05-04 17:20:39 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20:34 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20:32 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-28 22:45:24 1251872 ------w- c:\windows\RtlExUpd.dll

============= FINISH: 18:22:29.39 ===============
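A defender's check for the third symptom listed above (the Winlogon Userinit value pointing at an extra program), added here as an example; it is not code from the thread or from any tool named in it. It assumes the only legitimate entry is the stock userinit.exe, uses the value the post reports as a constructed sample, and reads the live registry only when run on Windows.

```python
"""Flag unexpected programs in the Windows Userinit registry value.

Winlogon splits the Userinit value on commas and launches every non-empty
entry at logon, so anything beyond the stock userinit.exe is an extra
logon hook worth investigating.
"""
import ntpath

# Constructed sample: the value the original poster observed on the infected machine.
SAMPLE_VALUE = r"c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe"

# Assumption: on a stock XP install only userinit.exe should be listed.
EXPECTED = {ntpath.normcase(r"c:\windows\system32\userinit.exe")}


def parse_userinit(value):
    """Split the value the way Winlogon does: drop empty entries, normalise case."""
    return [ntpath.normcase(e.strip()) for e in value.split(",") if e.strip()]


def unexpected_entries(value, expected=EXPECTED):
    """Return every launched entry that is not the expected userinit.exe."""
    return [e for e in parse_userinit(value) if e not in expected]


def read_live_value():
    """Read HKLM\\...\\Winlogon\\Userinit on Windows; return None elsewhere."""
    try:
        import winreg
    except ImportError:
        return None
    key_path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    return value


if __name__ == "__main__":
    value = read_live_value() or SAMPLE_VALUE
    for entry in unexpected_entries(value):
        print("unexpected Userinit entry:", entry)
```

On the sample value the script reports desktoplayer.exe; a clean value such as `C:\WINDOWS\system32\userinit.exe,` yields nothing.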




#2 kahdah

Security Colleague

Posted 31 July 2010 - 09:50 AM

Hello swisschard

Welcome to BleepingComputer
==========================

QUOTE
My concerns are
1. How can I be sure that there is not a rootkit still embedded deep in my system ready to pounce?

For this a rootkit can only hide when it is active.
So a right click and scan with your antivirus program should catch whatever may be on the backup drive.
When you plug in the drive hold down the shift key to bypass autorun so as to not unknowingly infect your system if there is an infection.

Doing the above should remove any threat on the machine.

QUOTE
2. How can I get my files out of the backup without reinserting the rootkit into my system? (I suspect the backup is infected.) I can scan the files, but if there is a rootkit in one of them, I doubt if F-Prot or Malwarebytes are going to detect it.

Again a rootkit can only hide when it is active.
Scanning with the protection programs will be sufficient enough to take care of anything on the backup drive.


If you want a second opinion on the antivirus detection you can do an online scan of the external drive as well.
I would use Kaspersky Online Scanner

Let me know if you have any further issues.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#3 swisschard

Topic Starter

Posted 31 July 2010 - 01:14 PM

Thanks for your help.

Just curious about the gmer log in ark.txt. I don't know how to read it, and there isn't much there, but does it show anything to be concerned about?

#4 kahdah

Security Colleague

Posted 31 July 2010 - 05:23 PM

No malware activity.

How are things running?


#5 swisschard

Topic Starter

Posted 01 August 2010 - 06:53 AM

Pretty good so far. The main problem is me. After that near-death experience I'm now kind of gun-shy. I flinch at every little thing, but I'm learning a lot about malware, and I'm setting up more defenses in my computer, so some good is coming out of it. I think I'm okay now. Thanks much for the help.



#6 kahdah

Security Colleague

Posted 01 August 2010 - 08:20 AM

You are welcome


Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.